What Should the Board Ask the CISO? | Interview with Clar Rosso
Welcome to the Secure and Simple podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs, and other cybersecurity professionals. Hello. I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple podcast. Today, we have a very interesting guest.
Dejan Kosutic: Her name is Clar Rosso. She's the CEO of Rosso Strategic Advisor and a board member of Excelsior University. She was also CEO of ISC2, the very famous and biggest cybersecurity training provider, where she had a very cybersecurity-literate board. So she has lots of cybersecurity experience, from both the management point of view and the board point of view. So in today's podcast, basically, you'll learn what board members typically expect from a CISO, from a security officer.
Dejan Kosutic: So welcome to the show, Clar.
Clar Rosso: Thank you so much for having me. I'm so glad to be here. I love your podcast. I'm always learning something when I listen, so I'm thrilled to be on it.
Dejan Kosutic: Okay. Thanks, great to have you here. So do you think that board members still consider cybersecurity as something technical, or is this changing? Do they view cybersecurity a little bit more as a business issue?
Clar Rosso: I hope board members are starting to view cybersecurity as a business issue. I actually think the best thing that has happened for cybersecurity in the boardroom isn't any big incident we've heard about, but it's actually AI. I actually think the focus on AI and AI governance has really amplified that boards understand they need to do better oversight of cybersecurity, AI governance, and technology. And so they really should have better digital oversight than they have today. I do think that that understanding is growing in the boardroom.
Clar Rosso: I don't know how well it's playing out when there are actually board meetings, if that makes sense.
Dejan Kosutic: Okay, but why do you think that AI governance has such a big impact, let's say, or influence on cybersecurity?
Clar Rosso: Because at the heart of AI is data. And if you aren't managing your data in a way that is secure, you're not going to get reliable results from your AI. So I think organizations are starting to, again, think about this as: we need an ecosystem approach to tackling this. We have to talk about our data governance, our data privacy issues, our data security, but at the same time, we need to understand the technology environment in which they're operating, what we're asking it to do, what the validity and reliability are, and what happens if we make big bets on AI and we have a cyber incident. All those things are interconnected and can't be looked at in isolation.
Clar Rosso: So where I believe that brings us back to is that cyber has gone from being a technical, operational issue for a business to being integral to operating the business itself and to the business achieving its strategic goals. And that's going to take a different approach for cybersecurity professionals when they talk to boards of directors.
Dejan Kosutic: And from your experience, what is, let's say, the most important information that board members should ask for from security personnel or from a security officer?
Clar Rosso: Well, that is probably the best question of the day. I actually was on some webcasts this morning where they were trying to tackle that issue, and I'm not sure they answered it. First of all, I think it used to be that you got put on a board because of generalized expertise. And it is becoming increasingly understood by all sorts of boards, for-profit boards, private boards, not-for-profit boards, university boards like the one I'm on, that we need people on boards, we need directors with certain kinds of capabilities, to understand the complex issues businesses are dealing with.
Clar Rosso: So, there's that. You need to have somebody who's a bit of an expert on your board, but there's also a need to elevate, I would say, the cyber literacy or digital literacy of all board members. And when I think about this, and I think, what should you know? Well, I don't think you have to know the whole body of knowledge to become a CISSP or a CISM. I think maybe, and I would love your feedback on this, I actually think maybe the starting point is for board members, and therefore CISOs who are reporting to the board, to think about digital resilience, because cyber resilience is part of digital resilience.
Clar Rosso: If we accept that there will be cyber incidents within our businesses, then maybe a board can shift its focus to not just how do we prevent these incidents from happening, but what do we do once they happen? And I actually think for a CISO, starting at that point with the board is a great starting point, because it really will help with: if there is a problem, what do we do? And why are we positioned well from a cyber resilience or digital resilience perspective? So if I dig into that a little deeper, what's the incident response plan? Where's the point at which a board gets involved in the incident response plan?
Clar Rosso: Rather than talking for hours on end with a board about threat vectors, take them through a tabletop exercise where there's actually incident response going on. And I think that learning by doing is going to help board members understand the impact of cybersecurity on the business more than anything else. Well, I have lots more thoughts on that, but that's my starting point. I'm actually curious what you think in terms of: start with cyber defense and say why you're all protected, versus start with resilience and say, if something happens, this is why we're covered.
Dejan Kosutic: I fully agree with you that cyber defense is not enough, that cyber resilience is kind of an upgrade, if I can use this word, of the purpose of cybersecurity. This is visible also in some European regulations like DORA, which basically is the Digital Operational Resilience Act. I mean, in its name you already have this resilience concept. So yes, I mean, this is certainly one of the key functions, if you will, of the cybersecurity department or role.
Dejan Kosutic: But do you think that there is something other than cyber resilience, or to rephrase the question, is there a way for cyber to actually help a business grow? Because resilience, in its philosophy, is basically about protecting the company, right? Whereas can cyber help companies grow?
Clar Rosso: Absolutely. Absolutely. So it doesn't have to be thought of as backroom operations. It can be a strategic advantage for an organization. But here's what's required for that to happen.
Clar Rosso: We need cyber leaders to talk business. Instead of teaching our board members, our executive leadership, and organizations cybersecurity, and to some degree that needs to happen, our cybersecurity leaders need to start to speak the language of business. They should be able to, off the tip of their tongue, know what the strategic goals of the organization are, and both how a strong cyber posture can help them achieve those goals faster and better, and the risk implications associated with not attending to the details that need to be attended to.
Dejan Kosutic: From that perspective, what should the board members ask, let's say, or how should they communicate with the CISO to actually begin this strategic discussion with regard to cyber?
Clar Rosso: That's a good one, and that's where, if we're honest, as board members we struggled a little bit from time to time. So a board member's job, as you said, really is to ask questions. A board member's job is not to jump into the operational weeds of the organization. So, it's really about how do we understand the high-level questions that board directors should ask? And so, again, I learned this from someone I met in the cyber space who said he loved to take the organization's key strategic priorities and actually present his cyber report based on those strategic priorities.
Clar Rosso: So I think one question that board members could be asking is simply, how does our cybersecurity posture help us achieve these objectives? And what risks do we have related to the same? And then, of course, if there are risks, which we know there will be, how are we managing the risks, mitigating or accepting the risk?
Dejan Kosutic: Great. And basically for, let's say, a CISO to present these facts to the board, what is the best way to present these things? Because obviously speaking in technology terms is not a good way, right? But what then is a good way to present these facts to the board?
Clar Rosso: I have my top choice answer and my plan B on that. So I would say my top choice answer is: if organizations are doing a really good job at enterprise risk management, they have developed a common language with their board of how they talk about risk. And I know we're not just talking about risk here, but if you have developed a common language with your board about risk, so what is our risk appetite? And you're looking once a year at what the risk appetite is for various parts of the business, on which your cyber leaders should be weighing in, in the boardroom, so that people fully understand, if they say they have an aggressive risk appetite, meaning they're willing to accept a lot of risk, what that actually means in the particular context they're looking at. So I think that if you have a rigorous enterprise risk management program where everybody understands their risk appetite, you are looking at what the key risks of the organization are and how they're being managed, and you also know what the likelihood and the impact of those risks are, you're starting to make progress on creating that language and thinking about how am I reporting about cyber risk to the board.
Clar Rosso: Part of the reason I love that construct of using your enterprise risk management is it makes it a part of looking at the business as a whole instead of just looking at a single operational function. If that is not there, and in some organizations it's not there or it's partly there, I suggest you get there. But if that isn't the case, I really think, from a cyber professional perspective, I would, assuming you're in the boardroom and you're part of the other discussions going on, create a report and position it in terms of the strategic objectives of the organization. And again, boil it down to where's our opportunity here and what's the risk. There are going to be other topics you want to cover, and hopefully those will emerge from conversation with the board, like what are we doing to create a cyber culture in our organization?
Clar Rosso: How are we educating our employees? What do we do when we're onboarding our employees? When we're talking about strategy for the organization, you're talking about marketplace factors that are impacting the organization's strategy. Talk about what that means from a cyber perspective. For example, today, everybody's talking about geopolitical risk.
Clar Rosso: So what does geopolitical risk mean for organizations, in terms of maybe it's an opportunity, but also in terms of risk? Does it mean that there's going to be increased risk of nation-state actors going after critical infrastructure sectors? When there are economic downturns, and we did some of this research when I was at ISC2, your insider threat within your organization goes through the roof. Because I think, well, you're going to be quoting me on this, but I'll ballpark it and it'll be good enough. When we surveyed cyber professionals and asked who had been approached directly or knew of somebody who had been approached directly to create an insider threat, it was something like 70% of all cyber professionals had been approached or knew someone who had been approached by a threat actor.
Clar Rosso: We know that in economic downturns, that's more likely to happen. So I think the cyber leader being a fully participating player in strategic discussions can really elevate the board's understanding of the importance of cybersecurity within their organization.
Dejan Kosutic: If I understood well, you mentioned that one of the aspects that needs to be discussed is really the market. So, how can cyber actually help, let's say, grow the markets or, let's say, the sales of a company?
Clar Rosso: Well, that's a great question. I think in this world where we use data to get ahead with our businesses, I think an organization that is managing its information system security well is going to have a competitive advantage, because it's going to be easier, assuming there are guardrails in place, for them to work with third parties, to integrate with third parties. Also, cybersecurity is not just about making sure somebody doesn't steal your data, you know this. It's also about making sure that when we rely on that data, it's valid and that data has integrity.
Clar Rosso: So the more valid, the more integrity, the more reliable our data is, the faster we are to make decisions and go to market with new products and new ideas. That's all part of cybersecurity. I think people sometimes view cybersecurity as only the people who make sure somebody doesn't hack into their systems. But if you really take the full meaning of what it means for cyber defense, it goes much deeper than that, and that can create a competitive advantage in the marketplace.
Dejan Kosutic: Great. And these are obviously the topics that should be discussed at the board level together with the CISO, right?
Clar Rosso: Yes.
Dejan Kosutic: Okay. And you mentioned also this concept of the, let's say, level of risk that should be accepted or not. So how should, let's say, a CISO describe the risk appetite? Should this be displayed on some kind of scale, or is there some other way to describe it?
Clar Rosso: That is a great question. I think sometimes when you see risk appetite statements, they're narrative, and I'm not sure people walk away from reading a narrative definition of the risk appetite with the same idea. So I love the idea that you just suggested, which is to normalize a scale. If we think there's a risk in this space, what's the likelihood that risk is going to happen? And depending on where our posture is, we're going to say, we're willing to accept that risk, and we understand the likelihood it might happen.
Clar Rosso: Obviously, it's going to be a range, and it's going to introduce lots of opportunity for discussion, certainly within management of organizations before they go to the board meeting. But I would suspect also in the boardroom, it would be engaging people and saying, hey, you're saying the risk of that is forty to sixty percent? Okay, I don't know if I'd agree with that. Well, you've engaged them then. They've asked a really good question, and you can negotiate what that percentage is if there's, you know, a bit of evidence to back it up.
Dejan Kosutic: Okay. And besides this, let's say, information about the level of risk, what other KPIs would or should the boards look for or ask from a CISO?
Clar Rosso: Well, I think that, again, that's going to depend. I do believe that, and we haven't really talked about this yet, but board members need to understand the compliance requirements as well. I'm not saying they need to understand the ins and outs of DORA, but maybe they need to understand, we need to be compliant with DORA. We need to be compliant with the Cyber Resilience Act. We need to be compliant with NIS 2.
Clar Rosso: So, I do think part of the KPIs is understanding how you're doing as it relates to compliance. You probably want your board to know, not the details, but at a high level, that you are using standardized cybersecurity risk frameworks to help manage your cyber risk within your organization, whether that's ISO or NIST, right? You want them to understand that. Then what I would say is I think the specific KPIs will vary from organization to organization, because frankly, that's how it is, and maybe even within an organization from year to year it will vary. So, you know, one organization may want a little more detail on how they're managing access controls. Another organization may want something about, you know, the number of days it takes before you do a software or hardware technology update.
Clar Rosso: They may also want some data, and maybe it's not data you present all the time. You know, we know that with things like ransomware, it's really important that beyond any defense that they have, all their defense in depth, etc., organizations need to be backing up their data. Well, where all that advice then falls off is it forgets to tell organizations, not only do you need to be backing up your data, but you need to actually make sure that backup is usable. Because often organizations... So I think there's a range of KPIs, and it's going to be a little bit board-specific in terms of what they look at.
Clar Rosso: Do you have any specific ones that you like?
Dejan Kosutic: No, but what I wanted to ask you is, isn't this kind of an information overload, to basically show the board this kind of operational data, like, you know, access control, the backup, and so on? Isn't this kind of too much?
Clar Rosso: Well, it probably is too much. And then it's probably okay. So we are all going to remember that I had the most cyber-literate board on earth when I was CEO of ISC2. I think it may be too much to report on a regular basis, but when you're helping board members understand, even at a really high level, what the important aspects of cyber defense are, these may be it. To me, understanding even at the highest level that you're actively managing access control within the organization, frankly, and I'm sure there are those that wouldn't agree with me, I'd rather know about that than have somebody tell me the latest report from the phishing email tests. That's what I think boards get now: they get, oh, we sent out five phishing emails and we had this many people click.
Clar Rosso: And that's important, but it's not as important as knowing that your organization is regularly doing backups, they know how to use their backups, and they're managing their access control. I may be crossing the line from board member to CEO as I answer that question.
Dejan Kosutic: No, no, it's fine. These are all interrelated things. Okay, we discussed these regulations just a little bit. So do you feel that there is a change, let's say, in the board's role because of these regulations, especially in the States?
Clar Rosso: Well, we're kind of in a not-so-regulatory environment in the States right now. So there are state-based regulations, but while NIST puts out best practices, we don't see the level of regulation that, say, you see in the EU. That said, I believe, and I've spent a lot of time talking to a lot of people all over the world about this, I think the realization of digital risk in organizations is going to ultimately take us to a place where we're looking at having third-party digital audits that are comparable to the third-party financial audit that we all know and love today. Because, you know, third-party financial audits got put in place because of financial risk to organizations, and digital risk is becoming greater and greater.
Clar Rosso: I think we're going to see movement in that space. I was just doing some research to see if ENISA and the EU were moving forward in their thinking about the cyber audit or the digital audit, and it does seem to me like that is moving forward.
Dejan Kosutic: Yeah, actually, DORA does require a digital cybersecurity audit for all financial entities, and NIS 2, the directive for critical infrastructure companies, actually requires the same for critical infrastructure. So for financial and critical infrastructure companies, this is already becoming a reality.
Clar Rosso: And what I think in that space we're specifically going to see is much more standardization of what we mean when we say they're doing a cyber audit. I think right now there's a little more choice than there probably ultimately will be related to these kinds of audits.
Dejan Kosutic: Yeah. I also noticed a couple of years ago there was talk that the US SEC, so the Securities Commission, would actually introduce an obligation for at least one board member to be in charge of cybersecurity. So this actually didn't go through, right?
Clar Rosso: No. So that aspect did not really happen. We actually talked, when I was at ISC2, we talked to the SEC about that. Because we said, you need to have... what's your standard in terms of somebody with the right level of cyber literacy or cyber expertise? And they didn't really want to go that road. And so what they ended up doing, in a bit of a surprise move because we thought things were still under discussion, was put rules in place about incident reporting and the timing of reporting incidents.
Clar Rosso: So that's the direction they went instead. But I will tell you, there's an organization in the US, the National Association of Corporate Directors. I'm a member, I'm certified by them. They tell you, and most boards will tell you, we need a level of cyber expertise on our board. We need to understand better what's happening in that space.
Clar Rosso: Again, for resiliency reasons and for risk management reasons. And as you brought up earlier, for competitive advantage reasons as well.
Dejan Kosutic: Yeah, it's definitely going in that direction. The question is only how much is going to be regulated, I mean, on the board level. So it's something where we have to see what will happen. Now, because of, you know, the many cyber breaches that have happened in the last couple of years, do you see that the attitudes in boards are changing? Are they changing drastically, or only to a smaller extent because of these breaches?
Clar Rosso: I think they're changing. So I've had the opportunity to work in the governance space on both sides, both as management and as a board member, for about two and a half decades. And I'll tell you, two decades ago, I wasn't hearing any cyber reporting in the boardroom, and I hear it now. Is it evolving in some boards? Is it only once a year?
Clar Rosso: Probably. Will we hopefully move to a place where it's a regular part of both the enterprise risk management reporting and the strategic planning for an organization? I hope so. Because I think that that's really our ultimate goal. We had a great director of cybersecurity at ISC2, and one thing he put in place was having security business partners, kind of like companies have HR, human resource business partners nowadays. The idea was both to give the security team member a chance to understand a part of the business better, but also to make sure that when those major initiatives were being introduced, we were thinking about security from the start.
Clar Rosso: It wasn't an afterthought. It wasn't what, I don't know if you experienced it, but I sure experienced, which is that the day before the CRM launches you realize that everybody has superpowers within the CRM and you haven't locked anything down. Right? I lived through that. Not at ISC2, might I add.
Clar Rosso: But, you know, we've evolved and we'll continue to evolve. And I don't think the hyper-focus right now on AI is necessarily going to distract from that. I think the hyper-focus on AI is going to force us, rather than looking at areas kind of by business unit in silos, to look at the ecosystem within our technology footprint or our digital footprint and how that impacts the organization.
Dejan Kosutic: Okay. Now, when a breach happens, what role should the board take? I mean, we all know in general what the CISO should do, but what should the board actually do if a cyber breach happens?
Clar Rosso: So, you know, that's where your incident response plan is really important. And it should be clearly outlined. The board should understand their role. I am very pleased that I have not had that experience, where anything got to the point where we had to go to the board. But I do imagine within organizations, for example, if you've been locked down by ransomware, that there's conversation at the board level, with input from experts, legal, insurance, and others, about what the course of action is, and getting the board's agreement to that course of action.
Clar Rosso: I think when you have lesser incidents, they're not necessarily immediately board-reportable. What I have found in working with boards, and what I have found as a board member, is it opens the opportunity for conversation, to just allow the board members to understand how it happened, what you're going to do to try and prevent it in the future, and how it impacted your business continuity.
Dejan Kosutic: Okay, great. Now, one of the last questions that I wanted to ask you is, when we think about the roles and responsibilities of the CISO and of the board, what is actually the line, and who owns what when it comes to cybersecurity? So what is it that the board needs to own, and what is it that the CISO needs to own when it comes to cyber?
Clar Rosso: Okay, that's a great question. So, the board has responsibility for oversight, insight, and foresight. And foresight is kind of a new thing with the board. As we talk about the evolution of boards, like what's out there, what's ahead, what's coming. So there is a responsibility for the board to ask questions to make sure that management is actively managing the business, both in a way that protects us today and positions us securely into the future.
Clar Rosso: I think, of all the things we've talked about, and this is why it's so complex, because there are so many things the CISO could do and so many stories they could tell, I really think the CISO has to step back and be a systems thinker within the ecosystem of the organization they are working in, understand what the business outcomes you're trying to achieve are, how through your cyber program you're helping achieve those, and how you're minimizing risks to the organization. And then I do love the idea of resilience. How are we going to manage the bounce-back when something does happen? Because something's going to happen at some point. So how are we going to manage the bounce-back?
Clar Rosso: And what do we have in place to manage that? And I think that a cyber professional who can do that with their board, maybe take them every once in a while through a tabletop exercise, is really going to enhance the importance of cybersecurity within their organization, so that it's no longer thought of as a backroom function, but that it is something of strategic importance and value to the organization.
Dejan Kosutic: Great, well, thank you for these insights, Clar. It's really been a pleasure talking to you, and I learned a lot today.
Clar Rosso: Oh, thank you so much, I appreciate it, and I look forward to talking again.
Dejan Kosutic: Okay, thanks again, Clar, and thank you everyone for listening to or watching this podcast, and see you again in two weeks' time in a new episode of the Secure and Simple podcast. Thanks for making it this far in today's episode of the Secure and Simple podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients.
Dejan Kosutic: White-label documentation toolkits for NIS 2, DORA, ISO 27001, and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy, with numerous videos for NIS 2, DORA, ISO 27001, and other frameworks, enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps with better ranking, and I would also appreciate it if you share it with your colleagues.
Dejan Kosutic: That's it for today, stay safe!
