Improving cyber governance from front to back: An interview with Google Cloud CISO Phil Venables
There is no one path to stronger cybersecurity governance. There are, however, best practices that can guide your way.
The SEC’s recent ruling on cybersecurity disclosures is only the latest example of the modern realities of cyber risk and threat protection. As CISOs adjust to new compliance standards and disclosure requirements, it’s imperative that they strengthen the board’s understanding of risk and build cyber resilience into the organization’s core functionalities.
In the words of Google Cloud CISO Phil Venables, “It’s an opportunity to look front to back” –– to gauge how current risk governance measures stack up against modern standards, and then get those measures to where they need to be.
We recently sat down with Venables to discuss how exactly CISOs can do that, and why it’s more important than ever.
Could you provide some of the key highlights from the July 26 SEC ruling on cybersecurity disclosures?
I think the recent SEC guidance on cyber risk reporting and cyber governance has been a tremendously important thing, because it really sets a standard for how companies of all sizes and public companies should set up their cyber governance and cyber risk oversight, what the role of the board is in working with management — not just the chief information security officer, but all other leadership — and how to frame the oversight process to make sure the board is driving the right risk appetite for the organization in the context of not just cybersecurity, but how cybersecurity fits with the overall end-to-end business risk.
Why are cybersecurity disclosures important in the current cybersecurity landscape?
The SEC's ruling about how it defines which disclosures should occur and what reporting should occur is really important, because ultimately we live or die in cybersecurity by how much an organization gets transparency over its risks, how we think about the materiality of those, and how management take the right steps to mitigate those risks. Making sure that the board has that degree of oversight is important. And then fundamentally, if there are ever any incidents or any material events at the company, it's important for all of the stakeholders and investors, and the market in general, to be able to understand that through all of the reporting process that exists.
What information should a CISO report to the board?
Board governance and oversight of cyber risk and technology risk in general. I think it's important for the CISOs, alongside other key executives, to start working with the board now to really kind of assess that risk assessment process, and if one doesn't exist, to obviously put that in place.
But really, it's an opportunity to look front to back: Is the risk governance process suitable for what they need it to be? And then start taking steps now to improve it.
How does a CISO provide consistency in board reporting?
In terms of how one can think about the consistency of reporting, it's going to ultimately be important that there's some degree of consistency. Because if you're a board director sitting on multiple boards, you want to see things represented in a fairly consistent way. There's very little standardization at the moment across this type of reporting, and I think ultimately as a result of these rulings and a lot of other work that's going on from other organizations, I think we're ultimately going to start to see some templates.
There are various different frameworks for risk reporting, like the NIST framework, the cybersecurity framework that's just been going through a major update. And there's plenty of other example templates, but I think the industry is going to start to have to consolidate on at least a smaller set of the ways of representing these things, because many board directors are going to need to see that consistency across all of the boards that they serve on.
How does a CISO communicate effectively to the board?
One of the challenges with board reporting is when a CISO feels like they have to present a lot of data to the board. It's always going to be hard for the board to interpret that data and put some context around it, so a key role for the CISO, just like other executives in other risk disciplines, is to be able to translate that risk assessment, and the output of that risk assessment, into a business risk context that leadership of the company — and then ultimately of the board — can understand.
There are many ways of doing this — for example, narrative-based scenario planning, where you have described scenarios that are informed by the risk assessment to paint a picture of what the board could inevitably see inside the organization if these risks aren't addressed.
So I think CISOs are going to have to get better, as they already are, at contextualizing measured risk data into consequences in the context of the particular business processes that the organization is running.
Why is it important for the board to understand cyber risk reporting?
Cyber risk reporting is really important for the board, just like they've got to understand every other risks that exists inside their organization. The way I like to think about this is when you're thinking about what the cyber risk is, you've got to answer a broad question, which is: What are the most critical risks to the most critical assets and business processes of that organization?
What controls exist to mitigate that risk? How well is an organization is monitoring that those controls are effective? What residual risk remains, and who at what level in the organization has deemed that acceptable? And what regular validation goes on to make sure that risk assessment process is operating correctly?
Now in that whole phrase I never mentioned technology or cyber once, so this is a pretty standard risk process for many other risks. And what CISOs have to do — and I see many of them increasingly do this — is apply that methodology to their risks in a way that the business and the board can understand, because that's how they're familiar with dealing with a whole array of enterprise risks that they already manage.
Which cyber risk KPIs should be presented to the board?
In terms of the types of metrics that I think the board needs to see again, I think it comes down to what is contextualized in terms of the business process. The board's always going to want to see what the potential impact is in various quantified terms to the business processes, and the services that the organization applies to customers and the organizations that they serve. But ultimately, I think it's also important to measure leading indicators of progress, not just the lagging indicators of the results of that. And this could be everything from how resilient the organization is, to how much the technology in the organization has been modernized to a more defendable, resilient architecture, all the way through to how well the organization is managing and producing software and how reliable the product production process is. And again, this is not nothing that isn't familiar to most boards and executives in many industries, where every manufacturing process or every energy process or financial services process all have an array of leading indicators that describe how well the process runs to achieve the outcome.
They don't just measure the outcomes, they measure the inputs to the process that will almost, if done well, guarantee the outcome is done well. And again, many organizations that are doing cybersecurity really well. Take that approach of managing the leading indicators to guarantee good outcomes as opposed to just measuring the outcomes.
How can CISOs enhance their cyber risk reporting capabilities?
In many respects, the resources available to CISOs are already quite plentiful. There's the NIST framework and various other frameworks, but I'd also encourage CISOs go look at other risk disciplines — whether it's financial risk, or safety risk. Every different critical infrastructure sector, every industry, has best practices around how they manage the risks.
There's a whole field of hazards analysis, a whole field of medical safety, a whole field of production quality management — all of which CISOs can use alongside the established practice in the cybersecurity industry to take their risk reporting and their risk analysis and communication to the next level. So again, I'd encourage not just cyber professionals, but all risk professionals to look across all the disciplines and learn from each other.
And really, cybersecurity needs to be that major player alongside all of the other significant enterprise risks. It's a first-class business risk, just like every other risk, and everybody should learn from each other.
Looking forward
At the end of the day, effective cybersecurity governance is a team effort. Delivering clear, thorough and actionable board reporting goes a long way in strengthening an organization's risk posture and cyber resilience.
The SEC’s July 2023 ruling on cybersecurity disclosures is sure to be supplemented down the line by new requirements and reporting norms. To keep up, CISOs and boards will both be well served by a strong relationship built on transparency, proactivity and hard data.
Tools like Board Reporting for Cyber Risk by Diligent can help you streamline board reporting for more effective risk oversight. Learn how by scheduling a demo today.
