Just as important as Scholten's board updates are the active education and awareness programs he conducts. "We're really aggressive with respect to training and keeping people abreast of new trends. Questions from the board become better as a result."
Ideally, you should institutionalize a process for providing updates on threats and corporate risk assessments, whether to the audit committee specifically or the board as a whole, says Boyd.
Such updates could be presented via risk scorecards, heat maps, IT security dashboards or some other format, says Gleason. "There are a variety of ways to present it, but the goal is to communicate what the risk looks like holistically, and how it's changed since the last update," he explains.
Building trust amid uncertainty
Since Angelo gave his first cybersecurity presentation to the board in 2011, his interactions with directors have evolved. There were two zero-day exploits in the press in those early days. "It generated a ton of questions. My email would light up," he recalls. He found himself having to schedule meetings with board members and executives to discuss the incidents. "But that was fine," he explains. "Once I was able to explain that it had no impact on our architecture, the issue went away."
Fast-forward to this February's management committee meeting and the huge Anthem breach, and the difference is clear: He no longer gets sidelined by the latest headlines that ultimately have little to do with the state of security risk at K&L Gates. Committee members were certainly aware of the big breach, but they trusted that Angelo was on top of it and didn't interrupt his regular cybersecurity update at the meeting with questions or concerns. "A year ago, it would have dominated the discussion," Angelo says. But this time, he says, "I was able to stick to the facts."
Still, CIOs must have a realistic message because of the ever-evolving threats. "One thing I always close with--and they're probably tired of hearing me say this--is 'Things can change overnight.' You can go to bed feeling secure and wake up to an exploit that we're vulnerable to," Angelo says. "The bad guy only has to be right [once]. We have to be right all the time." The committee understands that, but members are confident in the company's security posture because of the transparent way he discusses security strategy with them.
"There is a growing persistent threat. Whether it's from state-sponsored attacks or organized crime, there are so many easy ways to monetize data to make it a profitable venture," says Boyd. "At the same time, the sky is not falling. We don't have major issues every day. The threat is more sophisticated, but so are our protection mechanisms."
Boyd says his regular communication with the Shale-Inland board makes that clear. "It works very well. And it's a mature way to present the issues and enable the board to become a partner in guiding what we want to do," he says. "Every IT person would like to say, 'Just trust me to put in place what we need.' We can't do it all, and we can't do it fast enough. We don't want to create a false sense of security."