Scare tactics get old fast. "I don't talk that way to board members. It's a little too Chicken Little," says Boyd of Shale-Inland. "Yes, threats are pervasive, and the likelihood of any one company being breached is very high. But there may be things that you flat out don't care about protecting. What's more important is understanding the risk profile of the company. Where are the most critical assets and what are we doing to protect them?"
At Universal Weather and Aviation, Turpin had to break it to his board that it would take a while to get the company's cybersecurity house in order. "They were like, 'What would it take to do it in half the time?'" he says. Short of fairy dust, he told them, it couldn't be done. "Even if we threw a lot of money at it, there were changes we had to make to the infrastructure and business processes and significant staff training that needed to be done, some of which was very challenging and would take time," he says. "I told them that as we proceeded, I would let them know if there were opportunities to move more quickly. When I walked out of the meeting, I had their full support."
Going beyond the headlines
While extensive media coverage of high-profile breaches has spurred board members to care more about IT risk than ever before, a daily diet of such headlines can sow panic. "You would think it would help, but it also hinders," says Boyd. "It can even desensitize the board because they know that the press can sometimes overhype things. They need a fair and balanced perspective of what is real."
Some news has value. "When [a breach] occurs in your industry or meets some threshold that allows you to reinforce the message that what you're doing is good or enables you to make a request that hasn't been approved yet, it might be a good use of the news of the day," says Cal Slemp, managing director and head of the IT security and privacy practice at Protiviti. "But we don't recommend a steady stream of [such news]."
Angelo also worries about overplaying the scary headlines. "If you're going to talk about Anthem or Home Depot or Target, you'd better make sure it's relevant," he says. "I keep that stuff out of my presentations. Everyone can read it on their own, and that's what got us before the board in the first place."
Turpin scoured various reports of security incidents and unearthed an attack outside his industry that illustrated an issue that Universal Weather and Aviation was facing internally. "I found an example that clearly showed something that could happen to us and what the impact would be if it happened," he says. "It was the best example of a worst-case scenario. It was clear to [the board] how devastating it would be to the business." When major vulnerabilities are exposed, such as the Shellshock vulnerability or the Heartbleed bug, Turpin sends out a companywide message to let everyone know that his office is aware of the issue and has plans in place to handle it.
Keeping the board on board
If giant banks and government agencies can get hacked, how can the average business protect itself? That's a question Jerry Irvine, CIO of IT services firm Prescient Solutions and a member of the National Cyber Security Partnership, gets a lot. "Everyone would like to get that magic cape to throw over their systems to protect them from the rest of the world," he says.
Irvine doesn't have a magic cape, but he suggests something better. "Give [the board] something to touch and read and understand that shows you are making progress and getting things done," he says. "What the board wants are metrics to keep on top of what's happening." Some key metrics include an inventory of known and authenticated devices and software, vulnerability scans, and the business continuity measures "that would be necessary in case of a security breach or incident," Irvine says.
CIOs and CISOs can partner with board members to figure out what information would be most useful. "What we see work most effectively as boards are pushing into this area is working collaboratively with executives in the organization to work through what's important and settle on a series of communications and metrics on governance for cybersecurity," Irvine says.
There are no rules about how often to communicate with the board about IT risk. "You don't want to over-alert. But, then again, you don't want to paint too rosy a picture," says Peretti at Alston & Bird. "The goals should be to create meaningful and consistent reporting that establishes credibility and paints an honest and accurate picture."
Boards don't need daily, or even weekly, updates, but they do need to see the big picture. "The board should be focusing on managing risks, not detailed operations," Turpin says. "They need to be informed enough to support strategy."
Most CIOs and CISOs talk directly to the board about cybersecurity every quarter.
"It has to be frequent communication. It can't be once a year. That's not going to give a sense of what's occurring and how well positioned we are," says Scholten. He meets with his board five times a year and also provides a cybersecurity report at each monthly executive team meeting. "Things change so much, it has to be frequent," he explains. "From that report, we can choose what should go on to the board." Scholten also has ongoing interactions with Principal's audit committee, with whom he conducts a "deep dive" into IT risk every year.