Julie Ragland was CIO of vehicle manufacturing company Navistar, and has held IT leadership roles at Adient and Johnson Controls. To Ragland, who also sits on several state agency and non-profit boards, one of the greatest responsibilities for today’s boards is in governing cyber security risk. And while board members are generally tuned in to the importance of cyber governance, they don’t always understand the true risks with cyber and their own governing role.
“Most boards fall into the trap of thinking that cybersecurity is a technical issue, and focus too much on technical protections and whether the right tools are in place to protect the organization,” she says. “But we know that more than 90% of cybersecurity incidents start with human behavior error. Cyber incidents are as much a communications and legal challenge as they are a technical challenge, so when boards focus too much on the technical, they miss key areas of responsibility.”
Knowledge is power
As is often the case with boards and technology, there are some common causes for a gap in understanding. “Boards typically don’t have technical expertise, so they’re sometimes intimidated by the topic and just want the company’s CIO and CISO to take care of it,” says Ragland. “So it’s incumbent on the CIO to provide the right board-level cyber education.”
She boils cybersecurity governance into investment prioritization and incident response behaviors, neither of which are technical. “The dollar amount to cover the totality of a cyber landscape for an organization can be huge,” she says. “The board needs enough understanding of cybersecurity to help prioritize these big investments.”
This “pre-incident” investment role is second only to the board’s role when there’s a cyber incident. “Once the company determines an incident is reportable, the board has an important role to play,” she says. “What are our obligations to customers, employees and suppliers? How do we communicate to the outside world? Should we pay a ransom? What parts of the business are impacted and what is our highest recovery priority?”
If boards don’t fully understand their role until they’re in the middle of an incident, they bring unnecessary risk into the company they govern, and it falls under the CIO to educate the board on the primary risk of a cyber incident and how to prepare.
CIOs can start by arming their boards with the right questions, none of which are technical. For instance, have we undergone an external assessment of our cyber recovery plans, and what’s our action plan based on that assessment? Another area ripe for board investigation is whether or not there’s been penetration testing or any other tests that mimic the actions of cyber criminals. Are those tests done regularly and how’s our performance?
Developing areas of expertise
External assessments, says Ragland, are powerful tools for CIOs, too. “With boards seeking external validation on risks, just as they would financial fiduciary through an audit, it’s the executive responsibility of CIOs to provide them with that information, as well as having a fresh set of eyes on an always changing landscape,” she says. Audit and IT services have cybersecurity practices, and The National Association of Corporate Directors has recommendations for external assessments.
Boards want to build up their role in cyber, and they’re changing board member selection criteria as a result. “Boards shouldn’t limit their addition of technology expertise to security,” says Ragland. “Yes, security expertise is critical, but so is a board member who can address the strategic opportunity that technology brings to organizations. How are we using technology to advance our strategies, products, and customer engagements? As boards look to technology skills, they should look for someone who can bring both flavors into the board room.”
But appointing technologists as board members doesn’t let legacy board members off the hook. To Ragland, there are two things all board members should understand about technology. “First, technology is a repository for the critical data of the organization,” she says. “Boards should understand the kinds of data they’re governing, and the risk factors associated with that data if it were lost, destroyed or exposed.”
Second, boards should see that IT systems are, at their core, the automation of business processes to generate data. “Boards need to understand that some processes are highly automated in their organizations, and some are not,” she adds. “Some processes are more crucial to the organization’s financial results than others. From this lens, when CIOs talk to the board about vulnerabilities or investments, they understand the impact on processes and data, the most important investments. They don’t need to understand how the technology works.”
Cybersecurity executive leaders, whether CIO or CSO, have tremendous responsibility for bringing up their board’s cyber acumen. “CIOs should step away from technical presentations and move to a risk management format,” says Ragland. “Focus on business risks and how IT contributes to protecting the organization.” And don’t stop with the formal boardroom. In addition to presenting a few times a year, meet board members in less formal meetings. “CIOs should find a few people with the highest technical acumen to meet in more conversational settings,” she says. “The chairs of the audit and risk committees are usually a good place to start, and CIOs can leverage their CEO to jumpstart those meetings.”
With the current exuberance around IT, many CIOs are facing an onslaught of board level AI fervor. Since education is the best defense against hype cycles, CIOs must insist on a business strategy discussion before making big AI investments. “Boards need to understand that hype cycles are not about technology,” says Ragland. “They’re about business strategy. The board needs to treat AI like any other emerging capability.”
For decades, we’ve been asking CIOs to leave the acronyms at the door and focus on business impact. With cyber and AI threatening to disrupt business strategies, it’s even more important today that CIOs contextualize technology in business terms the board understands.