Cracking the Code on Board Reporting

Every week it seems like there is news of another cyber breach. As companies and organizations grow more cyber aware, there has been increased focus on the board of directors’ role in overseeing cyber risks. According to the What Directors Think survey by Spencer Stuart and NYSE Governance Services [1], 61% of directors surveyed indicated that their Chief Information Security Officer (CISO) meets regularly with the board to discuss cybersecurity.

Among Financial Services Roundtable member companies, this frequency is given that most CISOs and Chief Information Officers (CIOs) report quarterly to a board committee as well as the full board. With all this board reporting, one would think CISOs and CIOs in the financial sector have figured out the best way to keep their directors up-to-speed on the firm’s cybersecurity posture with metrics, charts and graphics to show progress over time and against key goals.

As it turns out, many CISOs and their boards think they have some work to do to enhance board reporting, as noted in another recent survey of board directors by Bay Dynamics and Osterman Research [2].  This report found that 85% of board members think that CISOs and CIOs could improve the way they report to the board.

So, what’s the problem?

Some think it’s too much “tech speak” on the part of CISOs and CIOs. Some think it’s the lack of technology and security expertise on the part of directors. And others think it’s the lack of a clear standard for assessing and measuring cybersecurity. The answer is most likely a combination of all of the above.

FSR’s Technology Policy Division, BITS, recently convened a number of CISOs and CIOs, to discuss this challenge and ways to better inform boards at financial companies. Some of the top recommendations and takeaways included:

  • Think like a board director – Board directors tend to focus on governance, process and risk. They don’t need to see the details of how you map your cyber controls to various required guidelines and frameworks but they will want to know that you’ve done that work. To help focus directors’ attention and foster a discussion on risks, a heat map such as the one below can be a good visual to display the main risks your firm faces.
  • Show business value – Align cyber briefings to the board with other business priorities the board may be discussing. For instance, how will moving to a single sign-on not only improve the customer experience but also improve identity and access management? Or how can cybersecurity support cloud adoption? Connecting cybersecurity to other aspects of the business will clearly link how the CISO or CIO is a business enabler.
  • Recognizing that cyber is a business service and a customer experience helps align a company’s business and cybersecurity leadership. It is also a clear indicator to the board that product and risk tradeoffs are well understood.
  • Metrics never scratch the itch – One of the most-asked questions from CISOs is what metrics others use before their board of directors. FSR’s CISOs and CIOs agreed there is no magic set of metrics and that they often don’t satisfy the desire to measure cyber risk and a firm’s maturity level. Much of cyber risk management requires expert judgment and quantifying risk can still require a lot of assumptions. Metrics to help support a topic under discussion can be useful, particularly those that measure an area of operational effectiveness, rather than merely compliance with regulations.
  • Use field trips – Taking your board of directors on a field trip to visit your cyber operations center and to talk to your critical operating staff can be a good way to help them better understand how the firm protects against hackers. As the saying goes, “a picture is worth a thousand words” so seeing cyber operations firsthand can be a great tool.

For more on these topics and others, like handling tricky board questions, see BITS’ most recent white paper on board reporting

[1] “What Directors Think. Guarded Optimism Amid a Shifting Landscape.” 2017 report by NYSE Governance Services and Spencer Stuart.
[2] “How Boards of Directors Really Feel About Cyber Security Reports.” Bay Dynamics based on an Osterman Research survey.