"Boards need education first and foremost to get them up to speed on the critical issues: What lexicon they should use, where they need to spend money, when they need to buy insurance," says Gleason of the NACD. "They need fulsome reporting to get their hands around it because it's not something they manage every day."
In 2011, K&L Gates chairman and managing partner Peter Kalis worried that the law firm--which has access to the corporate secrets of thousands of companies--could be the weakest link in his clients' cybersecurity frameworks. "He came to the conclusion that we were as big a target as anyone else," says Angelo, whom Kalis hired for his IT security skills.
The first time he stood before the management committee, Angelo delivered his high-level definition of risk: In order to have a risk, you need to have not only a vulnerability but also a threat that corresponds to that vulnerability. "As an organization, you're going to be managing thousands of vulnerabilities every day. But they're passive," says Angelo. "A vulnerability is like a piece of dynamite. You can kick it around. You can throw it. But without a wick and someone to light it, it's not going to go off. I wanted them to focus on what the true threats are."
That's where Angelo's background in intelligence came in. He started thinking about the types of people who might be interested in the data the law firm had access to, how they might try to get it, and how best to protect against their attempted break-ins. "That's an easier pitch. Then you know where to spend your money," says Angelo. "That there is the secret sauce."
To stay on top of potential threats, Angelo digests a steady stream of third-party research on the changing security landscape. "It used to be difficult to get that kind of information, but it's becoming much more readily available," he says.
The business of risk
"Cybersecurity is not an IT issue. It's a business issue," says Lloyd Boyd, CIO of Shale-Inland Holdings, an industrial supplier of pipe, valves and fittings. "In our business, we're not dealing with consumer data or health information, but we know that an attack has the potential to impact business operations. And my board wants to know what that risk is and how we're managing it," he says.
But while the board has become aware of the importance of cybersecurity in recent years, directors don't deal with it every day like Boyd does. "They don't know what they need to know," says Boyd. "It's important for us as CIOs to effectively communicate these issues in practical terms. We're going to be a victim at some point, and we need to be prepared."
To garner board support for making the necessary preparations, Boyd applies the "human action model" developed by Austrian economist and philosopher Ludwig von Mises for instigating change: Create uneasiness with the current situation, deliver a clear vision of a better way, and create a safe path forward. "To get the board interested, you have to make it clear why they should be interested," he says.
"Security should be about protecting your current ability to earn and retain revenue, and reducing the risk for new business in the future," says Turpin. "A lot of times, it's seen as a subset of IT, but in reality it's about business risk management."
Gleason agrees. Cybersecurity, he says, "has to be seen by the board as part of the enterprise risk structure the company must address."
At Principal Financial Group, the board knows that incidents are going to happen. "The bottom line is that they want a sense of whether we're taking prudent steps to manage that risk," says Scholten. Is the defense-in-depth approach working? Has monitoring proved effective? Is the company capable of responding to incidents? Scholten doesn't just provide IT's own assessment of Principal's cybersecurity posture; he also brings in third parties to evaluate the state of security.
Getting real about cybersecurity
Chances are most board members have heard the attention-getting cliche that there are two types of companies: those that have been breached and those that don't yet know they've been breached. "It scares the pants off of them," says Gleason. "But then they're scratching their heads thinking, 'So, all right... we're somewhat protected? What does that mean?'"