4 ways to improve cybersecurity from the boardroom
Phil Venables
VP/CISO, Google Cloud
Google Cloud's CISO offers 4 tips on getting boards and cybersecurity to work better together
Editor’s note: Phil’s blog originally appeared in his Cloud CISO Perspectives newsletter published on July 28, 2022. We’re reprinting the full column here.
For most organizations, it’s time for the relationship between their boardroom and their cybersecurity practice to evolve — especially in the context of digital transformation to the cloud. This has been a regular dialogue of late, driven in part by corporate risk processes, potential regulations, and ongoing drum beats to improve cybersecurity risk mitigation, all while managing the enterprise's strategic, competitive, and defensive risks.
In our conversations with Google Cloud enterprise customers, both prospective and current, we see three main types of relationship patterns emerge between boards of directors and their organizations related to digital transformation to the cloud.
In a best-case scenario, there is close dialogue and collaboration between the board, business, risk, IT, and security teams that leads to organizational alignment. It’s the result of hard work, and of practices and patterns that Nick Godfrey, director in the Office of the CISO at Google Cloud, and I have previously documented in our research paper, “Board of Directors Handbook for Cloud Risk Governance.”
Sometimes, an organization’s board is more cautious than its IT and security leadership teams. This is a common pattern where business leaders, IT, and security are fully onboard using cloud as a means to drive the modernization of their infrastructure, applications, and data environments. They recognize the cloud is about reducing risk, as opposed to being a risk to manage in and of itself. However, the board might not be in agreement yet, so there is work to be done to educate the board, listen to their concerns, and demonstrate that appropriate control frameworks exist to safely manage the organization through its transformation.
In other instances, it’s the board—not IT or security leaders—that calls for more urgency and more agility for an organization's digital transformation. This type of situation also requires continued collaboration and education with the board, and likely specific key board members, to ensure alignment between business, IT, security, risk, and the board. However, this pattern also highlights the need for more prioritization for IT and security teams, so they can put in place the right guardrails to move transformation quicker while ensuring the appropriate degree of risk mitigation.
Regardless of where any single organization falls within these patterns, there needs to be broader engagement between boards and enterprise-wide cybersecurity practices. Cybersecurity leaders need to have organizational buy-in and engagement to truly reduce risk and improve performance. That includes management, of course, but also boards of directors, yet the challenge remains a significant one for many organizations.
There are many detailed checklists of cybersecurity goals that boards should expect to see from management, and many of those are good places for cybersecurity leaders to start. As I’ve noted on my personal blog, the National Association of Corporate Directors (NACD) in the U.S. and the Institute of Directors (IoD) in the U.K. have partnered with practitioners to produce some excellent leadership in this regard. There is also plenty of regular commentary from those who work closely with boards.
However, the level of detail in all this guidance can sometimes be counter-productive. Board members can be beguiled into thinking that if they get what could be good answers to these questions, then all shall be well. In working with and sitting on boards, I have found that board members may actually be best served by applying their considerable experience and judgment of strategic and corporate risk to ask more basic and fundamental questions instead. While these questions ostensibly appear basic, answering them would, in fact, challenge most management teams at most companies.
From my perspective, there are far more tips I can offer than just the four below, but they are a good place to start. Overall, the most important consideration is developing an effective approach for your organization—for completeness and alignment with your mission and culture.
Focus on risk. Questions that can help in understanding the risks an organization faces include: What are the most significant risks to our most critical assets and business services? What controls mitigate those risks? Who is continuously assessing whether those controls are in place and effective? What residual risks remain? Who deemed those risks to be acceptable, and with what compensating factors or risk transference? What executive management group regularly monitors the measured outcome of this process?
Notice that these questions never mention the words “cybersecurity” or “technology.” By focusing on risk, you’re making it clear what you mean, and what an organization is facing. Of course, it’s easy to ask these questions but it can be difficult to answer them well. It requires a significant amount of work to develop risk taxonomies, asset and service inventories, risk and continuous control monitoring, and an evolving apparatus of risk governance.
Think beyond cyber. Cybersecurity is just one of many technology and information risks and shouldn’t be discussed in isolation. Many of the best mitigations for cybersecurity risk are great technology platforms which offer controls such as software and service lifecycle management, identity and access management, data governance, Zero Trust architectures, and highly resilient and monitored production services.
Take a business perspective. Contextualize all cybersecurity and technology risks in a business context that also takes into consideration the potential impact on customers. This is a good place to think about how the implications of the Risk = Hazard + Outrage formula can affect your organization. It’s vital to factor in reputational risk and brand impact, as well as the potential for direct losses.
Embed cyber in business initiatives. Discussions among boards are widely varied, and can cover topics as disparate as business initiatives, risk and control reviews, strategic discussions, financial reviews, and attestations, among others. Work with your peer executives across business lines and control functions to make sure that relevant content on cybersecurity and technology risk appears in their board content. Work to educate those leaders and prepare them for questions that come from your experiences of talking to the board.
This creates what you really desire: a shared fate for mitigating these risks across the enterprise. It can be transformational if the board is asking everyone they encounter how cybersecurity is managed in that activity or business process, as opposed to only asking the CISO.
Working with your board to manage cybersecurity risk is about more than getting the right presentation materials and metrics. Rather, it is about having a broader enterprise-wide risk management and business view that contextualizes cybersecurity risk and enables organizations to better establish risk tolerances.
To further your understanding of these critical issues, we have published blogs and guidebooks, including the CISO’s Guide to Cloud Security Transformation and Risk Governance of Digital Transformation in the Cloud. Along with the research we published in our aforementioned cybersecurity in the boardroom guide, these serve as a family of guides that can help sustain agility and speed in digital transformation while also managing risk and ensuring appropriate governance.
The cybersecurity challenges facing boardrooms are non-trivial, but working through them can lead to healthier relationships between boards and their organizations, and a healthier organization overall.