Speaking the Board’s Language Builds Cyber Support

When the CIO of a Sydney, Australia-based international law firm stepped into his role nearly six years ago, its board was comfortable with cybersecurity as a subset of the firm’s broader IT strategy. “They wanted to make sure it was on my agenda, but it wasn’t an area that they wanted to drill into very deeply,” the CIO explained. 

Fast forward to today: Cybersecurity has its own dedicated strategy under the CIO and a dedicated reporting relationship into the board’s business risk subcommittee. What’s more, the board “wants to hear about cybersecurity at every single meeting,” the CIO said. Last year, the CIO became a permanent member of the risk committee to provide his perspective on business risks.

That shift, the CIO says, came about not only as a consequence of market pressure and the unrelenting drumbeat of cybersecurity breaches in the news, but also the ongoing cybersecurity education he has provided to board members. 

The law firm’s board now understands that cyber risk is a critical aspect of business risk, the mitigation of which they must take a lead role in overseeing — a trend underscored in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook, which highlights business and security leaders' perceptions of cyber risk at the C-suite and board level. The research revealed that boards increasingly recognize that any weak link in security architecture can put an organization in jeopardy. Further, boards are beginning to consider fundamental business decisions within the context of cyber risk management.

Knowing Your Audience

The natural talent of the law firm’s CIO is in software development, but over the years he developed a strong aptitude for communication and an appreciation for the importance of knowing his audience. That’s particularly valuable when working with board members of varied cybersecurity experience, most of whom are partners in the firm. 

“We've spent a lot of time on communication, learning to translate cybersecurity information into the business language of the board,” the CIO said. “There’s a lot of cybersecurity terminology that they just don't — and shouldn’t — care about.” What they do care about are business operations and business risk. “I'm not just saying, ‘Here's a new technical thing we need because it reduces this technical risk,’” the CIO said. “Speaking the board's language has been absolutely pivotal.”

When big breaches are in the headlines, the CIO is proactive about addressing them. “I make an assessment about whether our executives or the board will want to know about it. Then I explain the things we are already doing to mitigate that particular risk in our environment. It helps to build trust and shows that we’re being proactive.”

To confirm he was on the right track communication-wise, the CIO would check in with different board members to gauge how his updates were received. “I’d ask them ‘How is that landing?’ or ‘Did that resonate?’ or ‘Do you want me to do anything differently?’ to make sure I was giving them what they needed rather than what I thought they needed.”

In many cases, much of what the cybersecurity function does is invisible to the rest of the firm. But there are situations in which addressing an emerging cyber risk means shaking up the status quo. In those cases, which are more frequent, the CIO explains his rationale to the board. “There are quite a few things that we are doing now that may add friction or require changing processes,” the CIO said. “So, we have to make sure we are bringing the board along and helping them understand how this is reducing a risk.”

The CIO is leading a new data governance effort that he expects to impact “business as usual”. “The firm’s position had been to keep all the data that we can,” the CIO explains. But the more data the firm accumulates, the more data there is that could be weaponized against the firm. The CIO’s goal is to get rid of data that is no longer actively utilized. “There will continue to be cases where partners or clients want us to go back to cases from 20 years ago. So, we’re having those conversations about the tradeoffs involved.”

Building Trust, but Enabling the Board to Verify

The CIO’s reports to the board have been essential to securing support for cybersecurity strategy and investments. So, too, have the CIO’s invitations to board members to come to him with their concerns. “It all comes back to how can I get the board to trust me, but also provide them enough data points to verify that they can trust me,” said the CIO. “I want to show them whatever they need to know. They can ask me anything.”

That opens the door to ongoing dialogue about what the board members are thinking about and how the CIO’s team is addressing those issues. “We’re building that level of trust, but also showing them that these are the controls we have in place and why I think they’re good. That gets them to think about what other issues they might want to understand through a cybersecurity lens, too.” 

Last year, an insider fraud incident in the news got some board members wondering about malicious insider threats to data. “They wanted to drill down into this particular risk type and really get an understanding of how it happens and what we’re doing to manage that risk,” the CIO explained. The CIO partnered with HR and Finance to explain the layers of existing controls the firm uses to manage insider threats and flag suspicious activity. “There was an active conversation with the board as we explored the various avenues a malicious insider could pursue, whether the aim was theft or a technical attack. We were able to give them some confidence in the fact that this wasn’t the first time that we had thought about these risks and that we already had a mature risk program in place to deal with these threats.”

Managing Third-Party Risk

Cyber risks the firm is exposed to by suppliers is another hot topic at the board level. In the cloud computing era, “people can just buy a service off the shelf and give whatever data they want to these suppliers,” the CIO said.

Recently, one of the firm’s vendors was breached. “We felt how that can impact us and our clients. That’s really sharpened the mind as to what else we can do there.” Board members were looking for assurance from the CIO that the firm has sufficient protections in place to mitigate third-party supplier risk, and the CIO was looking for support from the board to increase those protections with new workflows for onboarding suppliers. “It’s about understanding the types of data our third parties have and how they’re protecting it to make sure we’re comfortable with how they’re managing and securing that data on our ꟷ and our clients’ ꟷ behalf,” the CIO said. 

Because the risk of a data breach is ever present, though, the CIO is also reassessing the firm’s own incident response capabilities. “On the assumption that a breach will occur, we do simulations of what that will mean and how we respond,” the CIO said. “The processes, technology, and staffing required to aid us in that have been a part of our recent board conversations.”

Making Cybersecurity Everyone’s Job

Technology and security leaders know well the limits of security tools in protecting their organizations against cyberthreats. The vast majority of data breaches involve human error. Yet at the law firm, as in most organizations, “there’s still that undertone of ‘Can’t security just handle this for me,’” the CIO said. “It’s understandable; there are a lot of controls that we alone do handle.”

The firm’s board, though, recognizes the impact that one person can have on the firm’s security posture and is supportive of the CIO’s security awareness and training efforts. The CIO sends out a monthly newsletter to the whole firm highlighting new or particularly cunning cyber ploys his team is seeing. “I’ve been getting good feedback that it’s helping people understand the types of attacks and the impacts that they could have,” the CIO said. 

The newsletter complements regular mandatory training modules, phishing simulation tests, and technical consequences for those who fail to participate. “We've come a long way from five odd years ago when cybersecurity training was done once a year, and everyone hated it. Now, we bring cyber training to the firm every single month, sometimes multiple times in a month. We keep pushing and saying there is more that we could do. And the board agrees, so we keep evolving our education program.”

The Bottom Line

Building a constructive relationship with the board takes time. Scheduled updates grounded in business operations and risk management as well as ongoing dialogue with board members about the latest threat vectors and security strategies help them better understand cyber risk. Over time, these efforts foster trust among board members that the cybersecurity team is doing the right things and also gives the board the ability to verify that the right protections are in place.  Read more in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook.