Getting company directors on board with cybersecurity

Mark Anderson, National / Chief Security Officer at Microsoft Australia & New Zealand


As cybercriminals become increasingly sophisticated and collaborative in their attacks, organisations need to be equally collaborative and well-rehearsed in their response. With 156,000 business email compromise attempts detected each day according to Microsoft’s latest Cyber Signals report, Chief Information Security Officers (CISOs) and Chief Technology Officers (CTOs) are asking how they can communicate effectively with boards and senior leadership teams to ensure everyone understands their role in cybersecurity.

This was a topic that came up frequently in conversation at Microsoft’s recent Cyber Innovation Tour in Redmond, attended by in-house security leaders from 30 major public and private sector organisations across Australia and New Zealand. How can we create the right cyber mindset to achieve buy-in at board level, without creating panic?     

Re-framing the issue in the right language 

The first step is guiding boards and senior executives to think differently about cybersecurity, rather than treating it like a typical technology project that has a defined ending. It’s not like a typical implementation that costs X dollars and is done in 18 months, with Y return on investment. It’s an ongoing investment, which is always a harder sell. That’s why it’s key to emphasise the ongoing benefits (and risks) using the language that will resonate best with your board.

For starters, not only does up-to-date security allow your organisation to maintain crucial operations and service, it also enables safer innovation in new areas (such as AI) with less risk, knowing that the guardrails are in place. On the flip side, the consequences of inadequate investment could be catastrophic, including loss of reputation, loss of customers, and even loss of the business.  

Boards talk in the language of risk. However, the risks will be different for every organisation. It’s important tech executives use examples and language that are relevant to the business they’re in. For a financial services organisation, potential losses in dollar values would carry huge importance. For a critical infrastructure business, it could be vital services that would become unavailable. For high-risk environments like mining, energy or railways, it could be the health and safety of your workforce that’s compromised.  

When having conversations with boards and senior leadership teams, knowing the things that are most important to them is crucial to painting an accurate picture of the cyber threat and achieving the level of awareness that ultimately drives action.  

Although images and charts might seem like the obvious way to explain the cyber landscape to your board, some of our customers on the tour have found the opposite. Without an in-depth understanding of cybersecurity and of what particular figures represent, it’s easy to misinterpret visual data. In fact, written explanations tend to get the facts across more clearly – provided they avoid using acronyms, which are just as likely to confuse the average business leader.

Once they understand what the stakes are, the next question from any board will likely be how they can prevent these assets from being compromised. Now is the time to jump into the practical side of things. Walk them through the steps that will help them mitigate threats or reduce risk to acceptable levels, and educate them on the actions they can take.

Take them on a tour of the landscape 

Most board members will be aware of the rising cyber threat, without being across specific details of what that looks like. As every cyber professional knows, understanding the changing trends is key to an effective defence. That’s why helping board members and C-suite executives understand the current means and motivations of cyber criminals is critical. Why might they attack? What would they be looking to gain? How would they do it? This allows leadership teams to develop up-to-date mitigation strategies – and back CISOs to do their jobs well.  

Microsoft’s Digital Defense and Cyber Signals reports are a helpful guide for these conversations. The latest insights around the rise of business email compromise and the increasing targeting of unsecured IoT devices will be particularly relevant. Arranging to present these kinds of reports at board meetings when they are released – couched in the relevant risk language of your leadership team – is one way to keep everyone informed.  

We are hearing from CISOs that one of the biggest hurdles to overcome is helping boards of directors to understand that the risk will never be anything less than high. Companies often seek to “get to zero” – zero waste, zero carbon, zero accidents, etc. An environment where there can never be zero vulnerabilities is confronting. That’s why reporting needs to “shift left”, providing broader context across the world and the business to illustrate how cyber strategies and defences are keeping up with change, and how this is supporting business objectives. This means reporting on threat intelligence regularly, even if the figures don’t change much, to demonstrate how things are holding steady. 

Whose job is cybersecurity? 

Many CISOs told us they’re facing the same challenge of trying to take on the entire security response themselves. However, if an incident happens, recovering the digital environment is “the easy part” (in a sense), as there is an industry dedicated to finding and ejecting adversaries from networks and rebuilding them. It’s repairing stakeholder and customer relationships that generally takes more time and resources.

In a cyber crisis, the board’s role is to chart the path through and ensure that the organisation comes out the other side in the strongest possible position. They are the ones who need to communicate with stakeholders and customers to provide ongoing updates and reassurance in the event of an attack and decide which actions to take in the event of a ransom demand or legal challenge.  

Customer retention and reputation management require a whole-of-organisation response. Encourage the board and senior leadership team to develop a cyber response plan that clearly reflects everyone’s responsibilities, so every team member knows what they need to do – and as CISOs, you can get back to the front line of defence.

If your organisation already has a cyber response plan, it could be time to review it and simulate a breach. CISOs should call for this to be tested at least once a year, using different scenarios. Some organisations mentioned that they had a crisis plan, but when the worst happened, the incident exposed gaps in the strategy – things such as who needed to advise regulators or manage customer enquiries. It simply isn’t possible for one person to do everything when the situation is unfolding at speed, and while the media are on the phone. Testing crisis scenarios is a good way to highlight any flaws in the current system, and a great way to get boards really on board.

It’s also key to throw in curveballs. If everyone always uses the same fire exits in a simulated evacuation, there’s no opportunity to test what happens if that exit is blocked, or someone is injured. Adding a little chaos to the plan is the best way to stress test the resiliency of an organisation’s response. 

Playing the long game 

The road to complete recovery after a cyberattack is a marathon. There is no easy answer as to how long this will take, depending on the severity of the attack and the data compromised – it could be a year or more before the company is back to where it was. This will take up a high proportion of the board’s time, with out-of-cycle meetings and ongoing stakeholder and customer communications. It could be worth talking to them about forming a specific committee to create and enact a recovery plan.  

CISOs are calling for more tech professionals on boards to support in this. This will be even more important with the forthcoming Security of Critical Infrastructure legislation in Australia, which requires every board member to sign off on risk management strategies. In the meantime, directors are often afraid to ask “stupid questions” because these will be noted in the official records. Regular learning sessions, away from formal board meetings, provide a critical but safe forum for cyber communication.

Ultimately, it’s tough to govern what you can’t understand. A few simple communication strategies can make aligning on cyber risk much easier for CISOs and boards alike.