To Tame Risk, Strengthen the Board-CISO Relationship

By Reaa Chadha

03/11/2020

Topics: Cyber Risk, Chief Information Security Officer, Board-Management Relations, Online Article

“Today, every CEO—whether they like it or not—is a technology CEO,” said Bob Kress, a managing director at Accenture Security, where he is the co-chief operating officer and global lead for quality and risk. “I can’t name a single business process that isn’t underpinned by technology or being disrupted by technology to deliver different services in a different way.

As you think about your roles as board members, are you helping the C-suite identify that sweet spot of being aggressive enough in leveraging technology to re-engineer operating models while also understanding the risk associated with that and the underlying capabilities in the organization? If you get too far on either end of the spectrum, you’re putting the organization at risk.”

These comments launched a roundtable discussion on emerging technologies and new threats in cybersecurity, hosted by NACD in partnership with Accenture. Led by Kress and Vikram Desai, managing director and products lead at Accenture Security, the directors who assembled at New York’s Harvard Club last week had the opportunity to pose questions—and share their own experiences—about how boards can best approach the risks and opportunities presented by technology.

Within an organization, the executive most likely to understand technology risk is the chief information security officer (CISO). Because the CISO should be deeply rooted in the company’s information technology (IT) function, and be responsible for putting processes and policies in place to mitigate top cybersecurity risks, a natural tension may arise between this person and anyone looking to introduce new, potentially disruptive forms of technology due to differences in risk appetites. “As both an investor and a board member in financial services, [I’ve encountered] fintechs that say, ‘Please don’t introduce me to your chief technology officer,’” one director quipped. Legacy processes—and the mindset that the disruptors are somehow “doing it wrong”—can quickly stanch the innovative deployment of new technologies.

To overcome these ingrained reactions, collaboration is key. “The CISO really needs to understand the business objective,” said Desai. “Outline the potential risks associated with what you’re trying to roll out, and come armed with solutions as to where you can mitigate those risks. And you can even answer that a particular risk is acceptable. Everyone needs to recognize and acknowledge that we’re in the same boat together.”

Breaking down some of those traditional barriers may become easier as the board’s understanding of what makes an effective CISO matures. “You go back maybe five or ten years ago, everyone who was becoming a CISO had a strong technology discipline,” one director with prior experience as a CISO observed. “These days, a lot of the more successful CISOs were never coders. A lot of them have liberal arts degrees, and they understand risk really well. So, I think [the stock response] went from being, ‘I’m going to say no to everything,’ to ‘Let’s learn what’s involved. Let’s look at it holistically.’ Now when you build a program, it may be spearheaded by the CISO, but that person is also bringing together the chief privacy officer, chief risk officer, head of [human resources], head of physical security, and making it a more fulsome risk discussion. People always say when you’re a CISO, it’s about people, process, and technology. I think there used to be a focus on technology. Now it’s really about people and process.”

Even though the CISO may be the most knowledgeable on new and existing technologies, that does not mean they should be the final decision-maker when setting the organization’s risk appetite around cybersecurity. As one director admitted, this is a place where boards can easily get stuck.

“To me, it’s a business risk decision. It’s not a CISO decision,” Kress said. “If it appears that the CISO is making that call, I would tell you that you have a problem. They should be coming to the board to discuss where they’re at and what they’re recommending. And from a business perspective, what risk do we want to take? What level of risk appetite is there? Because you’re never going to be 100 percent secure. That’s not going to happen. And, if they come to the board saying, ‘We’ve got it all under control, we’re in good shape,’ you should run out of the room.”

Just as the technology landscape is constantly evolving and presenting new opportunities, the risk landscape is changing along with it. As a result, companies that are now leaders in their cybersecurity practices may quickly lag behind if they fail to continuously revisit their processes and re-tailor them to better fit the demands of new cyber-risk environments. While boards may depend on their dashboards for information on how quickly a cyber-incident is identified or recovered from, direct communication with the CISO or chief information officer (CIO) is indispensable.

“At a minimum, I would expect the board to have the CISO or CIO reporting to and updating the board at least on a quarterly basis,” Kress said. “They should be giving you a perspective of where your cyber capability is today compared to industry peers. They should be giving you an update on what the cyberstrategy is and how they’re progressing against it. They should be talking about critical incidents—what they were, how they happened, and what the company did about them.”

Reaa Chadha
Reaa Chadha is a former senior research analyst at NACD.