CISO Partners with CIO and CFO on Board Relations
For the CISO at a financial services company, collaboration with peers in management on board communication yields ongoing support for cyber strategy.
• A mortgage services provider’s first CISO enlisted business partners in building a constructive relationship with the board of directors.
• The CISO partnered with the CIO to triage talking points that align with the board members’ level of cyber knowledge.
• A standing budget meeting with the CFO is an unusual but effective means to prioritize cyber budget requests and review ROI before bringing them to the board.
• A “no exceptions” approach to cyber awareness training means everyone, including the board, is involved in creating a strong cybersecurity culture.
In a heavily regulated industry like financial services, cybersecurity is a growing concern. Not only are regulators paying closer attention to how companies safeguard their data, but so are corporate boards. The job of the CISO keeps growing in importance in this industry, and a significant element of the role is working with the board of directors to manage cyber risk.
That’s certainly been the case for the CISO of a mortgage services provider. He joined the company in 2021 and was tasked with improving its security posture, which had been under the supervision of the IT department. “Cybersecurity has the full support of the executive team and everyone here,” the CISO said. “You have a good amount of power to wield because it's that important to the company. I've never felt more backed.”
Founded in the wake of the 2008 housing market crash, the company offers solutions to mortgage lenders and servicers, and has recently been in high-growth mode, expanding its operations 540% in the last three years. Such growth brings added security concerns, and the company had committed to a number of investments in information security, including the new CISO role. Its board members’ understanding of cybersecurity, however, had been limited.
Two years into the CISO’s tenure — thanks to strong executive support, close working relationships with key business peers, and frequent communication with the board — it’s all hands on deck in managing cybersecurity. “In my career, I've experienced boards and CEOs that really treat cybersecurity as an 'I have to do this once a year' type of thing. They tick the box, and there's not much more involvement,” the CISO said. “The company that I'm at right now, it's a 180 from that.”
As noted in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook, many companies now recognize that strategizing on cybersecurity must be a board-level priority. In-depth interviews about perceptions of cyber risk at the C-suite and board levels underscored the need for security and technology leaders to clearly communicate cyber risk and the critical role cybersecurity strategy plays in business operations in order to ensure ongoing board support.
Open Doors and Ongoing Communication
It’s important to have clear lines of communications both top-down and bottom-up, the CISO explained. Everyone at the company, from the board to his own staff, knows they have a “bat-line” directly to him for any security concerns. And board members have not been shy about using it. Several directors reached out to him in the wake of reports about the Log4J vulnerability and the SolarWinds supply chain attack, for example.
In addition, the CISO meets with the board at least once per quarter — more often if a major cybersecurity issue surfaces. The CISO sees the company’s CIO as a partner in board communications. Together, they determine the most important topics to bring to board meetings at a level relevant to the board’s cybersecurity understanding and business risk responsibilities. “There are certain things that you don't want to say because people would run around with their hair on fire if they truly understood the innards of what goes on,” the CISO said. “You have to formulate these things in a manner that makes the most sense for that audience.”
A roadmap divides the company’s cyber priorities into three categories: regulatory issues, client concerns, and internal security assessments. Together, the CISO and CIO score the company’s performance in each area and present results to the board in chart form. The quarterly reports keep the board apprised of the overall effectiveness of cybersecurity as well as the CISO’s and CIO’s top security concerns and goals for reducing risk.
Every month, the CISO also provides a written update on security to top management as well as a video report sent to all employees. His five-minute videos might cover how the company performed during a recent phishing simulation or new threats to watch out for, along with a five-question assessment on pertinent cybersecurity topics.
The CFO as Fiscal Ally
The company’s commitment to cybersecurity is reflected in its funding of it. The CISO has been able to increase investments in tools and staffing, most recently hiring a cloud architect to bolster security for the organization’s multicloud environment.
When it comes to budgets, the CISO is deliberate and selective when approaching the board. The company’s CFO is the conduit for those requests. The CISO meets with the CFO once per quarter to review the cybersecurity budget and parse any upcoming requests to avoid catching the C-suite or board by surprise. The approach is a departure from other companies, where “in October, everybody runs around to make up their budget for the next year,” said the CISO. He and the CFO then prepare a deck for the board with a three-year outlook on key cybersecurity expenditures and how they are expected to pay off in security improvements.
“It doesn't always mean that because it's in the budget, it gets bought,” the CISO explained. “It just means that they know there are line items we’re anticipating a need for purchasing in the future.” Some expenses can have a material impact on the financials of the company, so it pays for security to be conscious of the conditions at the company and maintain transparency about what expenses might be necessary to keep evolving security, he said.
Evaluating Business Decisions for Cyber Risk
The company is also frequently audited by its own clients, which include mortgage lenders and servicers. Those companies would pull their business from a partner that cannot demonstrate sufficient measures to secure their data, the CISO noted. So, having cybersecurity baked into business processes is crucial.
The CISO is also involved in significant business decisions at the company, such as reviewing vendor agreements and evaluating potential acquisitions in the context of cyber risk. His team will evaluate the other party’s controls, policies, procedures, and risks. “It’s not an afterthought,” he said.
The company’s leaders have yet to call off a deal as a result, but the CISO believes they would if necessary. The practice also gives an early indication of the remediation costs likely to follow once a transaction closes, which can then be factored into negotiations.
Equal Opportunity Cyber Awareness Training
The CISO’s involvement in business decisions and the board and C-suite’s involvement in cybersecurity strategy is all part of a culture of shared responsibility, continuous communication, and collaboration around cyber. That starts from new hire onboarding and flows throughout the organization, the CISO noted.
“Security is tough. You're trying to get a lot of work done through other people that you don't control,” he said. “If business groups, peers, and the executive leadership team don't align with that, the company’s culture is not ideal for fostering a healthy cybersecurity environment.”
That’s not the case at this company. It has a “no exceptions” rule when it comes to security awareness training and practices, for example. InfoSec works closely with HR and training teams to deliver cyber awareness training, track learning plans, and manage reporting and communications. Everyone from the CEO and board members to front-line employees takes part in training and phishing simulation exercises. Those who score below a certain threshold must complete a short training module. Anyone who continues to underperform or fails to complete the training can be terminated.
With a near-100% completion rate for cybersecurity awareness training, however, the CISO has never had to enforce that rule. “We lead from the top on that,” he said. “That's how we actually carry this around and say: ‘Look, our CEO is doing this. Why aren't you doing it?’”
The Bottom Line
The importance of board-level support to the cybersecurity function can’t be overstated. But it must be cultivated by the CISO with ongoing education and communication, tailored to the understanding and needs of busy board members. Wise CISOs enlist C-suite peers like the CFO and CIO to strengthen board relations and secure investments for cybersecurity tools, talent, and awareness training. Continuous communication, through regular security updates and an open-door policy, also helps foster a closer relationship with the board and a stronger culture of security.
Read more in Mimecast's Behind the Screens: The Board’s Evolving Perceptions of Cyber Risk eBook.