Duaine Styles, CISO at Torchmark & Affiliates, talked about explaining cybersecurity in the language that boards understand.
“We CISOs get a lot of board interest today, and we want to be a trusted advisor,” began Styles at the outset of his keynote presentation at the 2016 Chief Information Security Officer Leadership Forum held on September 13 in Dallas. Here are some trends he’s noted in cybersecurity governance:
• Increasing board-level involvement at many companies—a maturity driver for any specific entity
• Increasing regulatory oversight—a maturity driver in many industries over time
• The FFIEC (Federal Financial Institutions Examination Council) IT Examination Handbook, Management booklet (revised Nov. 2015), states: “In the past, the office of the CISO was considered a technology function, but the role has become a strategic and integral part of the business management team. The CISO should be an enterprise-wide risk manager rather than a production resource devoted to IT operations. To ensure independence, the CISO should report directly to the board, a board committee, or senior management and not to IT operations management.”
Styles pointed out that using the phrase “information risk-management functions” is better than using the word “security,” because security is an emotional term that means different things to different people. “Risk management tends to evoke math, probability, likelihood, and impact. This needs to be our language when talking to boards.”
“The number-one thing not to talk to the board about is technology,” advised Styles. “There are two reasons for this—first, this is the CIO’s and CTO’s job, and second, we’re paid to relate that stuff into a risk posture the board can understand. Finance is the international language of business. To the board, we need to relate threats, vulnerability, and risk of financial exposure and the likelihood of these risks. Executive leadership owns risk.”
Enterprise security architecture can be distilled into the following perspectives, said Styles, all of which are included in the facility manager’s view:
• The business view—strategy, regulations, threats, and risks
• The architect’s view—ISO 27001/27002-aligned policy and standards, and security strategy
• The designer’s view—security programs that define what services are necessary by risk levels
• The builder’s view—protocols, procedures, logging, detection, and other security mechanisms
• The tradesman’s view—firewalls, IPS, AV, SIEM, identity-management tools
“The information security shop must excel at explaining to the board what needs to be done and why,” stressed Styles. “We need to talk the language of business—finance. If we talk about how the security program is linked to revenue generation, we’ll get a lot of traction. Regardless of where your company is on the maturity scale, you can express your goal as an information-risk appetite that everybody can get behind, and you can do this in a way that conveys that your job isn’t to prevent security events and data breaches but to manage those to the risk appetite of the leadership. As the company matures, the leadership may choose to change the company’s risk appetite as a result of your relationship with them.”
Styles summed up the primary considerations in reporting to the board:
• Content must fit the character of your board
• Summarize using NIST factors or ISO policy level
• Can be used to discuss compliance with individual privacy laws
• If you partner with a third party, compare against your peer group, industry practices, or corporate goals
• Compare against a maturity target or a risk appetite
• Trend analysis over time
• Comparison of attestation information to independent verification
• Use stoplighted or C2M2-styled measurement
• CMMI, NIST, CSF, or other measurement scale can be used
“In terms of measurement, there’s a lot of flexibility,” concluded Styles. “At the lower maturity levels, the most important part is agreement with your third party, because you’re going to need their support. It’s important to have an executive on the board who’s involved in your industry and whose credentials can’t be questioned in order to move board and senior executive opinion.”
ABOUT DUAINE STYLES:
Duaine has over a decade of experience leading security programs designed to protect a company’s valuable information and personnel assets. He is currently the Chief Information Security Officer for Torchmark and its affiliates. Torchmark is a Fortune 1000 company with holdings that include life insurance, health insurance, printing, and manufacturing entities. The best known of its companies are the Globe Life and United Assurance insurance companies.
A native Texan, Duaine holds a Bachelor’s degree in Accounting and a Master’s degree in Information Systems from the University of Texas at Arlington. Additionally, he holds active certifications that include CPA, CISSP, CRISC, CISA, ISO27001 Lead Implementer, and SABSA Foundations. Duaine believes it's important to give back to the profession and is a founding member of both the Cowtown ISSA Chapter and the Dallas Information Security Leadership Forum.