Speaking at the Gartner Security and Risk Management Summit in London, Gartner director analyst Sam Olyaei said that the topic of “questions on security and risk that you must be prepared to answer at your board meetings” was one of the most popular subjects.
He said that the company was getting around 100 enquires a year seven years ago on this subject, and now that number is over 700 a year. Pointing at Gartner research from 2016, which said that by 2020 “100% of large enterprises will be asked to report to their boards of directors on cybersecurity at least annually,” he said that we’re getting close to that number, as 2018 research showed that 91% of billion dollar companies had briefed the board on their cybersecurity program at least once in the last year.
Olyaei said that this shows the “cultural disconnect between security and the business” and that the business has “expectations for security and risk that we cannot manage.” Olyaei added that it is not enough to say that we are creating an impact, but security practitioners have to show evidence, data and examples of what they are doing.
Olyaei argued that most security leaders feel that the board is monitoring risk, and feel that the board understands the risks and monitors them on a regular basis, “but we find most board members are not that confident in their security leaders to manage risks on their behalf.”
He said: “We feel that in a couple of years, your performance as security and risk leaders will be on demonstrating value at enterprise risk level.” This is because the board care about three things:
- Revenue/mission and operating income
- Future cost avoidance and immediate decrease in operating expenses
- Risk, including regulatory and compliance, especially brand and reputation
“Most board questions are based on the maturity of the organization,” he said, explaining that a new board will be unfamiliar with compliance requirements, and ask “trade off questions” that security practitioners “would call stupid questions.” The questions are as follows:
The trade off – Questions like “are we secure?” and “can we prevent this from happening?”
The risk – What is an appropriate risk? accounts for 80% of questions, Olyaei said. Boards also want to know what keeps security practitioners up at night.
The performance – Boards want to know about return on investment and see benchmarks, and want to know what other companies are doing, spending and how many staff they have.
The threat landscape – “A lot of board members listen to webcasts and sit on other boards, and ask about an incident at company X, or an increase in ransomware attacks, and a lot of the time the board wants to ask legitimate questions as they are concerned about threats,” he said.
The incident – Olyaei said that security has moved to a phase of “if, rather than when,” and security practitioners should be prepared to talk and answer at board level about issues around security incidents. “When an incident happens, the first action of a board member is to panic,” he said. “Provide details on impact and keep at a point where you don’t dwell on the past.”
Olyaei concluded by saying that there will likely be more questions in the future, and encouraged delegates to know the make up of the board and any security leaders involved. He said that the typical “wave” of questions are as follows:
- Why is security so expensive?
- Are we secure and compliant?
- Why can’t security move faster?
- Why can’t we have competitive advantage from security?
- Why can’t we be a digital company?