Cybersecurity governance remains both highly fluid and vastly immature. As discussed in two previous blogs, having an understanding of the Board’s strategic risk role and a strategic risk framework with clear metrics are essential to a mature governance model.
A third key ingredient to effective Board governance for cybersecurity is a cohesive management structure, with C-suite leadership for cyber risk, especially with respect to:
Alignment of Board digital governance and the corporate structure, embedding cybersecurity in all strategic business decisions as a shared responsibility
Clarity on the role and responsibilities of the CISO, regardless of where the CISO reports within the organization’s management structure
Executive and Board interviews for the new Advanced Cyber Security Center’s (ACSC) report produced by Mass Insight, Leveraging Board Governance For Cybersecurity, Front Line Perspectives on How to Improve the Board / C-Suite Partnership, suggest there is much work yet to be done on these issues:
“We have refused to truly define the role and responsibility of a CISO.” Corporate Board Chair and Former CISO
“There is an obvious tension between CIO/CISO priorities — regulators care. Does your Board know that?” Legal Counsel
“Boards should be asking — is the CISO taking an audit or operational role, and how does that fit into the organizational structure?” Corporate Board Member, CEO
What will it take to elevate cybersecurity to an embedded senior executive function?
Most CISOs are still only given a 15-45 minute slot on a crowded quarterly agenda in a Board risk, audit or technology committee meeting and similar time at the Board’s annual meeting. The simple fact that cybersecurity is a separate agenda item suggests most organizations are a long way from routinely and automatically considering one of their greatest risks in overall strategic business reviews.
Further, without clearly-defined lines of cyber defense (framed here according to principles used by many larger financial organizations), have boards and management faced and resolved internal conflicts between policy, evaluation, and operational responsibility?
First Line: Business, IT / security operations
Second Line: Risk officers, cyber policy and assessment functions
Third Line: Internal audit
Boards should be asking management how the organizational structure might be affecting security and risk management.
How are we creating a second and third line of defense, if it’s not in the formal structure?
Does the CISO have the necessary authority?
And importantly, what is the evidence that the CEO has made cyber trust and security a major business pillar?
For example, does the CEO or COO lead a cross-functional executive council to oversee cybersecurity and review business continuity risk management and performance on at least a quarterly basis?
The 2018 ACSC report produced by Mass Insight with McKinsey & Co.— Collaborative Cyber Defense - identified a C-suite committee of this kind as the first of six key elements in a cyber mature organization.
Boards and management will have to do better to satisfy the new standards regulators and courts are setting for them.
To that end, our report includes a Program for Boards and Management organized around three strategic Board responsibilities and five lines of questions proposed by our Board advisors.
For a deep dive into these challenges, as well as insights that can help shape your organization’s cybersecurity strategy, download our comprehensive board governance report.