This is the fourth in a series of articles and interviews on the subject of improving cyberresilience—the ability of companies, organizations, and institutions to prepare for, respond to, and recover from cyberattacks. The series grows out of The Boston Consulting Group’s work with the World Economic Forum on this topic. BCG spoke with Cheri McGuire, the group chief information security officer for the global banking organization Standard Chartered, on the ways of promoting greater understanding and more effective governance of cyberrisk and cybersecurity issues at the board level.
As the group chief information security officer at Standard Chartered, Cheri McGuire oversees information and cybersecurity strategy and risk management, governance, policy, training and awareness, third-party security risk, vulnerability assessments and red teaming, exercises, regulatory engagement, and partnerships. With more than 25 years of industry and government experience, she has held senior roles at Microsoft, Symantec, the US Department of Homeland Cyber Security Division, the US Computer Emergency Readiness Team, and Booz Allen Hamilton. In 2017, the Monetary Authority of Singapore appointed her to its first international Cyber Security Advisory Panel. She also sits on the World Economic Forum’s Global Future Council on Cybersecurity, Europol’s Advisory Group on Financial Services, the board of George Washington University’s Center for Cyber and Homeland Security, and the board of the UK’s Cyber Defence Alliance. She is a frequent presenter on cyberrisk management and resilience, information sharing, and cybercrime, and has testified numerous times before the US Congress as an invited expert witness.
You’ve worked in a number of leadership roles. What advice can you give about creating the internal understanding and knowledge base for cyberrisk that enables an organization to move from a reactive footing to a more forward-looking, preventive footing?
This can be a challenge for many chief security officers (CSOs) and organizations—building up the strength and maturity of their cybersecurity capabilities while also gaining the right level of internal exposure and support. Many organizations are still trying to get the basics right; they’re still learning. There are a range of reasons for this: legacy infrastructure for which security may be difficult to implement, lack of a focus or prioritization on cybersecurity as a business risk, or simply other business priorities in IT, such as digitization, mobile, and cloud. It can be a real challenge for the CSO and others—the compliance or chief risk officer, for example—to try to tip the scale from a reactive to a proactive stance.
What I’ve found particularly useful is the NIST [National Institute of Standards and Technology] cybersecurity framework, which many organizations are using today as an assessment tool for their cybersecurity postures. The NIST framework sets maturity levels of one through five measured against the core cybersecurity functions of identify, protect, detect, respond, and recover.
By centering your cybersecurity program around the NIST framework, you can create a solid blueprint for winning hearts and minds internally by aligning security considerations and business drivers. This is key to advancing a security program. Starting with fundamentals, a CSO can chip away at basic security hygiene issues and then move on to more advanced skills and security capabilities. This will help the organization move up the maturity curve and advance the overall approach to security.
There’s another aspect as well, which is making sure there is the right level of understanding of security issues within the organization. There can be a natural tendency, particularly among those of us in the security community, to simply assume that everyone understands what we are talking about—especially when we use a lot of technical jargon—and that there is a common understanding of the threats and risks. That’s not typically the case, and it’s up to the CSO to do the translation into business terms and really educate leaders across the organization.
Are there instances when the NIST framework, or something like it, becomes the basis for a conversation around budgetary planning?
When used as an assessment tool, the NIST framework helps provide an understanding of the organization’s baseline security posture. But that’s really just a first step to understanding where the organization’s strengths and weaknesses are.
The NIST framework provides a guide for understanding where your security controls are strong and where you need to shore them up. But in addition, you have to do the right risk rankings and prioritize your gaps, or weaknesses, and where you should be investing. Many organizations—especially large, global ones—have lots of silos of investment throughout their operations. They have competing interests for investment spending around the company and around the world, whether it is for this new technology or for that new product, or for this region, and so forth.
Oftentimes, organizations don’t have a clear view of what their overall security investment plan is, which actually creates more risk because they are not able to analyze the tradeoffs. It can be difficult to identify the most serious security gaps, and so they can’t prioritize their spending in a comprehensive way across the organization. In my experience, the NIST framework can help an organization get a fuller understanding of what their risk posture is and how to move forward with an integrated approach versus a siloed security program.
How do you make sure that cybersecurity and cyberrisk get their appropriate due in the board room?
It really depends on where the organization is in its prioritization of the issue and its overall risk governance, not just at a board level but also within the operations of the business. Is cybersecurity seen as part of the overall risk profile of the business, as opposed to just a technology risk? Is the overall governance around risk conducted from that perspective? If you have that understanding and that recognition within the business, then it’s much easier to have that conversation at the board level.
There is also an educational component with the board. When you look at different industries, some tend to have a better awareness of the complexities of cybersecurity than others. A challenge that many boards face today is making sure they have the necessary expertise sitting at the table. At Standard Chartered, we have an external cybersecurity advisor to the board. He attends the board sessions at which cybersecurity is being briefed and advises the board through an objective lens. This process also supports boards in building their own awareness and bench strength around cyber issues, which helps in their overall risk governance and oversight roles.
For CSOs, when we are speaking to the board about cyber as a business risk, there are two things that are very important. The first is providing context. It’s one thing for a CSO to present a metric to the board—for example, “There are X number of unpatched vulnerabilities.” That doesn’t tell them much. However, if this is communicated as, “There are Y number of unpatched systems supporting a critical business application, and these are the business impacts this risk exposure creates,” it is a much different conversation. The board can then ask the right questions of what the risk really means for the business and what is being done to address it.
The second important factor is the translation component. This is just my own perspective, and it goes back to what I was saying earlier—that for many of us in the security field, there’s an assumption that everyone understands our language. It’s key for the modern-day CSO to be a strong translator of technical and security issues. As the CSO, asking yourself some simple questions when preparing reports to the board can help ensure the right focus—such as, what does this metric or threat or risk mean, why is it important to the business, what are the potential risk implications and impacts, and what should we be doing about it from people, process, and technology perspectives? By preparing in this way, CSOs can be much more effective in their communications to the board, and in turn the board will have a much better understanding of the true risks to the business and can more effectively perform their risk governance function.
Part of all of this, of course, is making sure that, as CSO, you have the right metrics in place and these are being reported at the right level. This can be difficult to do and can take several iterations with the board to get the right focus and understanding of what is important to them and to your business.
Are there particular metrics that, in your experience, have been particularly useful in furthering board understanding?
Again, it is about asking the right questions. The traditional approach that many CIOs and CSOs take has been to provide only technical metrics to the board. While these are absolutely necessary to running IT and security operations, they also must have a contextual explanation and translation of what they mean to the business and the organization’s overall cybersecurity risk posture.
For example, some types of questions that provide the right insights are:
These are somewhat elementary qualitative questions, as opposed to quantitative metrics, but they are representative of the kinds of foundational questions and answers that boards should have.
Other types of questions a CSO should be able to answer as part of their overall cybersecurity engagement with the board are:
Again, these are pretty high-level questions, but they are the questions that a CSO should be able to answer with their board, which will provide them the ability to delve deeper into the organization’s current security maturity and risk posture.
To close, I’ll refer back to the NIST framework again, as it provides clear guidelines for how an organization should be identifying, protecting, detecting, responding to, and recovering from cyberthreats. You can go as deep into those core pillars as your organization is prepared to do, but from a board standpoint, they provide a solid roadmap from which to ask the right kinds of security and business risk governance questions.