In today’s rapidly evolving technology landscape, it is more important than ever for Boards and executives to stay informed about the latest developments and potential risks in technology and digital capabilities.
In this Help Net Security interview, Alicja Cade, Director, Financial Services, Office of the CISO, Google Cloud, offers insights on how asking the right questions can help improve cyber performance and readiness, improve responsible AI practices, and balance the need for cybersecurity with other business priorities. Cade shares valuable advice for leaders who want to ensure their organizations are equipped to navigate the complex digital landscape of the modern world.
Organizations face an evolving cyber threat landscape these days. Can you provide examples of probing questions that Boards, CEOs, and other executives should be asking about technology and digital capabilities and how these questions can help improve cyber performance and readiness?
The threat landscape continues to remain dynamic and complex, and we expect these trends to continue in 2023 and beyond. In most cases, cybersecurity leaders understand the need for better intelligence on cybersecurity threats, but most of them often make decisions without fully understanding who is attacking their organization and why.
Boards can drive efforts to bridge these intelligence gaps and ensure that this information plays a key role in risk management decisions. To help encourage this connection, Boards should ask the CISO three key questions at least every three months:
- How good are we at cybersecurity? Boards need to learn more about the people and skills of the cybersecurity team, and their experiences. This is important because Boards cannot rely solely on compliance dashboards and cybersecurity controls to answer this question. Boards should work to better understand their team’s practical capacity to respond to events. Of course, dashboards can be a great source of information, but do they show what organizations can measure, rather than what they should be measuring?
- How strong are we? Boards should ask the CISO, technology leadership (CIO, CTO) and business leaders how prepared the organization is to keep the business going through an event like a ransomware attack. Have we tested and verified that the designs provide the level of failover required under various scenarios? Can we use our core business services in a degraded state?
- What is our risk? At a minimum, Boards should ensure that the cybersecurity risk assessment addresses five key areas: 1) an assessment of your organization’s current threat exposure; 2) an explanation of what cybersecurity leadership is doing to mitigate threats; 3) examples of how the organization tests whether controls are effective; 4) an assessment of the consequences if threats occur as incidents: are we ready to respond and recover; and 5) an assessment of risks that you cannot mitigate, but otherwise accept.
Addressing cyber risk is a challenge for many companies, so it is especially important for Board members to exercise relevant oversight and help guide risk management priorities. You can read more about these considerations in Google Cloud’s inaugural Perspectives on Security for the Board report.
What top-of-mind cybersecurity challenges are organizations facing today, and how can Boards play a more active role in promoting responsible AI practices?
One of the biggest challenges for organizations today is navigating how to tap into the power of AI. We are just beginning to see the potential for AI to enable organizations to improve, scale, and accelerate the decision-making process across most business functions.
As Boards consider how best to support their organizations on this journey, we encourage them to recognize the beneficial and transformative potential of AI. At Google, we were among the first to introduce and advance responsible AI practices, and these principles serve as an ongoing commitment to our customers around the world who rely on our products to build and safely develop their businesses.
To maximize the benefits of AI technologies and minimize the risks, we recommend that Boards work with the CISO to develop a three-pronged approach to secure, measure, and transform – deploy secure AI systems, use the power of AI to achieve better cybersecurity results at scale, and stay informed of developments in this space to anticipate threats.
How would you suggest Boards balance the need for cybersecurity with other business priorities, such as innovation and growth?
Boards continue to view cybersecurity as a quiet priority. Traditionally, we have seen a growing trend around investing in cybersecurity, but not in modernizing the foundational technology behind it.
To balance the scale, Boards must encourage deeper collaboration across the C-Suite – especially the Chief Information Security Officer, Chief Information Officer, Chief Technology Officer, and Chief Compliance Officer, as well as business leaders – so they can build better security into all products and services rather than treating security as an add-on.
What are common misconceptions Boards have about cybersecurity, and how can they be addressed?
One of the biggest misconceptions is that a company’s security is the sole responsibility of the CISO and their team. Cybersecurity is a team sport.
Board interactions around an organization’s security should not just come from a CISO, and Boards should expect all lines of business – the CIO, CTO, CRO, and other leaders – to be involved and to address cyber risk as part of their strategies. When discussing a launch or new strategy, it is important that Boards ask all business and technology executives about the broader set of risks, including security, that need to be considered.
How can Boards ensure they are adequately prepared for potential cybersecurity-related regulatory obligations?
Governments around the world are increasingly implementing regulatory measures to raise mandatory cybersecurity baseline standards, including requirements to report cyber incidents to relevant government authorities. As regulatory risk increases at the federal and state levels, Boards’ understanding of cybersecurity is more critical than ever. Boards play a key role in how organizations respond to these trends and must prepare now for this future state.
We encourage Boards to adopt the following three principles for effective cyber risk oversight:
- Educate about key topics to ensure that cyber and broader technology risk is included in the organization’s operational risk and strategic discussions and decisions.
- Engage with the CISO, other C-Suite leaders and key business stakeholders to build better relationships, and understand critical gaps and resource needs, while ensuring that this risk is considered a priority by all executive stakeholders – not just the cybersecurity team.
- Stay informed about ongoing reporting activities, inquiries, and work with the CISO and other leaders to understand cyber risk metrics.