“You can go and have the most secure home. But if you go back and you have trouble getting in every day, then what’s the point?”
Governance, Risk, and Compliance (GRC) and security are on the agenda of the board of directors’ meetings for every public company. Learn key lessons from ServiceNow’s CISO Ben de Bont on successfully reporting to the board.
This also relates to one of ADAPT’s 12 Core Competencies, Align the CEO and Board, which discusses this topic at length.
The Five Stages of Cybersecurity Reporting
The crisis stage – Notification of breach from the internal security team as a result of internal compliance failure and failure to be externally certified.
The reactive stage – Preparation for trending security issues across your industry.
The pre-emptive stage – Security, as a regular agenda item to address data classification or governance, phishing, vulnerability metrics, and identity management.
The proactive stage – Considering potential threats, building internal teams to hack yourselves, having a third-party assess your environment, making detailed competitive assessments to show the board your position amongst competitors in cybersecurity.
The North Star – When you see competitors get attacked, you know you would be prepared for the same and could confidently say in front of a government inquiry that you did everything you reasonably could to protect your customers’ privacy.
Detect, Respond, Recover
Recent events such as the Capital One breach mean that regulatory scrutiny has been passed on from financial institutions to all organisations, so pipe metrics from your vulnerability tools, incident response products, your GIC, and risk registry into your reporting. Another effective, common method is to use the NIST Cybersecurity Framework to communicate your measures to the board, structured around its five functions: identifying, protecting, detecting, responding, and recovering from complex cybersecurity threats.
Reporting back to the board
Consistently report to your stakeholders and find a regular way to communicate how you understand the current and future threat landscape and are prepared to manage potential risks to the organisation’s reputation. You must balance security with scalability, availability, and usability to align your stakeholders.
- You have reached the most proactive level of cybersecurity reporting when you are confident you would be prepared for the attacks your peers are suffering.
- Security must be balanced with scalability, availability, and usability.
- Consistently gather stakeholders and communicate how you’re managing and preparing for the complex threat landscape.
ADAPT Research and Advisory clients can access the full keynote video of Ben de Bont’s presentation. Visit our page to learn more and gain access to hundreds of keynote videos from our Edge events.