Shoemaker’s CISO and Board Walk the Talk on Cyber Risk

The CISO at a well-known shoe manufacturer and retailer is in an enviable position. His company’s board of directors recognizes cybersecurity as a key business priority, maintains a reasonable understanding of the topic, and fully supports the CISO’s efforts to maintain a cybersecurity posture in step with the company’s business objectives. 

That wasn’t always the case, though.

Building that relationship with the board is something the CISO put concerted effort into from day one. During his first 12 to 18 months on the job, he focused his interactions with board members on building trust and improving their cybersecurity understanding. Maintaining open lines of communications, placing cybersecurity in the context of business priorities, and providing continuing education has proven to be a productive framework for enlightening the board and enlisting them as allies in managing cyber risk.

Now three years into his role, the CISO describes a board of directors that is cyber aware and taking an active role. Cyber security is addressed in a detailed review every six months, as well as in regular meetings of the board’s audit and risk committee. “It's not just a page turner subject,” said the CISO. “We go into quite a lot of detail with regards to achieving the level of maturity we want to achieve.” Some non-executive directors will come directly to him to ask questions and discuss their concerns. 

That level of engagement and knowledge is critical. Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook, a report based on in-depth interviews of security leaders, notes: “The injection of cybersecurity insight at the board level increases the likelihood that leaders will invest in the right mix of technology, tools, and training the business needs to combat cybercrime more effectively.” The report also indicates that having a board filled with members who are willing to learn and grow their knowledge is an advantage for cybersecurity leaders.

Welcoming Board Oversight as an Opportunity

In some organizations, security leaders fear the board — and, more specifically, the board’s audit and risk committee — because they may point out where the cybersecurity team falls short. But that’s the wrong viewpoint. “I see the board as a friend to push my agenda,” the shoe company CISO said. 

If an external audit raises a red flag, the board can play a crucial role in pushing for an increase in budget or a change in operations or process to mitigate that risk. So, rather than fear board level reviews or input, the CISO welcomes them.  He said, “I normally view it as: ‘Show me where it's going wrong. If I've missed anything, let's go and fix it’.” Understanding those gaps creates an opportunity to close them by building up a team or adjusting strategy, the CISO added.

Building a Mutual Understanding 

Taking time to understand each director’s area of responsibility also goes a long way toward fostering positive relationships with board members. “If you've made time to understand their area of business,” the CISO said, “they will make time to understand your area as well.” 

Indeed, the directors at the shoe manufacturer have shown interest in activities such as lunch-and-learns and cyberattack simulation training. The board members are busy people, but they find the hands-on training useful. “There's a lot of interest in self-learning and self-studying, which I've never seen before in any organization,” said the CISO. “I do think it's an indication of cyber risk being one of the prime risks for most, if not all organizations today.”

In addition to providing those educational opportunities, the CISO can also ground the board’s perception of cyber risk by putting it in the context of the company’s business objectives. “You need to make it real to the board in terms of what effect it could have on the business,” the shoe company CISO said. If, for example, a security maturity improvement in marketing would slow down that department for several weeks, those changes might be delayed since the level of risk is low. 

The Importance of Being Aligned 

While some level of security maturity is the goal, it should not be achieved at the expense of operations. After all, the company’s goal is to sell shoes, not security, the CISO said. Any decision he makes has to align business strategy. “Am I investing just for security purposes or is it actually going to add value to the business objectives?” he asked. 

That requires understanding the organizations’ appetite for risk and evaluating what level of security maturity the company can achieve in certain operations without slowing the business down significantly. “In my experience, cyber risk consideration depends on the type of activity and its potential impact to the business,” said the CISO. “If a risk is raised, we would measure how the cyber risk could impact business risk, or we measure cyber risk versus business risk, which then influences how we manage that risk.”

This applies to the company’s engagement of third parties as well. The CISO often reviews the security maturity of suppliers the business is considering working with, examining the contract during negotiations to ensure that security and privacy clauses are sufficient and flag any potential risks. There have been cases where the CISO has indicated that the supplier under consideration lacked certain security controls and the business walked away from negotiations to find someone else.

Over the past several years, the CISO has made significant investments in cybersecurity awareness training, implementing controls and technology, and growing his organization to a staff of 13. With talk of possible recession and many companies looking for ways to tighten their belts, the CISO sees an opportunity for optimization. Looking forward, he says, the focus will be on “improving and maturing that investment, rather than just asking for money for the sake of asking,” he said. Cybersecurity can best contribute to business goals by identifying opportunities to consolidate without sacrificing security. 

Inciting Action without Alarmism

When communicating cyber risk to the board, don’t be an alarmist, the CISO warned. Slide decks showing lawsuits and regulatory fines as a result of data breaches won’t move the directors – they are likely already aware of the risks making the news, he said.

The CISO doesn’t present to the board tallies of blocked emails or detailed breakdowns of incidents averted, either. He does, however, provide briefings on particular threats in the news when requested. Recently, the board asked for an update on the Log4J vulnerability, seeking reassurance that the issue would not cause security concerns within the company. 

The non-executive directors can often bring a supportive perspective based on what they’re seeing in their own companies. “It's good to have someone there to help your agenda,” he said. “It makes decisions much easier.” 

Board members are also involved in the management of certain security incidents. Three board members as well as other officers (such as the regional president where the incident took place, for example) participate in the emergency response team. They receive daily reporting on the response and mitigation activities. The report, issued at the end of each day, “allows us to continue working on managing the incident, so we're not just focusing on reporting and sending comms out.” 

Even when security incidents happen, the reporting is not focused on placing blame. That is a very important mindset, the CISO noted. His board understands that security incidents do happen — something he has made clear to the board of any company for which he’s worked. “Any CISO telling you can have 100% security is lying to you. It's more about what we're implementing to manage the business out of that incident successfully and protect brand and share price,” the CISO explained. Hearing that message from the start and participating in incident response gives the board confidence in the company’s cybersecurity stance. 

The Bottom Line

Maintaining and maturing cybersecurity is a two-way street: informed and engaged board members take on part of the collective responsibility for the company’s security posture, and the security staff also takes an active interest in the board members’ areas of operations and how security measures can affect operational flow. Cybersecurity awareness training programs can help improve knowledge and bring board members to the table, but the security team has to keep in mind the business objectives of the organization as well. 

Read more in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook.