Six things the BOD wants you to know
Cyber security conversations with boards of directors have evolved. No longer viewed as just tech experts, security teams are now seen as architects of business resilience against cyber threats. This shift is being driven by rising cyber attacks, geopolitics, and digital transformation.
Boards now want strategic insights from security leaders. They don’t just want to hear us report that we've installed the latest firewall or are compliant with regulations. They seek to understand how cyber tactics ladder up to business strategy and shareholder value. Dialogue is key. Boards want security teams to bridge cyber jargon with business acumen.
So, what does your board want you to know? What are their priorities? What do they want from your team? In this article, we’ll explore boards' cyber security priorities and how security leaders can effectively communicate with them.
In the past, boards viewed cyber security as the domain of tech teams in distant server rooms. Cyber risks seemed abstract, and intangible. No longer. Look no further than the aftershocks of mega breaches like Equifax and Colonial Pipeline. These attacks crippled enterprises to their core, inflicting outsized business impacts that redefined cyber risk as a clear and present danger.
New SEC security risk disclosure rules double down on this threat. By mandating rapid public reporting of material cyber incidents and annual disclosure of cyber programs, the SEC spotlights cyber risk front and center. “Whether a company loses a factory in a fire — or millions of files in an incident — it may be material to investors,” said SEC Chair Gary Gensler. The board must now be closely involved in evaluating cyber incidents, planning disclosures, and validating security programs.
While the board grasps the gravity of cyber risks, they often lack fluency in the esoteric language of threats, vectors, and controls. This gap poses a strategic communications challenge. Boards need crisp insights tying cyber risk to business outcomes and they require clear plans to tame those risks.
As security leaders, we should bridge the divide as translators, educating boards in plain business speak, not technical jargon. We must contextualize threats within business priorities like customer trust, service resilience, and market position.
The new SEC rules confirm cyber risk is permanently entwined with business risk. Our reporting should reflect this new reality. With boards on high alert, our mandate must be to illuminate the path ahead.
Ah, the conundrum of proving return on investment (ROI) in cyber security. The board is more involved in security investments than ever, but they're not expecting a dollar-for-dollar ROI. Instead, they want to know how investments in security correlate with a safer, more robust enterprise architecture.
Here's an interesting exercise: As you prepare for the next board meeting, don’t just pass along numbers – narrate impact, tell a story. No, not a fairytale—a real-life example of how your team's quick actions averted a cyber-disaster. You’ve replaced your VPN with Zero Trust Network Access and deployed a shiny new XDR system? Great. How did these affect your ability to protect users and reduce incident response time? You should still provide numbers, but make sure those numbers tell a story.
Of course, not every success is easily quantifiable. But even for intangible benefits like boosted reputation, we can proxy metrics to estimate value. The key is to tie programs and spending to risk mitigation that maps to corporate health and performance.
This framing shifts cyber security from a cost center to a strategic function that builds business resilience. Wise investments demonstrate how security acts as a competitive shield, allowing intelligent risks that enable growth. That bigger picture is the true ROI boards care about.
If we're slicing through the nebulous terrain of modern cyber security, the elephant in the room is Artificial Intelligence. As we stitch GenAI into the fabric of our cyber security strategies, the board is sitting up, taking notes, and, yes, raising eyebrows.
Why are they a bit antsy about AI? Let's take AI chatbots, for example – phenomenal for customer service automation, but what happens when they become the conduits for disinformation or data leaks? The board wants reassurance that proper governance, explainability, and fail-safes are in place as AI is adopted.
The ethical mazes around facial recognition, copyrighting AI, and a Pandora's box of deep fakes aren't just dystopian themes for a streaming series. They're real, and they're happening now. And to add another layer, our boards aren’t just passive observers. They are potential targets of AI-driven cyber threats. So, how exactly are we safeguarding them from becoming another vector for attack? The boardroom isn't just "discussing" AI; they’re questioning and probing, and cyber security teams are in the spotlight to provide some much-needed answers.
In boardrooms, the narrative around security is shifting. Increasingly, the board sees it as a culture rather than a department. It's the "Security is everyone's responsibility" mantra, but elevated to a strategic level.
While historically, human error has been the Achilles' heel of security — flipping the script can turn the human element into an asset. Employee training can be more than just a compliance checkbox; it can be a strategic weapon.
Picture this: A well-trained employee foils a phishing attempt that could have cost millions. Now, that's a narrative they would love to hear, right? The human element is not a bug—it's a feature. Let’s not continue to blame users when they accidentally click a malicious link. Instead, get employees involved and invested in cyber security and create a blame-free culture within your company. Wrap users with cyber protections that allow them to work safely and be more willing to report things they find suspicious. And don’t forget to include the board in your culture of security. Ideally, security culture trickles down from the boardroom and bubbles up from everyday actions.
Cast your mind back to the SolarWinds breach. Sure, we categorized it as a cyber security event, but wasn't it essentially a chapter in a sprawling geopolitical saga? Your board is keenly aware that the cyber security playing field extends well beyond the walls of your organization. It's an intricate part of the global landscape now.
Geopolitical dynamics have officially RSVP'd to the cyber security conversation, and they've brought along some complex plus-ones: Nation-state threats, hacktivists, data sovereignty, privacy, and international compliance issues. Remember, we've graduated from considering these topics as someone else's headache; they're yours now, too. And this is especially pronounced if you work in an industry considered "critical infrastructure."
What does this say about the scope of your responsibilities? It tells you you're on the same wavelength as the board. In your next board-level meetup, introduce some insights about how shifting geopolitical landscapes could play out in your cyber security strategy. Their ears will perk up.
Traditionally viewed as a cost center, cyber security has evolved into a business unit that contributes to strategic decision-making. This change in perception is the most significant paradigm shift for security teams in recent years. Your board knows this and wants you to recognize it, too.
So, what does this mean in terms of your dialogue with them? It's not just about laying out the latest intrusion detection stats or firewall efficacy. Instead, paint them a picture where cyber security is the keel stabilizing the corporate ship, allowing it to take on stronger winds and higher seas—read: Market opportunities and business innovations—without capsizing.
What's stopping you from becoming that strategic guru who seamlessly intertwines security considerations into the very DNA of your business model? Nothing, except perhaps old habits and outdated perceptions. Consider this your clarion call. The next board meeting shouldn't just be an update; it should be a revelation. The stage is set for you to transform from a guardian to a guide, from a gatekeeper to a pathfinder. Get ready to pivot.
Are we ready for this? Are we willing to pivot from the “Department of NO” to the catalyst that helps the company proclaim a strategic “Yes”?
To quote William Gibson, "The future is already here—it's just not evenly distributed." It's time we extend our cyber security wisdom more broadly within the organization, starting with the board. So the next time you hear the word 'boardroom,' don't think of it as a spectator sport – consider it an invitation to be a strategic player in shaping the future of the business.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
John Engates — @jengates
Technology Officer, Cloudflare
After reading this article you will be able to understand:
The paradigm shift of security as a department to a company-wide culture
How to up-level the security conversation in the boardroom
The importance of delivering impact over numbers