Feature Story

Get the board on board: leading cybersecurity from the top down

Cybersecurity is more than just a shield. CEOs and board members need to see it as a competitive advantage.
Dec 02, 2019

By Lauren Buckalew, Kevin Delaney, and Eran Levy


Nothing derails a company’s momentum like a major cyberattack. So it’s no surprise that security has become a regular topic at board meetings. 

This was supported by a recent CIO study by Cisco, in which cybersecurity was cited as the top issue that CIOs raised to their boards, outpacing any other technology-related topic. 

But are the right questions being asked in those meetings? Are the board and executive leadership teams using their influence to build cyber-resilient cultures across all corners of their organizations? And are they leveraging the right knowledge and expertise within their companies and beyond?

In a separate series of interviews, CIOs, CISOs, CEOs, and board members revealed their best practices for shifting the fundamental perception and execution of cybersecurity, along with their fears, which are fueled by sensational headlines around the most costly breaches.

“This topic is getting worse and worse,” a board member from an automotive manufacturer told Cisco. “I think basically people are confused, they’re worried.” 

Among top-performing companies, however, a more positive vision of cybersecurity is emerging — one that goes beyond the common image of a purely defensive shield. These organizations view it as a growth driver, a key to innovation, and a competitive advantage. (Roman and medieval shields, after all, were used for defense and for pushing forward in battle.)

But for all that to happen, companies first need to get all senior leaders working — and communicating — in concert. 

CIOs and chief security officers, for example, have a key role to play in guiding these high-level discussions. In many companies, however, technology leaders have yet to be granted a proverbial seat at the table. Others have gained a voice, but can’t present cybersecurity in the language of the business.

At the same time, board members and CEOs fail to assume their own, more expansive role in cybersecurity, which will be essential for maintaining brand equity and forward momentum in the face of relentless cyberthreats. 

In short, cybersecurity is bigger than IT, and it’s bigger than the board or the CEO. To create a pervasive, cyber-resilient culture, security must span divisions, silos, and hierarchies.  

“Integrate cyber into the business practice of whatever organization you have,” said John Stewart, Cisco’s chief security and trust officer, “not treating it like it’s an IT issue, not treating it like it’s a security teams issue. It’s actually foundational to the very fabric of the way you operate the company.”

In today’s threat landscape, the defenses, preparedness, and resolve of companies large and small are under constant siege. And that will only increase as rapidly changing technology and end-user demands upend the very assumption of a network perimeter or firewall defense. 

Every organization needs to ensure that it’s firing on all cylinders, and that cyber-awareness extends to every level and across the company culture. Unfortunately, many companies are falling short. One study reported that the average security program only covers 67 percent of its organization.1

Top-down leadership is essential for creating a 100 percent cyber-resilient culture, but the board’s inaction is a key reason why many fall short. 

“Boards are trying to get their arms around all of these different moving pieces,” said Steve Durbin, managing director of the Information Security Forum, “and need clear guidance from the security folks on what it is they should be doing. That for me is still one of the biggest gaps, one of the biggest challenges.”

To capture key insights on the board’s role in creating cyber-resilient cultures, and the kinds of questions they should be asking their own tech and security leaders, Cisco conducted more than 30 interviews with senior leaders — including CEOs, board members, and CIOs, all from mid- and enterprise-level firms in the United States, Asia, and Europe.


The challenges: shape-shifting threats and organizational blocks

Cybersecurity Ventures predicts that cyberattacks will cost $6 trillion globally by 2021.2 And the average cost of an individual data breach is $3.86 million.3 So no company and no business leader — at any level — can afford to look the other way. 

Malware, ransomware, and other threats grow more sophisticated all the time, with many intrusions “shape shifting” on a daily basis to avoid detection. The fallout from a major breach can be massive in terms of disrupted operations, financial losses, and theft of critical data, personal information, and intellectual capital. Not to mention, erosion of brand equity and customer trust. 

Yet another consequence is CIOs and CEOs losing their jobs following a breach, a trend that Gartner and others expect to accelerate.4

One obstacle in fighting cyberthreats is organizational structure. In many companies, IT is still considered to be a cost center. The CIO — when perceived in this strictly functional support role — often reports to the CFO or the COO, who in turn view cybersecurity as a traditional risk. 

In reality, it’s anything but. 

Given the stakes, today’s leaders can’t afford to view cybersecurity as a purely defensive strategy. As our expert interviews revealed, it’s an enabler of future growth, productivity, and innovation, demanding full attention from the highest levels in the organization. 

In some cases, however, it’s still the CFO or COO who is expected to lay out the cybersecurity strategy to the board. 

“The CFO is often not technical enough to truly lead IT on cybersecurity needs,” said one board member in media and entertainment, “or even understand the core issues.”

When CIOs or CISOs do address the board, the discussion can swing too far in the other direction. Cybersecurity is presented from an IT-centric perspective, in terms of number of attacks, systems analysis, network downtime, etc. At the same time, lines of accountability are often murky, with no defined chain of responsibility should a breach occur (and it will), much less a plan of action to respond.

“Many traditional board members aren’t really even sure what the threat is, or whose responsibility it is,” another board member told Cisco. “We certainly hear about these giant disaster breaches in the news, but we’re not even positive what our accountability is.”

In short, board members want to know more. In our conversations with CEOs and board members, all stressed that their level of concern had risen greatly over the past five years. In a separate study we conducted of CIOs, cybersecurity threats were named as the No. 1 topic they have raised to the board or senior leadership team.


As cyber fears mount, business anxiety grows

Today’s attacks don’t just steal information; they can completely paralyze an organization. And heavy media attention only accentuates their effect on brand reputation.

“The impact,” another board member said, “would be around potential to corrupt, to effectively destroy key systems and data. Denial of service attacks, business interruption leading to lost revenue.” 

All of which interrupts the forward motion and strategy that are the lifeblood of a company’s future competitiveness.

As the CEO of a large multinational financial institute told Cisco: “Cybersecurity is no longer a threat to operations. It is a threat to strategy.”

AI, quantum computing, and other emerging technologies promise to up the ante even further, for attackers and defenders alike. The widening gap in understanding will only breed further uncertainty and anxieties among senior leaders and board members. 

However, since many board members overlook their own role in cyber defense, they can place too much faith in technology as a be-all, end-all solution. Given the magnitude of the risk, the heightened complexity of threats and defenses, and the need for concerted, organization-wide strategies, that approach is destined to fall short. 

“Cybersecurity isn’t just about technology,” said Durbin. “A very significant proportion of cybersecurity is about people, it’s about the culture of the organization, it’s about how we perceive our role in that technology/people interaction. And I think leaving it all to the CIO is a mistake.”


Build the shield, but don’t hide behind it

Robust cybersecurity is more than just a shield. That common metaphor is accurate — it does protect assets, resources, and in some cases even lives. But again, it’s good to remember that shields also enabled armies to push forward into the thick of battle. 

So, too, with the cyber-shield. When examining your cybersecurity practices and defenses, it’s critical to evaluate their ability to protect the company’s “crown jewels” from intruders. Equally important, however, is protecting the business continuity that will maintain strategic partnerships and customer relationships, research and development of digital products and services, and the ability to “push forward” by continuing to execute all aspects of a competitive digital business. 

The more cybersecurity impacts are reduced or avoided, the more your organization will continue to grow and seize opportunities with agility and speed. 

Without doing so, companies suffer in indirect ways. Research from the University of Florida reveals the impact of cyberattacks on research and development.5 Beyond that, there can be an erosion of a company’s willingness to experiment, drive new initiatives, and risk the sort of failures that become important stepping stones to success.

That kind of fallout can be much longer lasting than the short-term losses immediately after a breach. All of which comes back to the notion of treating cybersecurity as fundamental to the very heart, soul, and culture of a competitive organization. 

Ensuring compliance is another example of how good practices translate into competitive advantage, as a board member explained. 

“It cost us a tremendous amount of money to certify all of our systems as GDPR compliant,” the board member said, “and that became a huge advantage for us because many of our competitors couldn’t or didn’t or wouldn’t.” 

Compliance practices also translate to better security overall. Cisco’s Data Privacy Benchmark Study found that GDPR-ready organizations suffered fewer breaches than those that lagged in their efforts.6


Speak the language of the board

These days, nearly all boards include cybersecurity as part of their standing agenda for annual meetings, while more mature organizations discuss it quarterly. Regardless, it’s the nature of the discussions that differentiates the most sophisticated firms.

In short, tech language won’t translate; business language will. 

As one CIO told Cisco, “You should not overestimate the board’s awareness nor underestimate their intelligence. They have limited knowledge about cybersecurity, but they quickly learn.”

The best way to present cybersecurity to the board is by couching it in financial terms. Beyond a risk to be mitigated and contained, it needs to be seen as a function of digital business strategy, and it needs to be described with this expansive outlook. 

Moreover, these discussions need to be held on a consistent, regular basis.

“I’m not trying to knock the technology people,” one board member said. “But overall, I find that when you ask the cybersecurity questions, and I don’t even know the exact questions to ask, it’s usually like, ‘Oh, that’s a good idea, we’ll report on that. We’ll have the IT person come in and report on it at the next board meeting.’ ”

Too often, however, that next meeting doesn’t address the problems in understandable ways. 

“Most IT people, including the security people, including the CSOs, are not very good at expressing to the business, ‘What does this mean to you?’” another board member said. “They talk in terms of the technical implications. It’s actually rare to be able to have a business discussion about security.”

At the same time, senior leadership teams need to listen. Many CIOs share their frustrations in seeking greater investments in cybersecurity. Their failures can’t all be chalked up to shortcomings in their own communications skills. 

“[The CEO] is looking at it like an insurance policy,” a retail CIO said, “but until I actually get a major breach he doesn’t want to pay for the insurance. And I keep on telling him, ‘You don’t want to wait and become the next Target that’s written up in the newspapers because we got breached.’”

Third parties, of course, can be a bridge between separate factions. A vendor or consultant with technical, business, and industry expertise can transcend the language gaps and speed strategy planning.


Support from the board. It’s SIMPL. 

Every board is different. And what works for one organization might not work for another. 

Regardless, board members can play a unique role in driving cybersecurity and moving it past the IT domain and into the business conversation. To make that happen, the board may need to add additional cybersecurity expertise, bring in third-party consultants, or conduct seminars. 

Moreover, while the level of expertise on the board and the level of support it ultimately provides are related, expertise alone is no guarantee for advancing an organization’s cybersecurity position. 

As traditional companies transform into digital ones, many IT organizations feel as if they are playing catch-up on security, with much attention and budget focused on patching vulnerabilities, putting out proverbial fires, and wrestling with employees (and customers) to undo behaviors that put the company and its information at risk. 

With the right support from the board, however, the cybersecurity program can evolve from a cost center to a business enabler.

Our research showed that CEO and board support for cybersecurity programs — not security expertise — is the biggest predictor of cybersecurity sophistication in an organization.

But how do board members offer this level of support for their company’s current stance and future direction in cybersecurity, all in the face of a security “language barrier”? 

Cisco’s interviews with CEOs, board members, and technology and security executives reveal a multi-step (but SIMPL!) process for making it happen:

  • Take a Structured Approach. Focus on and prioritize the risks, threats, and possibilities that are both high impact and highly probable. That means evaluating your own tolerance for risk; the value of your company’s “crown jewels”; your points of vulnerability; your employee awareness; and your level of investments in cybersecurity. Again, don’t dwell too heavily on the lower-impact, lower-probability issues. But make sure the company’s cybersecurity posture is updated at least quarterly so that new threats are detected and shared with the board in a timely manner.

  • Create Inter-disciplinary Teams. Cybersecurity is a business problem that demands collaboration among IT, HR, finance, legal, and other functions — as well as all employees and key partners. Technology is part of the solution, but so is awareness and, increasingly, behaviors. Outside technology vendors or business consultants can be invaluable, especially when communication between the board and IT is challenging.

  • Measure Progress. Metrics are one of the keys to success for any cybersecurity program. While IT needs to maintain technical metrics on the stability and strength of digital defenses, technical metrics alone aren’t suitable for business-risk conversations. Ask for a “cybersecurity score,” and a breakdown of the value of — and risk levels to — priority assets. Use a format that is repeatable to gauge progress and highlight key updates and decision points for the board. Acknowledge that, similar to a credit score, there’s no high score or perfect score, only continuous improvement (and sometimes damage). Board members can also ensure that information is shared from company to company, creating benchmarks for success. “What the community could do better is learning from the attacks that happen,” said Robert M. Lee, founder and CEO, Dragos Security. “You’re learning from what had actually happened in the community, and doing a gap analysis.”

  • Project to Protect the Future. Data of record means little when the threat landscape changes so quickly, and can even hinder growth if the board or executive leadership team (ELT) is overly risk averse following a previous breach. Leading cybersecurity practices like scenario planning apply inputs that include the value of assets and the size and location of vulnerabilities, to project and plan for various risk scenarios. As you review your organization’s cybersecurity score and upcoming investment options, frame cybersecurity in terms of how it will help the business move forward.

  • Leverage Your CIO or CISO. As one board member told us, “Unless the CIO, CFO, and their direct reports are good, you could have the best board in the world, but it’s not going to matter.” To that end, they will need the authority to command and corral the resources they need. In return, senior leaders can hold them accountable for making the right investments in cybersecurity, to protect business value through business continuity and agility. Not seeing eye-to-eye with the CIO on cybersecurity investments and initiatives is a red flag, and could undermine the security of your organization. In the end, most momentum on cybersecurity comes from the CIO and other security experts within the company. So, it’s essential to establish a climate of trusted engagement.

Create the cyber-resilient culture 

No organization believes that its risk level is zero (nor should it). What separates the leaders from the laggards is preparedness, with the overall goal of a pervasive, cyber-resilient culture. Such organizations are aware of the dangers and risks confronting them, but have made cybersecurity investment decisions in concert with the business, while formulating a tightly rehearsed plan for how to bounce back — even accelerate — out of a cyber-attack.  

On average, it takes companies 197 days to identify a security breach and 69 days to contain it.7 That certainly leaves much room for improvement in terms of visibility into the network and efficiency of response plans. 

As Steve Durbin stressed, the cyber-response playbook needs to encompass everything from technical and financial recovery to public relations and even liability. 

“Everybody from the boardroom down needs to be very diligent about going through these cyber-security response exercises,” he said, “understanding the playbook, really getting it down. Because we’re expected to respond almost immediately as to what the impact is, what we’re doing to get things back up and running, and how we’re going to compensate potentially if we’re in the consumer-focused area.” 

The more you know, however, the scarier it gets. Our research showed that even CIOs with the most advanced cybersecurity programs are deeply concerned about the risks they confront — often more so than their peers with less robust cybersecurity postures. 

Penetration testing and white-hat hackers can expose those weaknesses in sometimes disturbing ways. But such exercises, along with periodic drills, clarify security priorities while providing key metrics. 

“When we do our annual penetration tests from the outside and inside,” a CIO for a law firm said, “things will be assessed on a rating scale. Like, ‘This has to be patched,’ ‘this version needs to be updated.’ ”

It also enables security teams to present risks to the board in a quantified manner, either with their own metrics or in combination with the new breed of insurance agencies that are assessing cyber risk to companies.8

“[Cybersecurity] is a risk that boards and C-level executives, CEOs in particular, don’t understand,” a CIO added. “They’re afraid of it. But what if we’ve actually partnered with an insurance company with the ability to calculate the risk. So you’ve translated this cyber risk into the kind of risk that boards understand. There’s a technical component and then there’s an insurance component.”  

Our own data shows that cyber-insurance is an indicator of cybersecurity maturity. It’s a great forcing function (worse security equals higher premiums) and teaching tool (checklist of risk profiles) for improving cyber-readiness each year.

The all-important security drills can hone responses to that risk into fast, coordinated, and decisive actions. All of which demands leadership. 

Paul Sean Hill is a former NASA flight director who today advises business leaders on crisis management. He stresses that for cyberattacks there is no such thing as too much preparation — or clear-eyed leadership.  

“You have to go through all of those types of thought processes in the calm light of day,” he said, “when you’re not under attack. Then you have to practice the decision-making in simulations, like we do in space flight, to make sure that when it happens you really are going to decide that there’s not something that you missed. And you have to hold people’s feet to the fire to do it.”

Again, the differentiator between the best and least mature is not the level of confidence, but the level of preparedness. According to our research and interviews, key elements of that preparedness can include: 

  • IT threat defense and mitigation: investing in the talent, technology, and culture changes to prevent attacks and limit damage.
  • IT attack response and recovery: preparing for the return of all business operations soon after an attack occurs, while reassuring partners, customers, the media, and other stakeholders.
  • Supplier and customer integration: ensuring that partners, third-party vendors, etc. follow similar risk mitigation standards.
  • Customer experience: building cybersecurity and trust into the overall customer experience.

Security’s ultimate end user: the customer

Cyberattacks will happen – if not to your organization directly, then through a vulnerable supplier, or a customer. A degree of risk will always be present, even for the most cyber-resilient organizations. But even a well-publicized breach isn’t the end of a company’s success. 

By integrating cybersecurity into customer experience, companies can enhance brand equity and consumer loyalty.9 Customers demand a seamless, fast buying experience and they want to know it’s secure. What they don’t want is clunky, frustrating security and ID measures that slow them down. Attention spans are short, and competitors often a click away. By ensuring security and trust with an intuitive end-user experience across multiple devices, companies can win new customers and confirm old ones.10

A European telecommunications CIO told Cisco that building a solid reputation in privacy and security can even support new business models. 

“We’re one of the highest-trust brands with respect to technical capabilities,” the CIO said, “with respect to privacy, with respect to transparency, so we have a good brand image. So indirectly, we could choose our trust and our security strengths as a selling argument for getting into new types of businesses.”

Customer experience and trust are just part of a pervasive approach to cybersecurity as a growth opportunity and a competitive advantage. Every company will be attacked. And some of the inevitable breaches may be bad enough to spark negative publicity. However, with the right (i.e., pervasive) preventive measures and a comprehensive response plan in place, forward-looking organizations can shrug off the headlines and move forward.

But to do so demands concerted, coordinated efforts from the CEO, the CIO, the business side, and partners — with the board exercising its unique role in tying it all together.

The board’s cybersecurity check-list

All organizations have an opportunity to rethink how they move forward, knowing that cyber-risk is real and inevitable. Building security into the customer experience is but one aspect of a proactive, growth-centered approach to security. 

These 10 best practices, compiled from our expert interviews, can guide board members and other senior leaders as they formulate their cybersecurity strategies:

  • Set cybersecurity strategy with a cross-functional team of experts and functional leaders
  • Conduct quarterly conversations on cybersecurity along with extra sessions with expert guest speakers
  • Include cybersecurity as a standing agenda item at least for audit & risk or governance committees, if not the full board
  • Speak the language of business in board-level security conversations
  • Schedule annual (at least!) drills for responding to cybersecurity breaches
  • Launch white-hat hacking intrusions, along with red/blue team competitions and war rooms
  • Add a cybersecurity expert on the board
  • Quantify and project cyber-risks beyond spend (for example, customer attrition, revenue impact, partner relationships)
  • View cybersecurity as a competitive, differentiating asset of the company, including in customer experience
  • Evaluate cybersecurity posture in terms of goals and future needs, not the sting of a past breach

5 He, C. Z., T. Frost, and R. Pinsker. 2019. “The Impact of Reported Cybersecurity Breaches on Firm Innovation,” Journal of Information Systems.


We welcome the re-use, republication, and distribution of "The Network" content. Please credit us with the following information: Used with the permission of http://thenetwork.cisco.com/.