7 expert-backed strategies to bridge the gap between boards and cyber leaders

Corporate boards and chief information security officers have never been great at speaking the same language—but it’s more important than ever for businesses to avoid making major data security mistakes.

The SEC recently enacted a new rule requiring that companies disclose material cybersecurity incidents within four days of the event, and include details about a company’s framework for managing cybersecurity risks in their annual reports. That means boards are motivated to ensure that breaches are rare and that a company is managing its digital infrastructure with the right people, resources, and systems.

So, what should board members expect from their chief information security officers (CISOs) when they’re reporting on cyber risks? And how should board members act towards their CISOs in turn? Diligent, the governance software provider, convened a panel of experts to discuss best practices in cyber reporting during its recent Modern Governance Summit. Here are the top takeaways from that session:

—CISOs should be thinking about the specific information the board needs to know. Boards have a handful of key duties, including monitoring possible future risks to a company, ensuring that capital is allocated properly, and overseeing a company’s long-term strategy. CISOs must know how to tailor their presentation to the board’s specific needs. “It is the job of all the operating executives to figure out and synthesize what’s important, what boards need to know to be able to do their jobs effectively,” said panelist Shelley Leibowitz, a board member at Bitsight, a cybersecurity firm, and Morgan Stanley, and former CIO of the World Bank Group

—Neither boards nor CISOs should assume that zero risk is the right amount of risk. In fact, a CISO who reports that a company faces no risk of a cyber attack would look suspicious, said Leibowitz. Thinking about risk that way is also plain wrong, said Walt Powell, field CISO at CDW, an information technology and services company. “If you think about an entrepreneur, you’re risking money to make money. That’s the whole point of being in business,” he said. One of the first questions boards and cyber teams need to answer together is “What is the right amount of risk for us?”

— CISOs should create measurable metrics for risk. Most companies compare their performance against their competitors and create “key performance indicators,” or KPIs. CISOs can speak the board’s language by converting cyber-related KPIs into “key risk indicators,” or KRIs, according to Powell. “You just throw some quantification against it and, boom, you’re off to the races.”

— Boards should ask CISOs for third-party assessments of a company’s digital security situation. “As a board member, I assume you’re all A-players doing your jobs, and I know that you are doing the very best job in protecting our organization against risks and threats—with confirmation bias,” said Leibowitz, speaking to hypothetical CISOs. “It’s not a criticism, it is not a value judgment,” she added. “I want an outside view.”

— CISOs need to know that sharing the general cyber threat landscape at an annual board meeting is not the best use of the board’s time. Telling boards about what’s happening in the world of cybersecurity means “you’re telling boards the wrong story,” said Powell. Boards want to know about the risks to their business. It might be that you’re not spending enough to reduce the risk of a cyber breach or you need to reduce costs for IT, he added.

— Boards should assess whether their CISO has the company’s entire software process in view. “The most significant leading indicator of great cybersecurity in organizations is how well they have all of their software production process under control,” said Phil Venables, CISO at Google Cloud. “The percentage of an organization’s software that is built and deployed in a repeatable, fast, high-assurance process is clearly important for security, but also for agility and productivity, reliability, a whole array of other things,” he added.

In his experience, very few companies are anywhere close to having a full view of their software production in one location, and some IT leaders have even questioned whether such accounting is necessary. However, Venables said that if a CFO were to say that a company’s financial records were scattered here and there across the company, “You’d think you need a new CFO.”

—Take your CISO out to dinner. While it’s not crucial to have a cyber expert on the board (most boards don’t, according to a new report by Diligent and the venture capital firm NightDragon), director education is essential, the panel said. Cyber lessons might happen in meetings, or directors might take courses, or the learning can happen informally. Indeed, Venables encourages CISOs and board members to plan one-to-one dinners, so that directors can ask basic technical questions without any risk of looking ignorant in front of their peers.

Lila MacLellan
lila.maclellan@fortune.com
@lilamaclellan

Noted

“We're moving into a business environment that's going to be extremely unpredictable for the next 10 or 15 years—due to politics, due to climate change, due to the changes in generational expectations. To cope with that kind of environment, you have to have a long view. You have to have some kind of long-term perspective related to your company's strengths and its purpose, or you'll just be changing your tune every three months.”

—Vincent Stanley, director of Patagonia philosophy at the retailer, spoke to Fortune about why boards should insist companies have a “well-established, agreed upon, written down, culturally recognized sense of purpose” as a “keel” to help steady the business. Stanley elaborates on this topic and the future of stakeholder capitalism, in a new book, The Future of the Responsible Company.

On the Agenda

👓: The latest Gender Diversity Index by the advocacy group 50/50 Women on Boards finds that women hold 29% of board seats among Russell 3000 companies, and women of color hold only 7%. Overall the pace of progress toward gender parity has slowed.

📹: Can you fire a “boardzilla” director without their cooperation? On The Startup Solution podcast, Heidi Roizen, a partner at Threshold Ventures, explains what’s technically doable and politically viable when a private company board member becomes an irritant.

📖: In a new briefing, attorneys at Skadden, Arps, Slate, Meagher & Flom outline why new stringent EU disclosure rules on ESG topics might lead to a trail of lawsuits on this side of the Atlantic. “The granular information required by the EU could feed litigation in the U.S. if the disclosures appear false or misleading, or are inconsistent with disclosures in other jurisdictions,” they write.

In Brief

 — Does a CEO’s age matter? It’s a complicated and awkward question to answer, but some experts say no, including Jim Citrin, head of Spencer Stuart’s North American CEO practice. Rather than consider a CEO’s age during succession planning, he suggests boards look at factors like “passion, energy level, health, vitality, adaptability, motivation."

—The CEO of Ikea tells Fortune that building products with a longer lifespan and discouraging excessive consumerism is the only realistic route to meeting climate goals. He also explains why the global furniture company extended its sustainability lens to its food menu, adding plant-based hot dogs. 

— Boards in every sector need to get serious about AI governance ASAP. Consider this: A new startup that uses bots to write corporate content just raised $100 million.  

— Lachlan Murdoch, now the sole chair of Fox Corp, waited one day after his father Rupert Murdoch retired from the company to make board changes. Tony Abbott, a former prime minister of Australia, and Peggy Johnson, CEO of Magic Leap, were named as new board nominees, while two board members will not stand for reelection, including Anne Dias, who had voiced concerns over Fox News coverage of former president Donald Trump following the January 6 insurrection.  

The Long Read

Over the past few years, companies have encouraged employees to bring their full selves to work, so that no one would feel the need to play down racial, gender, LGBTQ+, or other identities that make them unique. Now, the same movement is increasingly drawing workers of varying religious faiths who choose to be “out” at work, the New York Times reports. Simran Jeet Singh, executive director of the Religion & Society Program at the Aspen Institute told the paper, “It’s almost like, here’s a way for people of faith to say, ‘Think about us too.’”

Companies now need to be prepared for the conversations and possible frictions sparked by the trend, the paper reports. Singh says that workers “have real issues that they’ll be bringing to the table, and you have to be ready to address them.”