How Board Members Can Help Align Security and the Business
When the SolarWinds Corp. cyberattack was discovered at the end of 2020, it sent a shock wave through security teams across the world. Because the attackers reached victims through a trusted vendor's own software update, those teams were faced overnight with the realization that a third party can leave an organization just as exposed as if it had forgotten to lock its own back door.
And yet it wasn’t only security teams that felt the impact—SolarWinds’ boardroom reporting structure also underwent change. As CEO Sudhakar Ramakrishna commented at a virtual event three months after the attack, “We are creating an independent organization to build that level of capability, comfort, and seat at the table with regards to our CISO [chief information security officer].”
The fallout from SolarWinds was widespread, from federal agencies to Fortune 500 companies. But it is by no means the only example of a lack of alignment between the business and its cybersecurity efforts.
Business-security alignment is fundamental to protecting business value and creating resilience. Organizations should elevate the cybersecurity discussion so that the board and its leaders are more involved in helping secure the business. Yet, a year and a half on from SolarWinds, there’s still work to do to close the gap between business leaders and security leaders.
We all recognize the crucial role board members play in the governance and oversight of the business. But as key influencers of the direction of the business and its outcomes, they should also understand every moving part, which, from a security perspective, means what types of risk are being taken, what mitigating actions are in place, and whether the residual level of risk is acceptable for the enterprise.
Here are three questions board members should consider when helping their organization see cyber risk as a business issue:
Is our security strategy aligned with the business strategy? As SolarWinds’ Ramakrishna recognized, the security function should have a seat at the table and fully participate in the development of the business strategy and its priority initiatives. Boards should own cyber risk and exposure alongside disruption and systemic risk as their organizations embrace more digitalization; this is about overall business risk, not just information technology (IT) risk.
Where’s the value in our cyber capability investments? Board members can help assess the value the organization is getting from its cyber investments. By scrutinizing cybersecurity spending against the outcomes it generates, directors can steer investment toward the capabilities that enable the business strategy, reduce risk, and improve business resilience.
Do we understand our organization’s vulnerability posture? SolarWinds highlighted the importance of third-party and supply chain risk, and that remains a key vulnerability issue today. Board members should be aware of the organization’s crisis management and incident response capabilities, and of the risk posture of its business partners and third-party providers. Handling a major incident involves the enterprise and its key crisis ecosystem partners, from law enforcement to crisis communications to cyber forensics and response to external counsel and beyond, and the board is equally responsible for rehearsing its own part in that response before a major incident occurs.
Board members should be able to tell whether the organization’s leaders are working collaboratively and effectively with the cybersecurity function. Is the only time the board has cyber risk on the agenda when the CISO is in the room?
By insisting that cybersecurity is part of broader business discussions, boards create greater ownership across the whole business. Cyber risk is a business risk, not just an IT risk. Yet many organizations still do not have the right balance: cybersecurity is seen as an IT issue for the CISO and chief information officer to fix, with no sense that the business shares ownership as part of a collaborative duty.
In an earlier article, I pointed out that the US Securities and Exchange Commission’s latest cybersecurity proposal would require publicly traded companies to disclose certain details about an organization’s board’s cyber expertise, and how it governs cybersecurity. It’s a proposal that could fundamentally alter board behavior and could help protect organizations when the next, inevitable cyber incident happens. These actions are likely to increase pressure on private and nonprofit boards to take similar steps.
Boards have an opportunity to get in front of this issue. If board members strengthen boardroom behaviors and cyber-risk oversight, they can not only reduce cyber risk but also enhance cyber resilience and deliver better business outcomes.
Bob Kress is a managing director at Accenture Security, where he is the cochief operating officer and the global lead for quality and risk.