Engaging Your Board on Cyber Security: Three Models

As cyber threats to organizations both large and small grow in volume and sophistication, many boards of directors are now looking at how an organization protects its most critical assets. Throughout October, Woodruff Sawyer is joining up with the National Cyber Security Alliance to spread the latest news and best practices for personal and workplace cyber security.

According to a BDO Cyber Governance survey in 2018, 72% of corporate board members say that their boards are more involved with cyber security now than they were 12 months ago. While this statistic is a step in the right direction for board governance, we also believe that making the most of cyber security updates at the board level is key to good governance. A board update on cyber security should include three key characteristics:

• Cadence
• Consistency
• Common language

Cadence

Cyber security has broad impacts on all aspects of a companies' operations and reputation, and as such requires proper board oversight. Updates from a cyber-security-focused executive, such as the Chief Information Security Officer (CISO), to the entire board of directors on cyber security should occur at least annually, if not more often. If a specific sub-committee is responsible for cyber security, updates can often occur on a quarterly basis. The specific cadence will vary by organization depending on their risk profile and the maturity of their cyber security program, but the key feature is that the updates are given priority by the board at regular intervals.

Consistency

Once an appropriate cadence to cyber security updates is established for your organization, creating consistency in the updates is the next key feature. Consistency in your cadence, consistency in your metrics, and consistency in your messaging are key to organizing a discussion with the board. Identify metrics that work for your organization and use those metrics consistently to tell your cyber security narrative through consistent dashboards which can show progress in your cyber security maturity.

Common Language

One of the keys to engaging with your board of directors is ensuring that you are speaking the same language. Many times, chief information security officers come from a technical background, and their natural inclination is to speak in technical jargon and acronyms. Unfortunately, many directors do not share the same technical background, leading to situations where limited time in front of the board is spent trying to educate on very complex technical issues. Soon, your board cyber security update session is off track.

To ensure that you're speaking the same language as your board of directors, try setting the stage by using a cyber maturity model as your reference point. A cyber maturity models is a useful tool to provide varying levels of detail depending on your audience. A good cyber maturity model will include multiple levels of detail, allowing a CISO to speak at a high level with their board, a moderately detailed level with their executive team, and a highly detailed level with their technical team.

Three Cyber Maturity Model Options

It is hard to know where to begin when looking into different cyber maturity models. Here are three that provide a good view into your cybersecurity maturity.

1. NIST Cybersecurity Framework

The NIST Cybersecurity Framework was originally developed in 2014, and most recently updated in 2018, by the National Institute of Standards and Technology (NIST) in response to a presidential directive to secure critical infrastructure in the United States. It has evolved as a voluntary framework to help organizations assess and manage cyber risk across their enterprise. The NIST Cybersecurity Framework contains multiple levels of detail which allow for cyber security conversations to happen with various parties concerned about cyber security.

The Framework consists of five main functions: identify, protect, detect, respond, and recover. These five main functions serve to provide very high-level, strategic views on cyber resiliency across an organization. From these five main functions, the Framework lays out 23 categories which go into more detail on specific areas of focus to ensure each Function is addressed, as well as 108 sub-categories which provide very specific outcomes to be achieved in an organization's cyber security program.

From the framework core identified above, there are also framework profiles and implementation tiers. Framework profiles allow an organization to identify the current state of their cyber security program and aspirational future states. Each profile allows an organization to customize the Framework to their organization and prioritize which outcomes are important to their company. The implementation tiers are used to assess an organization's risk management practices over a range, from partial (tier 1) to adaptive (tier 4).

2. Cybersecurity Capability Maturity Model (C2M2)

Originated by the US Department of Energy, the C2M2 program is designed to help organizations improve their cyber security resiliency through a voluntary evaluation process against effective cyber security controls. Notably, the C2M2 model is focused on controls around both Information Technology (IT) as well as Operational Technology (OT). The model is designed as a view of cyber security practices across 10 key domains that contribute to the overall cybersecurity posture of an organization.

There are three distinct versions of the C2M2 program: a generic version for all organizations, a version for the electricity subsector, and a version for the oil and natural gas subsector which include additional reference materials and sector-specific implementation guidance.

3. Center for Internet Security (CIS) Top 20 Controls

The Center for Internet Security (CIS) top 20 controls are similar in nature to the NIST Cybersecurity Framework in that they have three distinct levels which allow for greater communication across multiple stakeholders in any organization. The Top 20 controls are broken into controls considered basic, foundational, and organizational. The controls follow a prioritized set of actions to help organizations protect their networks and data from known attack vectors, and are often used as a means of implementing other frameworks such as the NIST Cybersecurity Framework.

Boards of directors often have many competing interests for their time and a seemingly unlimited number of initiatives which require board discussion and oversight. By aligning with the board on the cadence of updates, using consistent metrics and dashboards to organize the discussion, and communicating in the same language, executives can put their organization in a much better position to engage the board of directors in proactive ways around cyber security.