Cyber Board Briefings: What Makes The Great Ones, Great
Cyber board briefings are vital for effective cyber governance and cyber risk oversight. Learn about the expectations you should have for your cyber board briefings.
What makes a great cyber board briefing great, and why should you care? If you’ve ever wondered what a great cyber board briefing presentation should look like, this is for you. First, why have a cyber board briefing at all? Does it make sense for every organization, and for your organization? Should you hold the briefing for the full board or just for the committee charged with cyber risk?
It depends. If it’s a briefing focused on specific cyber plans or goals, the full board may not be needed, but if it’s a broader strategic discussion of cyber and its business implications, then the full board will provide additional value and context. The organization’s risk profile also matters in determining the degree of engagement and commitment required.
Once you’ve established why a cyber board briefing makes sense for you and your organization then it’s beneficial to get a sense of what great looks and feels like and why.
The elements and insights of great cyber board briefings are discussed under three categories: board leadership (commitment), the right focus (clarity about the outcome or objective), and board engagement.
This article is the first in a series of three designed to equip board directors with three distinct, meaningful and actionable insights:
Compliance is crucially important but it can produce a false sense of trust.
Compliance without commitment (to the underlying intent) can have compounded second-order implications.
Compliance and commitment together offer a better strategic approach than compliance alone.
In this article, we focus on the first. The primary objective is to help directors avoid the common pitfall of focusing on compliance (in this case the SEC cyber rules) while inadvertently neglecting the required commitment to the underlying intent and to stakeholder trust. Ultimately, our hope is that these insights will inform intentional actions that increase the effectiveness of cyber risk oversight.
1. Board Leadership
The role of the board’s leadership is important for effective board briefings in general, but it is especially vital for cyber board briefings: without true commitment from the board chair, lead independent director and CEO, cyber briefings will not be given the time they deserve. True commitment from board leadership derives from a real, heartfelt understanding of the business implications and impacts of cyber risk. Leaders in these roles should have a real appreciation for how cyber incidents are tied to the financials and brand of the organization. They should have a keen awareness that data breaches are in fact predictable surprises and should be prioritized accordingly.
If a board chair simply understands that cyber is important because others say it is, that is a low level of commitment. If they know that data breaches are bad because of unfavorable headlines, that is a basic level of understanding and is not sufficient for them to develop the true commitment we are referring to.
The board chair and CEO should have spent enough time with their cyber chief, or have felt the heartache of cyber intrusions, to fully appreciate the complexity of the adaptive challenge of cyber risk oversight and management. Some questions to ask to determine board leadership commitment include:
How often does the board chair, lead director and/or CEO request an outside cyber board briefing for the full board? Such a briefing can give the board an external perspective on current and emerging risks and inform the board of actionable, strategic levers to consider as it exercises its oversight responsibilities. If and when such briefing requests are made, we suggest you explicitly specify that a board-level perspective be maintained in the delivery, and take the time to explain what “board level perspective” means to you, to avoid getting a briefing that is either too technical (in the weeds) or irrelevant to your organization. Briefings from multiple sources over time will provide a more comprehensive view of the elements involved. Some of the sources to consider include:
FBI or other Federal law enforcement entities (e.g. Secret Service)
Legal Firms
Independent Consultants and Consulting firms
Security vendors, service providers and cloud providers
PR firms that have a cyber practice or have dealt with cyber incidents
Insurance organizations
How often does the CEO talk about the cyber risk challenges and related mitigations in public or even internally within the organization?
2. The Right Focus
The right focus helps make the most of directors’ time, which is in very short supply. Directors are often dealing with crucial decisions on a variety of topics, ranging from capital allocation to geographical expansion, M&A and divestitures. Today a typical management cyber presentation to the board doesn’t maximize the board’s time: it basically attempts to inform the board of risk-mitigating activities and their results and effectiveness.
For example: we run phishing simulations and 85% of our employees don’t click on malicious phishing links, and those who do (15%) are directed to attend more training. Or: we conducted x number of third-party risk assessments with no material findings, or our penetration testing exercise uncovered x number of vulnerabilities that we’re working to remediate. These are all good data points to be aware of, and these functions within a cyber program are definitely required, but we believe this approach lacks the clarity and context that would be most effective and time-efficient for the board.
We therefore encourage board directors to guide and coach management to consider alternative approaches. One of these, outlined below, is adapted from Ram Charan, the world-renowned corporate governance expert and author.
Clearly articulate what the issue or objective is, for example a current or future decision. Also clearly define the expectation of the board: what is, or will be, the ask? Is it a board decision or not?
Provide relevant context surrounding the issue or objective, relevant in terms of business implications that board members can relate to.
Outline the potential solution options and alternative actions that management has analyzed and considered.
Share your recommendation and point of view on the way forward.
Invite discussion and alternative viewpoints, and encourage engagement.
Reframing the presentation using the approach above will, we believe, make the most of directors’ time and is more effective than a read-out of cyber program functions. Updates from the cyber functions can be integrated into it or, better still, provided to directors ahead of the board meeting.
Board directors sometimes, actually often, ask us whether the cyber update given by the cyber chief (CISO/CIO) or the respective leader was a good or great one. Generally speaking, the update they’re referring to is a 15-20 minute presentation covering some key risk indicators or risk numbers (e.g. phishing rates, patching, vulnerabilities), updates on large security projects and/or “material” incidents. At the end of the presentation, or perhaps during it, the one board member with a cyber background asks a couple of questions or decides to go into the weeds about why a particular security project is delayed, while the rest of the board (out of respect) waits impatiently to move on to more pressing items on the agenda. This is characteristic of a typical cyber board briefing update, and we don’t consider it a great or even good briefing because it lacks the key ingredients of great briefings and of the effective cyber oversight that results from them.
A great briefing looks quite different. This is why you should care about great briefings and about how to create one on a regular basis (at least quarterly for organizations with a medium-to-high risk profile).
There are three foundational elements of a great board briefing on cyber risk. These assume you’re already committed to cyber and have board members who are actively engaged in their governance and oversight roles.
A - Engagement: A great briefing has an unmistakable energy of engagement displayed by a majority of board members. You can feel the progress in the boardroom. Discussions, though cyber focused, inevitably connect with critical elements of the business strategy, and this is why even directors without cyber expertise can engage passionately in the discussion. For example, a cyber briefing could discuss the primary risk of business disruption by bad actors and its impact on the business, not just that the cyber team stopped a certain number of ransomware attempts.
Or it could be the talent conversation: attracting and retaining cyber talent, which naturally evolves into touchpoints with culture, employee engagement, compensation and so on.
A great briefing connects the dots, and this is reflected in the engagement from board members. To create this level of engagement, three things are needed:
a - Effective communication
b - Cyber expertise
c - Relationships
Decisions: Is it possible to have good board engagement and ineffective cyber oversight? Yes.
Ultimately, strategic decisions about risk mitigation investments and potential opportunities must be made for cyber oversight to be effective. These typically take the form of proactive measures to reduce risk, and potentially explore how to leverage such investments to elevate the brand or increase value to clients, customers and consumers. Some of these decisions may involve staying ahead of new cyber regulation and crisis preparedness. Whatever the form, these decisions are made by the board, effectively and decisively.
There is a clear understanding and awareness of the implications of these decisions for the business and all relevant stakeholders. These decisions are not reactive but proactive: they anticipate where the business is going and the associated risk velocity of the business. To create and allow for effective strategic decisions, here is what’s required:
Business strategy and vision: You can’t mitigate risk that doesn’t align with where the business is going. Well, you can, but it’s not effective.
Courage to challenge other perspectives, including the effectiveness of existing investments. This courage is encouraged by establishing a safe zone, that is, psychological safety. Multiple perspectives help.
3. Board Engagement
What does a high level of engagement look like? A low level of engagement looks like the board session described earlier in this article. Once you have board leadership and the right focus, you have the foundation for having and sustaining a high level of engagement during a board briefing, but it doesn’t happen automatically or without being intentional about it.
High levels of engagement on cyber create a high level of effectiveness in the board room. The ingredients (in our view) of great board engagement include:
Digital & Cyber Expertise
Effective Communication
Good Relationships with Management
Digital & Cyber Expertise - Board members should be deliberate about increasing their knowledge and expertise in digital and cyber risk and security. This begins with intellectual curiosity about the benefits and risks of digital capabilities. Many board directors are naturally curious about a lot of topics, and cyber and digital should be no different. There is often some trepidation and anxiety among directors who believe they’re not tech savvy and are intimidated by the technology. But this should not be an excuse to resign or to neglect the effort required to be at least curious about the benefits and to have a basic understanding of the implications. The goal is not to be an expert but to be able to carry on a meaningful conversation (at a dinner party if need be). We believe this can be done, and it can also be incredibly effective and fun for directors.
There are several ways to acquire expertise, ranging from independent reading of cyber articles in board-focused publications (such as the NACD, Directors and Boards, PDA, etc.) to more formal training courses such as the MIT courses. But where to begin? We suggest hosting a board learning clinic focused on cyber and on the organization’s cyber risks and challenges. This allows board directors to learn through meaningful stories and to experience the learning collectively as a board. In this group format (in person, preferably, for the first one), questions from one director will trigger thoughts from others and build on each other’s understanding. It can also be directed at the organization’s own struggles to provide context.
Effective Communication - The next ingredient is effective communication, which is mostly listening and asking questions. There is a tendency for some board directors, ourselves included, to want to speak instead of listen. Instead of listening intently with our ears, eyes, heads and hearts, we focus on our point and what we want to say. But listening is what’s really needed for high levels of engagement. Humble inquiry is the frame of mind that should be employed here. For example, management or the cyber chief shares with the board that a third-party partner had a cyber incident, that some of the organization’s customers and suppliers may have been impacted, but that the organization itself was not impacted and hasn’t suffered any material attack or data breach.
At first glance, it seems there is no major action for the organization or the board, other than ensuring the organization is not vulnerable to the same thing that was the source of the incident at the third party. Some questions to ask here include:
If customers are impacted, does our cyber insurance policy cover these types of incidents and related remediation efforts that may be required?
What proactive steps can the organization take?
How does this incident potentially affect our brand or product launch?
Management Relationships - The last ingredient is to cultivate a good relationship with the cyber/digital chief. This is important for two main reasons. First, it provides a baseline for asking tough questions in the boardroom without the cyber/digital chief thinking and feeling they’ve been unfairly targeted or mistreated. When management officers know that board directors care about them and are genuinely interested in their success as well as the success of the organization, it makes a difference. Management wants the board to be engaged, and they’d like to receive the benefit of an outside view and independent perspectives. Without such relationships, the psychological safety required in the boardroom to engage actively and proactively is limited at best.
Second, this relationship also provides learning for the directors, which in turn increases their confidence in dealing with digital and cyber topics and the value they can add to the organization. How to cultivate these relationships? There are several ways to do this, including:
X, Y and Z
But we recommend a simple, informal method: a one-on-one lunch.
In summary, here are the principles and practices that increase the odds in your favor if you want effective cyber board briefings:
Board leadership commitment: the board chair, lead independent director and CEO have a real understanding of how cyber risk ties to the financials and brand, treat data breaches as predictable surprises, and regularly request outside briefings from multiple sources.
The right focus: management frames the briefing around the issue or objective, the ask of the board, the business context, the options considered, a recommendation, and an invitation to discuss, with routine program updates provided ahead of the meeting.
Board engagement: directors build digital and cyber expertise, practice effective communication and humble inquiry, and cultivate good relationships with the cyber/digital chief.
Decisions: the board makes proactive strategic decisions on risk mitigation investments that align with the business strategy, with the courage to challenge other perspectives and existing investments.
This is what makes great briefings, great!