Corporate board members have made great strides in cyber literacy in recent years, recognizing cybersecurity’s importance and getting up to speed on topics from patching and zero-day vulnerabilities to the need for cyber insurance.
But it is a journey that is just beginning. Escalating threats, expanding attack surfaces and intensifying regulatory scrutiny are upping the ante for in-depth knowledge and sophisticated, timely conversations, among both management and stakeholders.
In a recent webinar, Diligent convened an expert panel to weigh in: Anthony (Tony) Kim, partner with Latham & Watkins; CSO, digital risk management expert and author Nick Shevelyov; and Vanessa Pegueros, former CISO for Expedia and DocuSign who now serves on the boards of Forterra and Prisidio. Highlights follow.
Fundamental Shifts in Threats and Infrastructure
According to the panelists, recent geopolitical tensions, specifically cyber as an integral part of warfare, have spurred a considerable shift in the cyber landscape.
Shevelyov likened cyber defense in today’s environment to “playing poker, when we don’t know all the cards on the table and we’re making probabilistic bets, or facing off against a nation state like playing the game Go,” he said. Cyber aggressors, he explained, “are gradually encircling us. They’re inserting threat actors through contracts or employees. They are attacking you with malware. They have a plan, a grand strategy targeting you.”
Meanwhile, the infrastructure which organizations must defend is getting more complex as well, changing from internal systems on premises that can be guarded with a moat to ecosystems of third-party vendors that are less straightforward to monitor and protect.
Defense now requires a broader view. First, organizations must look beyond controls that safeguard individual systems to the systems themselves: How do systems interlock with one another and how can the organization manage the connections across them to achieve resilience? Second, an organization’s cyber risk score must account for both internal security posture and market externalities, such as the geopolitical risks of the war in Ukraine.
Finally, organizations must move the cyber discussion from prevention to mitigation.
Kim said that organizations he works with used to ask how to prevent cyberattacks from happening.
“We never get those questions anymore,” he said. “Now they assume the attack is happening. How can they best prepare from a technical controls and governance perspective while complying with rules and regulations?”
Achieving the Right Level of Understanding and Involvement
What does this all mean for board agendas and education? On one hand, directors act as generalists, due to the nature of their oversight role. They practice broader corporate management, mostly operating in a “noses in, fingers out” capacity. On the other hand, the new world of cyber requires directors to approach matters in different ways.
“The board gets involved in quite a bit of detail around financial data,” Pegueros pointed out. “But how much are we going to put our fingers in around cyber?” Cyber is a very complicated topic, she explained, with a lot of detailed information that demands more detailed questions.
Effective boards view such questions as more than short-term checklists. They weave them into constant, rich discussions that serve as a “connective tissue” between the board and management, for protecting the organization against potential attacks and shaping overall cybersecurity and risk strategy. What types of issues get escalated? What are the reporting mandates around such escalations? Are attack mitigation techniques integrated with business continuity?
In Pegueros’ eyes, boards are not yet comfortable having these conservations. “We need to get there,” she said. Three key tips were offered for deeper cyber discussions: decide on the metrics your board needs from security leaders, determine the best reporting style for your company, and talk directly with security leaders, privately and often. One-off conversations are not enough.
For determining what to focus on in such conversations, Kim advised using the SEC’s proposed rules on cybersecurity risk management, governance and incident disclosure as a guide.
Such discussions and disclosures start with developing and implementing cybersecurity policies and procedures, risk oversight processes, the frequency of updates and so forth. But they don’t stop there. The SEC also wants to see cyber oversight as part of every new business initiative, Kim said. This includes digital transformation strategies like automation and AI or due diligence for M&A and joint venture activities.
In short, cyber should no longer be a topic relegated to siloed board conversation but an integral part of strategic discussions and considered a matter of governance.
“When cyber’s done well, senior leaders are playing chess, not checkers, and they’re really being strategic and holistic about cyber versus short-term checklist or metric-oriented.”
Tony Kim, Partner, Latham & Watkins
What’s Next for Education, Collaboration, and Oversight
In terms of cyber knowledge, “all boats have risen,” in Kim’s words. Yet the state of the seas ahead—intensifying threats, increased disclosure demands from regulators and investors—requires that leaders step up their navigational skills.
Pegueros talked about a fundamental lack of technical expertise on boards today, of which cyber is a subset. “I think we have a compartmentalization problem where people are only comfortable talking about the things they understand,” she said. “So there needs to be a shift of more education and more curiosity by board members on the new technologies and new things that are evolving that enable them to make better decisions.”
Conversely, she continued, “as CISOs come onto boards, they need to work to become more well-rounded from a business perspective. They can’t come in and just talk about cyber vulnerabilities. They need to understand all the other elements of the business.”
Boards and CIOs must learn how to navigate a wide range of externalities and interdependencies. Shevelyov cited the many types of risk an organization might face, from white swan “known knowns” to the black swan “unknown unknowns you can’t do much about” to so-called red swans.
What processes do you have in place to validate such risks — how frequently and how effectively? How are you achieving an understanding of your risk overall? Shevelyov advised companies to integrate these principles into their business practices and “never really be comfortable in this space.”
Meanwhile, individual leaders should aim to be what Shevelyov calls “Z-shaped professionals. “You understand the business, you understand the technology, and you understand the risk connected between the two.”
“Boards with two or more members with a technology background, those companies actually financially outperform boards that don’t have that background. I think you’ll see more and more former C-suite technology risk executives stepping into boards to help lead those conversations.”
Nick Shevelyov, CSO, Digital Risk Management Expert and Author
Be sure to look retrospectively as well. He presented a hypothetical example: “It’s three years from now, our security strategy has failed — how did it fail?”
“Have that discussion,” he encouraged. “Apply critical thinking skills through the five whys to get to root cause analysis. Begin to evolve that perception of just thinking about controls to thinking about systems that have impact on those cyber risk outcomes. And be curious.”
Overall, he said, “Keep learning and improving. Security is a continuum. It’s a journey. You don’t get to the destination, you evolve over the course of time.”
From her perspective as a CISO and board member, Pegueros advised that leaders emphasize consensus and focus. “Once organizations achieve agreement, they can allocate resources and move forward toward protecting that information. And once organizations identify their priority risks, say, their top five, they can discuss these risks and share updates with the necessary frequency.”
“You need to really understand and gain agreement amongst your executive staff and your board in terms of what you are trying to protect. What data, and what specifically, is the most important?”
Vanessa Pegueros, Board Member for Forterra and Prisidio
From his perspective on the legal side, Kim emphasized the importance of a holistic approach. “The questions that the really effective senior leadership ask are all about connective tissue.
For example, do you think we’re escalating incidents to the right people at the right time? Or, do we have a great instant response plan? Is that integrated with business continuity?”
For the important step of communication, he talked about the importance of demystifying, simplifying and analogizing information, of distilling complicated and complex cyber issues into bite-size chunks and language that a wide range of people with different talent skills and backgrounds can understand.
“I think this is absolutely critical if we want to move the lens from cyber literacy to fluency, which is where I think all of us want to get as an overall ecosystem,” he said.
Watch the full Diligent webinar here.