Many boards still wrongly believe overseeing cybersecurity is different from managing other risks, says the chief information security officer (CISO) of Google Cloud — and infosec pros are partly to blame.
“There’s a little bit of fear that cyber is a dark mysterious art that is difficult to manage,” Phil Venables told Mandiant’s mWise cybersecurity conference in Washington, D.C. on Tuesday. Mandiant is a division of Google Cloud.
The fault, he added, lies in part with security teams who underestimate the ability of boards to understand what they’re talking about.
“Expect more of the boards in understanding these risks,” he said. “There’s a little bit of a tone in the industry … that we need to somehow dumb down communications with the board. That is actually doing the board a disservice. Most boards in most industries have tremendous depth of expertise, whether it’s doctors and practitioners on health care boards, or specialists in financial risks on bank boards — the list could go on. There’s no reason why today’s modern digital business shouldn’t have a plethora of not just cyber experts, but digital business and technology experts on the board to be able to provide oversight.”
For their part, boards should have a higher expectation of not only security leadership but technology leadership, Venables said. “The board should be asking the CIO or a CTO, ‘Do you have all your software under control? Is it in one controllable place? Is it continuously integrated, deployed and tested? Is it under constant management? Do you understand the software supply chain dependencies of your entire digital asset base?’”
Some infosec pros think that’s too much detail for a board. But, Venables said, “imagine a board talking to the chief financial officer and asking, ‘Do we have all our accounts under control? Is the ledger in one place? Is the cash flow reconciled every day? Do we understand our entire financial position?’ The CFO would be fired for answering ‘Well, that’s a bit difficult, I’m not entirely sure. There are lots of different places where the finances are ….’”
Boards, Venables said, should be asking CISOs questions like this:
– what are your most critical assets and services?
– what are the risks facing them?
– what are the security controls that will mitigate those risks?
– are those controls continually effective?
– what are the residual risks and who in the organization has deemed those residual risks acceptable?
– and what is the end-to-end process that constantly validates that the organization is identifying and staying on top of the risks?
“In that whole paragraph I never used the words ‘technology,’ ‘cyber,’ ‘information security,’” Venables stressed.
That’s because the approach behind those questions is the same as the one boards use to manage business, strategic, and financial risks.
“The more boards get used to that — and especially the more their security teams can answer that question in a coherent way –” the better, he said.
“If a lot of organizations are honest, they’re not doing a good job of answering those [cybersecurity] questions,” he added. “And the boards are not doing a great job of holding the security, technology, and risk teams accountable for answering those questions.”