RSAC 2019: 5 Ways to Revive a Broken Board-CSO Relationship

Yes we can.

That was the gist of the message to the standing-room only ballroom who turned up at the RSA Conference to hear security expert Richard Clarke explain how to fix the often-fraught relationship that exists between chief security officers (CSOs) and their boards of directors.

It’s hardly a new topic. The lack of effective CSO-board communications and the resulting impact on enterprise security has been the subject of countless discussions at trade shows and industry conferences in the past. But there’s new urgency to get it right nowadays as companies more fully recognize the business threat posed by data breaches.

Against the backdrop of an increasingly dangerous threat landscape, boards of directors are more open to the idea that a nexus exists between cyber security and corporate governance. But getting from A to B sounds easy on paper. In practice, it’s made harder by the absence of a language that both sides can speak.

“I’ve been on boards and briefed boards and see it from both sides. "Boards don’t want words they don’t understand,” said Clarke, the CEO of Good Harbor Security Risk Management. Instead, they want numbers.

All too often, however, they wind up getting something completely different.

All too often, however, they wind up getting something completely different.

“We have a tendency within this business to sound a little geeky and use terms that board members are not going to understand,” said Clarke.

There were knowing nods from the audience when Clarke said that. But how to break that bad habit and reach a point where the board and the company’s top risk officer are on the same page? Clarke put forth a framework to serve as a reference guide. It comes with the unwieldy acronym MMGBE – short for Messaging, Metrics, Governance, Budget and Exercises.

Here’s how it breaks down:

• Messaging:  You’re going to be hard-pressed to find an electrical engineer on a company board and the fact is that most of these folks are not clued into goings-on in the cyber-security world. Clarke said that security executives shouldn’t assume that their boards know much about the big news events rocking the security world. This is where he suggests a regular series of emails and stories earmarked for the board. “Call it cyber news from me,” he joked. “It doesn’t require elaborate work or response…. It’s water torture – drip, drip, drip, drip, framing their perception of the world.”

• Metrics: When it comes to speaking the board’s language, Clarke says to save the jargon and replace it with measurable data. “Every board meeting that I’ve ever been in, it’s numbers, numbers. They want metrics,” he said. He added that the key is to provide metrics that you can improve upon. So stay away from charts at the beginning of the budgetary process talking about how everything is fine. “We all have a tendency to say, `I get all A’s.’ It’s better to go in with a set of metrics that shows there’s work to be done. And in the course of the next 2 or 3 years, you can show milestones and justify your budget,” he said.

• Governance: Clarke elicited laughter when he asked whether there’s anyone on the board who really cares about cyber. (Actually, he used a saltier term but you get the drift.) That’s why he said the security side needs a champion on the board. Ideally, he said, that’s going to be somebody who is already serving. If not, make an argument that the board add someone to their ranks who is indeed cyber-literate. That would allow security execs to cultivate a closer relationship where they would also brief them more frequently than they might with the rest of the board.

At the same time, the CSO shouldn’t remain in a subservient role reporting to the CIO, according to Clarke, who called that arrangement “a rotten idea” as well as a conflict of interest. “The CIO has a different set of priorities: To make things easy and keep uptime going or to bring in that new digital experience or app and not worry about security before they put it online.” The security chief’s responsibility is, well, security. That’s why Clarke recommended a line to the general counsel as well as the right to appeal to the board in case there’s a looming problem that’s flashing red.

“It reminds me of a story I hear about the Space Shuttle explosion,” Clarke recalled. “There was a guy who said, `Stop don’t do the launch.’ But he was ignored. So, they did the launch and everyone got killed. One of the rules that NASA later adopted was that anyone on the launch team - right up to zero liftoff - can stop a launch. It might cost tens of millions of dollars and you don’t want to do that unless you’re damned sure you should.” He said the same authority should extend to security. “If you haven’t secured it, as part of governance, then you need authority to stop the launch until the CEO, and perhaps the board, get to review the risk,” he added.

• Budget: Budget leads back to metrics. Clarke said the security lead should come up with a road map so that the board is signed up to funding the plan. At a minimum, push for a 3-year funding plan so that there’s a multi-year plan backed by a multi-year budget.  

• Exercises: Lastly, conduct regular security exercises and involve the board to watch the emergency plan in action. The reason for exercises is so that when there’s a real crisis, everyone knows their role. The slogan Clarke uses is don’t let your big crisis be the first one that happens. Besides, this isn’t a crisis. It’s a simulation that can later serve as an educational tool. “It’s valuable for C-level people to learn what they don’t know,” said Clarke, who also served as a senior security official in the Obama and the second Bush administrations. He drew a parallel with the crisis planning that went on before the worst-ever attack on the homeland on 9/11. Clarke said the government continued to function despite the chaos of that day because each individual department had already done their own emergency planning drills and knew how to react. All the more reason to port that lesson over to the private sector and let board members watch what happens during a simulated cyber crisis. The experience, he said, would “be invaluable.”