A topic that is becoming increasingly critical to companies of all sizes in all industries: making cybersecurity a board-level imperative.
Data breaches and advanced threats generate headlines on a daily basis. The need to protect organizations from regulatory compliance and business continuity risk may be top of mind for cyber and technology leaders and their teams but far too often, the topic is only paid lip service at the board of director level.
With the cost of the average data breach now topping $4.35 million, according to the IBM Cost of a Data Breach Report, it is more critical than ever for boards to appreciate the impact that information security can have on the business. Boards should treat security as a top business risk as well as a top business opportunity. As a three-time chief information officer (CIO) and chief information security officer (CISO), Jay Pasteris speaks directly to this issue.
Security: What is your background? What are some of your responsibilities at GreenPages?
Pasteris: I am a technologist. For the past 20+ years, I have worked at a senior level in IT and cybersecurity for organizations in technology, financial services/investment management, learning and development and global medical research.
Currently, I am CIO and CISO at GreenPages, a national IT and cybersecurity services firm. I oversee our growing intellectual property and services portfolio, systems security, compliance, and quality assurance, and lead our technical pre-sales and business advisory services teams. I also am an executive sponsor and security advisor to our key enterprise clients.
Security: It is more critical for boards to appreciate the impact that information security can have on the business. Why should boards treat security as a top business risk and a top business opportunity?
Pasteris: Corporate boards must support, if not mandate, companies’ investment in cyber maturity and defenses and push executive management to treat all adversaries and threats - whether hacking groups, malicious insiders or plain old human error by employees or contractors as a core business risk. The reason is simple: threats are continuously increasing in size, sophistication and frequency. Companies can no longer assume it will not happen to them. They must be proactive in implementing cybersecurity readiness plans to minimize operational, financial and reputational harm. It has to become part of their DNA. Companies in highly regulated industries such as financial services and healthcare and publicly held organizations have an even greater risk as insurers are requiring certain cyber standards and shareholders will demand continuous oversight.
Security: How have you advised boards in the past and how are you doing it in your present role at GreenPages?
Pasteris: At GreenPages, we’ve developed a comprehensive cybersecurity program that we have applied to increase the security posture of hundreds of customers in several industries. This playbook includes a holistic framework design to quickly and effectively assess, modernize and manage their cybersecurity program. The framework removes the complexities and the “intimidation factor” of a cybersecurity program including how to effectively communicate at the board level, the investments being made, and the manner in which these investments contribute to making the organization stronger, better protected, resilient, more competitive and a better place to work and do business with. Cyber can be a competitive advantage.
Security: How can CISOs better communicate cyber risk and metrics in terms that resonate with the board?
Pasteris: It is critical to remember that most board members lack the technical background, experience, and frankly, the appetite for overly technical terminology.
I have developed several best practices for communication with boards: Engage more regularly. Visualize (Heat Map) the risks, investments needed, progress against those risks and speak their language. Be brief. Skip the acronyms. Use analogies and anticipate their questions, objections, or concerns. Communicate how security initiatives align with and impact business priorities and outcomes. For example, “How might this risk harm the company?” “Is our security program maturing and keeping pace with our peers in the industry?” In my experience, board members are most concerned with - and justifiably so - visibility, organizational readiness and the need to continuously enhance or protect brand reputation.
By associating IT and cyber risks with business goals, objectives and outcomes, boards are able to understand and assign a cost justification to major initiatives. They can be the CISO’s greatest advocate when you work in tandem together to drive true cyber resiliency for the organization.
Security: Do you believe boards should have previous cybersecurity experience on board? Or does it fall on the CISO to brief the board on cybersecurity?
Pasteris: Absolutely. I believe this and have been preaching this message within my own organization and our client base. It is no longer optional for corporate boards to recruit and select members with real-world cybersecurity experience; it is now a business imperative regardless of a company’s size or industry segment.
The simple reason for this is security risks are business risks. Corporate boards need to be held accountable for the company’s actions - or inaction - with respect to taking a much more proactive approach to continuously protecting their employees, their customers, their intellectual property, their data and more.