The full partnership model between CISO and board: Full and frank security discussions are more than just a ‘nice to have’. The SEC has indicated it expects public companies with senior leadership to be transparent in how they assess and communicate cybersecurity risks. By extension, CISOs have an important role in communicating risks to senior leadership and the board. To provide strategic insights, CISOs need to avoid excessive technical detail and instead use consistent frameworks, risk registers, and resilience metrics.

At Liberty Mutual, cybersecurity is reported to the board both as a standalone topic and as part of broader technology strategy discussions. “There’s value in reporting to the full board so that all directors have some exposure to cyber trends and the health of the cybersecurity program,” says Liberty Mutual CISO Katie Jenkins.

Jenkins finds both approaches valuable: the standalone conversation narrows in on risks and mitigation strategies, while the integration into technology discussions demonstrates that security is not an isolated function. “Effective security outcomes depend on a cross-functional commitment across the organization,” she says. “When I present to the board, my goals are to educate on current trends and emerging threats, clarify risks, avoiding both underrepresentation and overrepresentation, and instill confidence that we allocate our resources effectively to align with those risks.”

Jenkins aims to develop a “dialogue over a monologue” to understand the board’s most pressing questions and tailor her presentation to provide greater clarity or incorporate relevant examples in line with their focus. To do so, Jenkins is guided by three principles in her presentations.

First, be clear about relating risks to business impact, to make the issues more tangible and relevant to board members. “When discussing incidents or risks, I connect them to their potential impact on business operations.”

Second, use demonstrations to show threats in action. This provides clarity and helps build trust, moving beyond “just trust me on this” to show real-time examples of our efforts. “In a recent board update, I used demos to show the ease of use of toolkits favored by adversaries and showcased the before-and-after effects of implementing specific security controls.”

Finally, Jenkins also makes a point of highlighting how security is a driver of innovation. “I emphasize how security enables innovation by providing guardrails, which serves as a nice complement to the more defensive aspects of our work.”

Shifting away from purely committee reporting isn’t just a tactical move. It reflects the growing need for CISOs to provide input into many business initiatives. Jenkins believes CISOs can offer valuable input into AI adoption, operational resilience, technology modernization, data and digital transformation, mergers and acquisitions, supplier and procurement strategies, and geopolitical risk management. “Our contributions extend beyond just cybersecurity incidents; we also play a vital role in enterprise risk management and crisis response,” she says.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3999922/get-out-of-the-audit-committee-why-cisos-need-dedicated-board-time.html