Interview

A conversation with Christopher Hetner on the relationship between the CISO, the Board of Directors and SEC Cybersecurity Guidance

SEC Specialist Chris Hetner is a former U.S. Securities and Exchange Commission Senior Cybersecurity Advisor who has assisted HKA as Strategic Advisor.

This is the third article in a four-part series discussing the involvement of the U.S. Securities and Exchange Commission (SEC) in the ongoing and ever-evolving cybersecurity landscape. This article is based on an interview conducted by Eric Krawetz, Associate Consultant, HKA Global, Inc., which discusses the tripartite relationship between the Chief Information Security Officer (CISO), the Board of Directors and SEC cybersecurity guidance.

Chris, thanks for taking time to speak with me today. As you are aware, cybercrime has drastically increased since 2010, with attacks on Colonial Pipeline, SolarWinds, and Kaseya making headlines more recently. Considering this, I appreciate the opportunity to speak with you about the Chief Information Security Officer’s (CISO’s) relationship with the board and how cybersecurity—specifically, the U.S. Securities and Exchange Commission’s (SEC’s) interpretive guidance—plays a role. With cyberattacks on the rise and damages from cyberattacks costing trillions of dollars, how does the C-suite—specifically, the CISO—go about aligning cybersecurity investments to overall business goals?

Good question, Eric. The CISO cannot protect what is unknown. This internal alignment starts with a comprehensive inventory of IT assets, external suppliers, contractors and employees. It starts with an understanding of an organization’s attack surface, the number and breadth of internal IT assets including supplier relationships and employee awareness. It is also important to understand the attack vectors an attacker can use to compromise your company. Then you can prioritize those IT assets based on business risk through a comprehensive risk assessment. This requires the CISO to engage various stakeholders across the enterprise, including but not limited to business leads; the risk management organization; and compliance, legal, and finance personnel. Once you have a 360-degree risk view, you can assign values across your internal IT assets with input from the various stakeholders. From there, CISOs can help prioritize your investments, your protections, and your strategies as you move forward. In fact, the SEC requires companies to maintain protocols that enable them to determine the materiality of cyber risks and cyber incidents as they pertain to their business, financial, and operational conditions.

What types of reporting regarding the overall health of one’s internal cybersecurity program and material risks should be presented to the board?

The board typically comprises financial professionals, strategists, general risk management professionals, and former executives who have run various large enterprises and organizations. I find it useful to express cyber to the board using financial analytics and metrics that are very much in line with the overall business strategy, provided you have input from the various stakeholders across the enterprise and provided the enterprise risk assessment results are delivered to the board. Moreover, the SEC requires companies to disclose the board’s involvement with the oversight of cyber risk and how the board administers its oversight. A description of the relationship between the board and senior management is also required by the SEC, as it pertains to the management of material risks facing the company. Ultimately, this gives the board something that’s actionable, understandable, and helps them exercise their fiduciary responsibility because you’re speaking a language that resonates with the board and can help execute investments and shifts in your organization to best protect the enterprise.

Circling back to reporting, to whom and where should the CISOs be reporting?

The CISO role is traditionally part of the technology function. The CISO deploys tooling—which is the implementation of technology controls to defend the enterprise—and responds to incidents, and quite frankly, continuously puts out fires. With that, you must strike a balance between the day-to-day operations, the independent oversight, and the independent reporting line outside of IT. Additionally, you want the CISO to strike a balance between reporting to a risk management function that also has some type of dotted line, or reporting line, to the IT function; this way you have the ability to provide a level of independence around identifying risk exposures and influencing the technological hygiene. The CISO, ideally, should not be reporting to IT operations; CISOs should be outside of those day-to-day operations because their job is ultimately to provide a level of independent risk oversight that challenges how well IT operations are functioning and protecting the enterprise. You want that healthy balance between security and the organization’s daily IT operations, but also a level of independence so CISOs can effectively challenge the IT organization. This will then be reflected up to the Board of Directors through some type of risk committee or risk function that oversees cyber and includes other facets of risk that are relevant in the cyber domain, such as supply chain risk and operational risk.

We’ve discussed the functionality and the general role of the CISO, but how does the CISO build that essential trust within the C-suite, as well as with the board and other corporate executives?

The CISO, ideally, should be engaging with the overall company strategy. By doing that, they gain trust because they’re leaning in with the business to understand what motivates them, what supports their profit, and how their business strategy aligns to the overall enterprise strategy, and this serves two purposes. First, you’re showing interest that you’re not just dealing with or addressing the technological cyber side of the enterprise, you’re showing interest in the business. Second, it helps for you to calibrate your cybersecurity program accordingly by making strategic investments that best align to the company’s strategic business exposures. These strategic efforts also enable management to align cyber risk to business and financial exposure, as expected and driven by the SEC. You are building trust by temporarily taking your CISO hat off and having that dialogue with the business to express interest in terms of what motivates them and what their priorities are.

Sticking to the theme of communication, how can an organization’s CISO effectively communicate cybersecurity plans and procedures to the boardroom?

The CISO should present their overall strategy and roadmap, but more importantly, how they arrived at that strategy. It is important to understand how that strategy represents inclusiveness across the broad range of enterprise executives and whether that strategy reflects the contextualization of cyber to business and financial risk. That should be the ultimate roll-up to the board—the understanding of the aggregate of cyber exposure relative to financial and business operational risk. Pare down to those risk categories that are most material for your business—for instance, intellectual property theft, data loss, ransomware, or business interruption. Then measure and demonstrate how effective your company culture is, your investments are, your deployment of technological hygiene is, and your cyber defenses are to address and reduce that risk to a reasonable level. That reasonable level is what we call the risk acceptance level. That ultimately should be driven by the Board of Directors and the C-suite.

This series of articles is provided courtesy of HKA Global, Inc. (HKA), one of the world’s leading privately owned, independent providers of consulting, expert, and advisory services for the construction, manufacturing, process, and technology industries. HKA’s global portfolio includes prestigious projects on every continent and in varied market sectors.

Christopher Hetner works closely with HKA to provide strategic advice on cybersecurity issues, but he is not an employee of HKA. The information provided in this series of articles represents the opinions only of Mr. Hetner, not of HKA, and is intended for general educational purposes only—it does not constitute legal, accounting, insurance, or other professional advice, and it should not be relied upon as the basis for any business decisions.

This publication presents the views, thoughts or opinions of the author and not necessarily those of HKA. Whilst we take every care to ensure the accuracy of this information at the time of publication, the content is not intended to deal with all aspects of the subject referred to, should not be relied upon and does not constitute advice of any kind. This publication is protected by copyright © 2021 HKA Global Ltd.