
A
You're listening to the CyberWire Network powered by N2K.
B
Welcome to Threat Vector, the Palo Alto Networks podcast where we discuss pressing cybersecurity threats and resilience and uncover insights into the latest industry trends. I'm your host, David Moulton, Senior Director of Thought Leadership for Unit 42.
A
How do I make sure that my board's paying attention? How do I support my CEO in making sure that the board's paying attention? But how do I not overdramatize it? How do I give them the assurances, the confidence that we're on it, but at the same time not be afraid to ask for help?
B
Today I'm speaking with Abby Alderman, CEO and founder of Boardspan. With a background that spans Wall Street, executive search, board governance and entrepreneurial leadership, Abby has advised hundreds of corporate and nonprofit boards, from Fortune 100 giants to mission-driven early-stage ventures. Today we're going to talk about how boards are evolving to meet modern cybersecurity challenges and how cybersecurity leaders can structure their communication and collaboration to align with the board's strategic priorities. We'll explore the OARS framework and how it helps leaders and board members row in the same direction. Why is that important? Because cybersecurity is no longer just a technical concern. It's a board-level issue that impacts business resilience, brand reputation and regulatory exposure. And yet many CISOs still struggle with how to effectively inform and engage the board. Abby is here to help us bridge that gap.
B
Welcome to Threat Vector. I've been looking forward to this conversation for months and I'm so glad that you're here today.
A
Thanks. I'm glad.
B
Abby, you've led Boardspan for, what, over a decade, and in that time you've worked with hundreds of boards. And I recently saw you share some insights on LinkedIn about how boardroom expectations around cybersecurity are evolving. Can you talk about how the tone and the urgency around cyber risk have shifted, maybe in the last few years, and what you think is driving that specific change?
A
One of the things that we commonly say at Boardspan is that the work of the board is hard and getting harder. And that's frankly the reason I started the company. And what we see contributing to that are the same things, really, that you're talking about in the cyber area, which is that the world's much more complex. We do business globally. We are much more reliant on technology. A lot of our actions and reactions are data driven. And you and I both agree that it's not the data, it's the insights that come from the data. So everything is moving at such a breakneck pace. People are throwing out Moore's Law already, and that's what's making it so complicated. And it's a hard world for boards to keep pace with, but they don't have a choice. If you want to be on the board, you have to keep pace.
B
Today we're going to be talking about how cybersecurity fits into boardroom conversations and why it matters, how it's changing, and how leaders can communicate more effectively. So, Abby, let's start with the OARS framework. You shared this idea with me during our prep call, and I actually thought it was really clever and easy to remember. Can you walk us through what each component means and then how you use that to structure your board-level conversations around cyber risk? That's OARS?
A
Absolutely. And it is one of my favorite things to talk about, because we do try to simplify it just to help give boards a bit of a grounding in how to think about their role and responsibility. So, as you mentioned, the acronym is OARS. It stands for Oversight, Accountability, Risk, and Strategy. Those are the four cornerstones of good, effective board performance and effective board governance. So in this conversation, David, risk is the obvious place to start. And although the work of risk has to be done in conjunction with all the other three cornerstones of good governance, I just want to be clear, it's not the board's job to manage the risks, cyber or otherwise. It's the board's job to provide that oversight and ultimately be accountable and think about how it affects the strategy. So that's how all the pieces of OARS come together. When it comes to risk in particular, we encourage boards to think about, first, the likelihood of a risk happening, second, the business impact of that risk, and third, what are the mitigation plans that management has in place. So that's the oversight aspect. Again, the board doesn't mitigate the risk, they provide the oversight.
B
And how does that framework help CISOs when they're preparing, maybe, the messaging and how they're going to align what they're going to talk about with the board's expectations?
A
Yeah. So the conversation with the CISO and the board, we can go in a lot of directions on that topic. I want to first start off by saying that the best way to use a board most often is as thought partners, allowing them to ask the hard questions, challenge your thinking, satisfy themselves that you've really thought through all the possibilities and can figure out what are the more likely and the higher-impact ones and what are ones that, maybe as a CISO or somebody on your team, people are thinking about, but are going to have less of an impact on the organization and maybe don't even need to be discussed at the board level. They're just confident they're being taken care of. You don't want to draw the board into the weeds is sort of the point I'm trying to make on that. But, you know, in terms of the conversation that a CISO does want to have with their board, it really is about finding that balance. You don't want the board to have their head too far in the clouds and not care about it and say, not my problem, because ultimately it could be. Nor do you want them coming in and checking every line of code you've written.
B
I was just on a conversation with another CISO and he was talking about trying to find the right story to tell and the right level. And, you know, if you're at the firewall rules, too deep. But if you're, you know, telling a story and you're using too much humor, maybe that's not serious enough. And so it sounds like this framework, while not necessarily the way he described it and the way that you're talking about approaching things, actually really works well to give that thinking partner. I actually really like that, by the way. As you said that, I was like, that is a crafty way of thinking about this really smart group of invested people, but to come back and help them understand what risks you're accepting or what risks you're not accepting. And then if you're not accepting it, what are the controls that you have confidence in that you're going to be able to deploy against those risks that you don't accept? Are boards asking about the actual cyber risk posture? You know, from your experience, is that something that they're talking to CISOs about, or is that not quite the right language to go into a board conversation?
A
Yeah, so many are. And candidly, it's going to vary a lot, both by industry as well as board member expertise. So when I say by industry, think about: are the core assets digital, and is the impact of a hack potentially existential to our business? Those board members and that CISO are going to think about it a little bit differently than a physical products company. I mean, you know, obviously no one wants a breach of any sort. For a physical products company, it can be painful, embarrassing, but it might not put them out of business. Whereas for other types of businesses, particularly those that are, you know, in software and data gathering, et cetera, if you're putting your customers and your business partners at extreme risk, that can be really devastating. So it does. That's what I mean when I say it depends upon the industry and the business you're in. As far as the directors themselves, look, some may be super sophisticated about cybersecurity and really understand it because they used to work at a cybersecurity company or they've gone and done their own deep education around it. Others are going to take their insights from you as the CISO, from their fellow board members or what they're reading. And so they're not at the same level of savvy. And figuring that out is so important to success. So I think of storytelling, or another way to think about it is case studies, giving some examples. And my first piece of advice around that is to make it relevant. If you do tell a story or use some case study that just isn't part of something that's realistically going to happen to our company, then you're kind of signaling you can tune out and go check your Facebook during this part of the meeting. And you don't want to signal that. You want to keep them engaged by keeping it real. The second thing is to meet the board members where they are, which is something we talk about all the time at Boardspan.
And that means doing your homework about your board in terms of their level of sophistication and how much they're likely going to want to engage and their comfort in engaging in this sort of daunting topic of cybersecurity. Some may really surprise you and be super fluent and sort of want to ask some fair but tough questions. Others may need just the core basics explained to them. It's not uncommon, because of how boards are built, that you'll find that you've got a couple of cohorts, different people that can talk at different levels of savvy about these issues. And if that happens, my advice is go to your CEO in advance and talk a little bit about that and offer them, hey, maybe we have an optional pre-meeting or post-meeting session for those board members who want to go deeper or those board members who need the education. And as a CISO, that gives you a chance to work with a smaller group of board members. Again, meet them where they are is my advice.
B
Abby, you've mentioned that you've worked with a lot of CEOs and you said, you know, in some of those situations where you've got two cohorts within your board, those that are maybe a little bit more technically savvy and maybe those that need some education, you might work with the CEO ahead of time to get that education or that follow up. Are there other roles that the CEO can play in helping support those conversations at that board level?
A
Yeah, yeah, absolutely. And the CEO most of the time will have a high level of influence on setting the agenda for the board meeting. And so they can make space for this conversation. And they can also, if they feel like it doesn't need board attention or have some concerns about bringing the board too far into the weeds, they might, you know, sort of put some blockers up around it. So knowing where your CEO is and how much he or she thinks the board needs to know about it is the great place to start. One reason that these topics can get on the agenda, going back to the cornerstone issues I raised in the beginning, is oversight. And so the CEO knows that the board has that oversight responsibility and wants to help them fulfill it, because ultimately both management and the board are accountable. And so helping find that right tone is really important. And being a thought partner, I would encourage the CISO to be a little empathetic to their CEO as to, you know, what is the right level to bring the board in. So be careful what you ask for. If you want an opinion, you're probably going to get it. The one thing I'll say about sort of collaborating with your CEO to figure out what's the right level of discussion with the board is to not take it personally if the CEO doesn't get you on the agenda, because it doesn't mean what you do isn't important. It might mean that there's something else that is a higher priority or the CEO feels like we're over-concerning the board. And so you really want to be able to have that candid, you know, thought partnership conversation with the CEO as well. Typically, cybersecurity will come up in the boardroom about twice a year. It might even be once. It doesn't usually come up at every board meeting. And as most people know, board meetings are usually quarterly. So nobody should be offended if cybersecurity is not on the agenda at every board meeting.
There's a ton of things that have to get squeezed into that eight-hour meeting, and it's actually a good thing and it shows a lot of confidence and deference to management if it's not on the agenda all the time. So don't be offended. Take that as a pat on the back in most cases.
B
Abby, let's switch gears a little bit and talk about accountability. Boards want to know who owns cyber risk. So where does the buck stop?
A
Well, I'm glad you raised accountability, because, just to remind everybody, that was one of the four cornerstones. Right. And, you know, I'll be really direct about this. The board's buck has to stop with the board. They cannot pass that off to anybody else. And that means that they have to make sure they've asked all the right questions, that they have received sufficiently comprehensive answers, and that they're satisfied in the judgment that the risks are being appropriately mitigated. They just can't point fingers at somebody else. So they have to, at that level, say, we have done our homework and we understand what can happen and we're appropriately on top of it. But let's face it, bad things can happen even with the best cyber defense plans in place. And that's no one's fault, as long as management was thoughtful and thorough and the board provided that oversight that I just described. That's going to happen. And so the real issue is if the board falls down on its job or management falls down. That's where you have an accountability problem, because somebody didn't do their job well, and that's where oversight comes in. Again, the four cornerstones are all tied to each other. And there's a reason for that.
B
Yeah, it seems to me like it's the word OARS, but I'm picturing puzzle pieces. Right? Like they're all interlocked with one another and it doesn't work if you don't have all four. Can you talk about how high-performing boards define and reinforce that accountability that we're talking about?
A
Yeah. So it has a lot to do with making sure that cybersecurity and related risks do come up with the right cadence. I mentioned earlier that typically it's once or twice a year. If you're not on the agenda at all, then that's a little bit of a concern. Is anybody paying attention? So the accountability should be driven by both sides. And the reason I say that is if it slips on one, the other is going to remind them. I mean, the truth is that boards and management are a collaboration and a partnership, and they have different roles and different responsibilities. However, when things are functioning well, things are really effective. It really is the value of that partnership. It sounds trite to say, but one plus one equals three. And I'll give you a really specific example. Crisis preparedness is a responsibility of the board. It's one of those ones that is a little hard for many boards, and I don't fault them for it, because crisis preparedness is thinking about what could go wrong and do we know what we're going to do when that action happens? It's a little different than risk. Risks are known possible things that could go wrong that we are mitigating for in advance, and mitigating at the right level. Crises are the things that could go wrong that we can't mitigate for. And so thinking about, no matter how well we've mitigated for a cyber risk, there are some things that are going to happen that are out of our control. What would we do? That's what crisis preparedness is. So it's around communications, authority and accountability. Who's talking to whom internally, who has the responsibility to speak externally, whether it's to the press or the shareholders or customers, depending upon who's affected, how often are we going to keep each other updated on what's going on in the middle of a crisis, how do we reach each other quickly? These are all part of a good crisis preparedness plan, even if the best mitigation was in place and it didn't work.
B
Years ago, I was at IBM and we were talking about this type of thing, this preparedness, and to bring your board in and to bring in your PR team as part of your practice. And I remember Caleb Barlow at the time sharing the story that during one of those sessions, they got all the way to the point in the simulation where you call into the Zoom chat or the WebEx chat, whatever it was, and everyone had these laminated cards and the playbook was there, but it didn't have the password. So at the very critical moment where you're like, okay, we have our... Everyone have the card? Everyone has the card. Good, good, good. Let's try this out. And then nothing. It was like, well, that's the end of it. And then on the backside, they hadn't saved personal phone numbers into each other's phones. So there was this scramble to try to figure out who could talk to who, because the simulation said that internal comms were shut down or compromised. And it was just kind of a, oh, okay, how do we get there? So before the crisis can even be discussed, you've got to have the password.
A
I love that story, because it's the simple things that sometimes go wrong. And a lot of times you'll hear the wrong person spoke to the press and they're like, well, I couldn't reach the chair because they were on vacation, or I didn't know we weren't supposed to talk about it. That's all part of crisis preparedness, including what's the password for the confidential phone line. I also like what you just referred to, David, which is tabletop exercises. And a lot of people talk about them. Not as many boards do them, because again, it's something where you have to say, okay, we only have eight hours to talk about everything. Are we going to really carve out 45 minutes to do a tabletop? They can be really, really valuable, because that's how you can kind of future-proof some of these little things that you forget to think about. And so a tabletop exercise around a realistic crisis, and cybersecurity, cyber hacks, that's a realistic potential crisis for any organization. So I would, as a CISO or somebody who's, you know, sort of paying attention to the cyber issues for your organization, I would encourage the board to do a tabletop exercise once a year around that.
B
I agree. I think there's so much that comes from doing rather than talking. Right. The workshop versus the, you know, endless review of your content. And it is interesting to see how you respond under those types of circumstances as well. You know, some folks have a natural cool cucumber factor to them and you don't get that in the calm conversation. And then some of us are maybe a little bit more panicked. And again, good to know during that 45-minute exercise than when it's real. And yeah, I think the tabletopping is a really valuable and maybe underutilized way of bringing together that board capability to be your thinking partner with some context, and not just a CISO, but particularly in the cyber domain. I think that that's a really smart move. So you've heard it here from Abby. Maybe once a year, try that out.
B
Abby, cyber resilience is absolutely like this strategic issue. How should CISOs and their security teams frame their programs so the board sees them as business enablers rather than as cost centers?
A
I am so glad you asked that question, David, because when we get to talk about strategy, everybody lights up and it's fun. And it's not that risk isn't incredibly important, and some of the other sort of cornerstone issues, but strategy is a great way to get people to really lean in. So if you want to convince your board that security is strategic, make sure you believe it yourself. That's where I would start off. I'd start by jotting down a few thoughts of your own. You know, why do I see cyber resilience as strategic, or some other aspect of cyber and the work that you're doing? Because your conviction as a CISO will matter more than anything else. And then I go back to that storytelling that we were just talking about. Look around for case studies or examples where cyber might have helped another company make a significant change or perhaps a breakthrough, and see if you can relate that to your own business. Third, I would ask other people for their input. You can ask CISOs at other companies if you've got a peer group that you talk to, or people on your own team, or even your fellow C-suite colleagues. And then, of course, I ask my favorite AI bot a lot for ideas on topics like this. And I did that in anticipation of this conversation. And it actually helped me frame cybersecurity as a strategic imperative, because it reminded me of a few things that I would share today, which is cybersecurity can be very closely tied to business continuity and resilience. No board will deny that's important. Cyber is also incredibly intertwined with trust, brand and reputation. Right. It can be integrated into a lot of different strategic initiatives. As you think about new products and new ways to go to market, you need to know that they're secure. Cyber also is closely tied to your ability to quantify your risks and to benchmark those risks and how you're doing. And finally, I would just say that it's very much a governance and fiduciary imperative.
And no board will deny that they want their governance to be strategic and forward-thinking. So making sure that cyber is sort of baked into good governance is a strategic conversation. Now, I have a huge bias about governance, but that is my point of view.
B
Well, I tend to agree with you, because I think that things that are poorly governed, if it's a little bit too cowboy, you end up with a moment where it becomes out of control and there's a lot of finger pointing. And if you're on the other side of that, when something goes wrong, as a customer, consumer, whatever it is, you lose that core trust, right? Things go wrong. How did you respond? And if you respond poorly, that's the end of the relationship. And it goes back to, had you managed this well, did you have a point of view? So I don't mind the bias. I think that it is one of the areas, and it's part of why I spend my time in cyber heavily, is that this is an area that strangely feels underserved with people's attention when we have strung the entire world together on the duct tape and bubble gum of software and networks. And the original sin was that security wasn't baked in. And now we're trying desperately to wrap it around, infuse it where we can. That's a tough job. And I like the idea that you go to your favorite chatbot. I'm curious, maybe off the mic we'll share who you're talking to. I like to think of them as a thinking partner. Them. Did I say them? It.
A
You know, they work better when you think of them as them, supposedly. Yeah, they work better. But I love the point you're making, and I'd like to think... Sorry, I didn't mean to.
B
No, go ahead.
A
The point I'd like to make is I kind of had a guess that you value the governance aspect too, or else why would you be spending time talking to me? But actually, your comments remind me of something I learned many, many years ago. My very first job out of school, little-known fact, I was a metallurgical engineer for my undergrad and I worked at US Steel. They've been in the news lately. We made steel and I was in the quality control department. And the single biggest challenge was that you'd make the steel and then check the quality. And that's very expensive. If you checked the quality while you were making the steel, then you would be doing a much lower rate of disposition, which was part of what the QC group did, just saying, oh, that's no good, send it to the scrapyard. That's no good. And that was our job. That didn't make the production guys all that happy because, you know, they got paid by the piece and we would send it to the scrapyard. The point is, the best companies integrate the core tenets of what makes for a successful business or a successful product into the manufacturing process. And so, to your point, cyber fully integrated from day one into the software and the data and anything else that you're making makes so much more sense.
B
Yeah. Years ago, Roland Cordier gave me this quote; he was CISO at ADP at the time. Security is an ingredient in quality. And I haven't been able to get that quote out of my mind, because I think it is so true. It's not the only ingredient. And maybe we don't need a ton, or maybe we need a little bit more, depending on what we're trying to make. But if you have no ingredient, no security, the quality is lower. And I think that governance is one of those manifestations of how you make sure that you're putting a quality ingredient in, like security. I am curious, do you have advice on language that works especially well, or language that you would say, don't use these phrases, when you're talking to those boards about how security is part of a strategic imperative rather than another cost center? Are there any, like, key phrases that jump out?
A
Yeah. Well, I would say that being calm is really important. You know, if you're excitable and a little dramatic to try to make your point, that might backfire. So what the board is frankly looking for is reassurance. And I'm not suggesting that, if you've got an issue and you really need their attention, their advice, their budget, you should artificially, you know, sort of be too much of a Cool Hand Luke. However, you don't want to be dramatic about things either. So that's one point. The other point I would say is, given how busy the board is, as important as your area is, they are juggling a number of topics at any given board meeting. I'm a big fan of the TL;DR approach, which is, instead of doing the dramatic build-up to what's, you know, the story and your punchline, you can lose people along the way in the boardroom doing that. And you've got 10 or 15 minutes, maybe 20, to make your point, and that time's going to fly by. So I'm a big fan of telling them right in the beginning. Here's the conclusion. I'm asking for budget, or I'm asking for thought partnership or feedback, or I'm asking for you to sign off on this program, whatever it is you're asking for. And here's why. And I just want to put that why, like, double underscore, capital letters. To tell them why you're using their 15 or 20 minutes is so important. That's going to get their attention, and it will. You know, we all have our own personal presentation style. And I'm not going to try and micromanage other people, much less try and do something broad-stroked here. But when I talk to boards, and I do that a lot, all the time, every week, I've honed my own style to suit the needs of that board, meeting them where they are. I said that earlier. And really saying, look, these are the results of your assessment. Here's why it's important. Let's dig in and get into a few details in 15 minutes. And then you summarize again. This is what we learned, and this is why it's important.
That's what we do at Boardspan, and we find that to be very effective, because we're fighting for the same, you know, 20 or 30 minutes on the board's agenda that a CISO is or a CHRO is or anybody else. And that's how we try to make best use of their time.
B
Yeah, I hear you saying that. And there's this mantra that I have of be bold, be brave, be gone. When I talk to executives, I'd rather them have questions and come seek me out than wish that I would shut up. So when I can remember, I try to use the be bold, be brave, be gone. You've mentioned storytelling a number of times. Do you have advice for CISOs that are trying to land that one powerful message in that really short, 10- or 15-minute timeline, to tell those good stories?
A
Yeah, I think the most important thing is to keep it real and keep it relevant. And so telling a story about a company that sounds cool but has nothing to do with us, it's sort of like, I could have read that, you know. So it's your own credibility and your own signaling that I understand what's on your mind. I'm a huge believer, and everybody at Boardspan is sort of bought into this as well, in empathy. We think it's the most powerful tool in communications, regardless of what business you're in. And so as the CISO, and this applies for everybody else in the C-suite, including the CEO, be empathetic to your audience, understand where they're coming from. Again, that's a little bit about meeting them where they are, but I think telling them a story that helps move them along is super valuable. Telling them a story that is irrelevant, not so much.
B
Abby. As boards become more diverse and digitally savvy, and I think I've heard this a number of times, that boards are asking better questions and are more aware of cyber risk. Can you talk about what skills or experiences are most valuable to add to the boardroom to strengthen their ability to provide that cybersecurity oversight?
A
Apart from the technical understanding of what these security issues are and how we mitigate them, there are some broader-based, what we consider board competencies that are super valuable and will not only help a CISO, they'll probably help some of their colleagues as well, running different parts of the company. The first one is curiosity. You want board members who will engage with you intellectually. So that's a great competency to look for. The second one is practicality. You know, it always helps to have a board that understands how to balance both near term and long term, to understand costs as well as rewards, the pros and the cons. So having a really pragmatic approach is really great in the boardroom. And then the third thing I'd call out is resilience, because things can go wrong, particularly in the area of cybersecurity. And no matter how great a job the CISO has done, you can't get everything right. And what you want is a board that will recognize that and not get rattled too easily. And you want them to be resilient and calm, especially in a storm.
B
Abby, thanks so much for this conversation today on how cybersecurity fits into boardroom conversations, and then articulating, like, why it matters, how it changes, and how leaders can more effectively communicate. I've really appreciated it and learned so much.
A
Well, thanks, David. It was really fun for me too. And I have to say, for anybody who's a naysayer that talking about cybersecurity and governance, you know, is not a great joyful experience, I'm gonna refute that.
B
Agreed. Maybe we do the next one over a glass of wine and some pizza.
A
You're on.
B
That's it for today. If you like what you've heard, please subscribe wherever you listen and leave a review on Apple Podcasts or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. Or you could reach out to me directly at my email, threatvector@paloaltonetworks.com, and tell me what you think of the show. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Benecourt, and Virginia Tran. Elliot Peltzman edits the show and mixes our audio. We'll be back next week. Until then, stay secure, stay vigilant.
A
Good.
B
Goodbye for now.
Date: August 21, 2025
Host: David Moulton, Palo Alto Networks
Guest: Abby Alderman, CEO & Founder of Boardspan
This episode of Threat Vector dives into one of the most pressing challenges faced by cybersecurity leaders today: How can CISOs and security executives communicate cyber risk effectively to their company's board of directors? Host David Moulton welcomes Abby Alderman, a board governance expert and CEO of Boardspan, to break down how boardroom expectations of cybersecurity have evolved and what frameworks and practical tactics leaders can use to engage boards around cyber issues. The conversation centers on the OARS (Oversight, Accountability, Risk, and Strategy) framework and provides actionable advice for storytelling, agenda-setting, and building a strategic partnership between CISOs, CEOs, and boards.
(02:36 – 03:30)
Urgency and Complexity Rising:
Boards today are grappling with increased complexity—global business, reliance on technology, and data-driven decision-making.
"The world's much more complex... People are throwing out Moore's Law already, and that's what's making it so complicated... If you want to be on the board, you have to keep pace." – Abby Alderman (02:36)
Cybersecurity’s Board-Level Importance:
Cyber is no longer a purely technical concern; it affects business resilience, brand, and regulatory exposure.
(04:04 – 05:27)
OARS Explained:
"It's not the board's job to manage the risks, cyber or otherwise. It's the board's job to provide that oversight and ultimately be accountable and think about how it affects the strategy." – Abby Alderman (04:15)
(05:27 – 08:04)
Boards as Thought Partners:
Use the board to challenge thinking, ask hard questions, and avoid dragging them into technical minutiae.
"The best way to use a board most often is as thought partners… You don't want to draw the board into the weeds..." – Abby Alderman (05:38)
Balance Detail and Accessibility:
Frame the cyber risk conversation so it’s neither too abstract nor too technical.
Provide context on accepted vs. non-accepted risks and controls in place.
(08:04 – 11:10)
Know Your Board:
Relevance Is Key:
Use stories/case studies relevant to your company, not generic tales.
"If you do tell a story or use some case study that just isn't part of something that's realistically going to happen to our company, then you're kind of signaling you can tune out..." – Abby Alderman (09:37)
Pre-Meetings or Education Sessions:
Collaborate with CEOs to provide extra education to less savvy board members, keeping main sessions efficient.
(11:10 – 14:09)
CEO Influence on Agenda:
CEOs set meeting agendas and decide whether to give cyber issues stage time.
"Knowing where your CEO is and how much he or she thinks the board needs to know about it is the great place to start." – Abby Alderman (12:10)
Be Empathetic:
The absence of cyber topics at every meeting doesn’t signal insignificance; often, it's a vote of confidence.
Typical Cadence:
Cybersecurity comes up 1-2 times a year in board meetings; don’t expect or demand more unless warranted.
(14:20 – 15:58)
"They just can't point fingers at somebody else. So they have to, at that level, say, we have done our homework..." – Abby Alderman (14:40)
(15:58 – 20:31)
Crisis Preparedness vs. Risk Management:
Real-World Tabletop Example:
"It's the simple things that sometimes go wrong... A lot of times you'll hear the wrong person spoke to the press..." – Abby Alderman (19:19)
Tabletop Exercises:
Highly recommended as annual practice to "future-proof" crisis response.
(22:03 – 29:03)
Making the Case to the Board:
Cyber Tied to Business Functions:
"Cyber security can be very closely tied to business continuity and resilience. No board will deny that's important. Cyber is also incredibly intertwined with trust, brand and reputation..." – Abby Alderman (23:37)
Bake Security into Business by Design:
Integrate security early, not as an afterthought.
"The best companies integrate the core tenets... into the manufacturing process. And so to your point, cyber fully integrated from day one... makes so much more sense." – Abby Alderman (27:46)
(29:03 – 33:17)
Be Calm, Not Dramatic:
Reassurance, not panic; don’t over-dramatize or sugarcoat.
"If you're excitable and a little dramatic to try to make your point, that might backfire. So what the board is frankly looking for is reassurance..." – Abby Alderman (29:13)
Be Direct and Efficient:
Use TLDR: Start with your main ask and the “why” in the first minute.
Storytelling Tips:
Be Bold, Be Brave, Be Gone:
David’s mantra for succinct, impactful delivery.
"I'd rather them have questions and come seek me out than wish that I would shut up." – David Moulton (31:43)
(33:44 – 35:02)
This episode provides a playbook for CISOs and cyber leaders striving to engage their boards strategically, not just tactically, on cyber risk. Abby’s OARS framework and practical communication advice help CISOs keep messages focused, relevant, and strategic, while David’s executive insights reinforce the importance of efficiency, confidence, and story-driven presentations. The conversation also emphasizes adaptability—matching the tone and content to your board’s unique makeup—and the importance of ongoing crisis preparedness.
For CISOs: Lead with the “why,” tailor stories for relevance, and use board members as thinking partners rather than technical reviewers. Collaborate actively with your CEO and ensure your language, tone, and confidence underscore that cyber risk management is central to business quality and strategic direction.
For Boards: Cultivate curiosity, resilience, and practical wisdom—these traits enable effective oversight in a world where cyber is a permanent and evolving business concern.