Boards should bring on experts to help raise their cybersecurity IQ
Phil Venables
VP/CISO, Google Cloud
New proposed SEC regulations, the rapid rise and adoption of AI, and ongoing global cybersecurity threats and challenges are putting increased pressure on executives and board members to recognize and address these potential risks to their organizations. Many boards are looking to bring on cybersecurity experts to help them navigate these challenges, as well as for broader insights on threat trends, security developments, and other critical information to help them to stay ahead of the curve. But what does it mean to be a security expert on the board?
At a recent Google Cloud CISO event in New York City, Karenann Terrell, a member of the Google Cloud Advisory Board, told a story about how she attended a cybersecurity subcommittee meeting chaired by the cybersecurity leader on the board of an organization. The meeting took place ahead of the full board meeting, and involved cybersecurity experts outside of the organization who brought unique perspectives.
"A board security expert shouldn’t be out to ask ‘stump the chump’ questions to the CISO," she said at the event. Instead, choosing the right expert to sit on the board can be vital to an organization’s security success.
The best candidates, while having the requisite technical expertise, are those who also approach the position with the goal of raising the board’s overall “security IQ.” This means they should help guide productive security and risk conversations at the board level, and ask the most relevant questions including:
Do we have the right protections in place?
Are we using intelligence to identify and defend against the threats that matter most to us?
Are our new technologies (such as artificial intelligence) or cloud architectures helping us be more inherently defended against threats?
Are we practicing sound security fundamentals such as least privilege and hardening to reduce attack surface?
Are we meeting our compliance requirements?
Our second Perspectives on Security for the Board report builds on the concepts explored in our first report, which introduced the importance of board oversight for cyber risk and AI integration with security. The new report explores in-depth which questions are the best ones to ask to raise board security IQ. We cover the board’s security role and responsibilities in cloud adoption, shine a light on the latest threats and their impacts to business, and introduce Google’s Secure AI Framework (SAIF) to help ensure organizations use AI responsibly.
How the board can help guide cloud adoption
As we stated in our first report, we encourage boards to adopt the following three principles for effective oversight of cloud adoption: 1) get educated; 2) be engaged; and 3) stay informed.
Getting educated means understanding the complexities of cloud migration from start to finish. This doesn’t mean you need a PhD in cloud, but it’s important to have a macro-level understanding, including how a migration can introduce risk, how to close those gaps and blind spots, how to ensure data integrity, and how to ensure you’re meeting compliance requirements.
Being engaged means taking an active role in the migration. An active board leader doesn’t need to be on the front lines of every action or decision; instead, the board leader should foster collaboration between the myriad groups planning, managing, and executing the migration — including the security teams.
Finally, staying informed means following up on migration activities, and how the organization’s risk and security postures are affected, by advocating for regular conversations in the boardroom.
Navigating the global threat landscape
Today’s cyber threats are serious and can cause financial losses and brand damage. CISOs and security teams are not the only folks who need to be ready for a breach. In times of compromise, boards are in a prime position to guide their organizations to successful outcomes. Part of being ready means understanding the global threat landscape. Boards that are not current on threat trends are not as well-equipped as those that are to lead their organizations through times of cyber crisis.
Boards need to hear regularly from security experts who live in both worlds, who understand the issues at stake for security practitioners and risk managers.
Earlier this year, we saw an increase in zero-day vulnerability abuse from nation-states conducting espionage and cyber criminals seeking to steal data for subsequent financial gain. In this latest board report, we share our research on these threats and our guidance for defending against them, while focusing on the big questions boards need to be asking their CISOs, security leadership, and appointed experts.
Securing AI systems with Google
Every new technology brings with it new security risks, and AI is no different. With generative AI advancements happening rapidly, Google is committed to ensuring that AI systems are not only safe for users, but safe at the development level, too.
Google’s Secure AI Framework (SAIF) is a conceptual framework for secure AI systems that boards can use to help ensure their organizations utilize AI in a responsible way. SAIF offers a practical approach to address top of mind concerns for every organization, including security, AI/ML model risk management, and privacy and compliance.
We recommend boards work with their CISOs to implement SAIF’s six core elements in their organizations:
Expand strong security foundations to the AI ecosystem
Extend detection and response to bring AI into an organization’s threat universe
Automate defenses to keep pace with existing and new threats
Harmonize platform level controls to ensure consistent security across the organization
Adapt controls to adjust mitigations and create faster feedback loops for AI deployment
Contextualize AI system risks in surrounding business processes
Bolstering the board with security expertise
With this latest report, boards should have a better understanding of their role and responsibilities in risk management during cloud adoption, the global threat landscape and how to respond to threats, and how their organization can use AI in responsible and secure ways.
Choosing the right person for the job, be it the CIO, CISO, or another qualified security leader, will depend on the board and the organization that it leads. There is no single correct answer.
Crucially, it’s time for boards of directors to bring on cybersecurity experts with the ultimate goal of raising their security IQ. Boards need to hear regularly from security experts who live in both worlds, who understand the issues at stake for security practitioners and risk managers.
Choosing the right person for the job, be it the CIO, CISO, or another qualified security leader, will depend on the board and the organization that it leads. There is no single correct answer here; boards will need to meet with experts and select the best candidate for their organization.
Equally important is that the board’s security “guide” leads them through productive security conversations. That means focusing on relevant questions and providing constructive feedback. They should also seek out other meaningful ways to contribute outside of normal board working hours, including consulting with outside security experts, and holding security subcommittee meetings.
External cybersecurity partners such as Google Cloud are available to help boards and executives understand their unique threat profile and risk exposure, and translate frontline intelligence into actionable information.
You can read more about Google Cloud’s security guidance for boards of directors in the full report, “Perspectives on Security for the Board,” second edition, here.
