Giving Cybersecurity Its Due in the Boardroom: An Interview with Standard Chartered’s Cheri McGuire

Cybersecurity in a Fractured World

By David Mkrtchian

This is the fourth in a series of articles and interviews on the subject of improving cyberresilience—the ability of companies, organizations, and institutions to prepare for, respond to, and recover from cyberattacks. The series grows out of The Boston Consulting Group’s work with the World Economic Forum on this topic. BCG spoke with Cheri McGuire, the group chief information security officer for the global banking organization Standard Chartered, on the ways of promoting greater understanding and more effective governance of cyberrisk and cybersecurity issues at the board level.

About Cheri McGuire

You’ve worked in a number of leadership roles. What advice can you give about creating the internal understanding and knowledge base for cyberrisk that enables an organization to move from a reactive footing to a more forward-looking, preventive footing?

This can be a challenge for many chief security officers (CSOs) and organizations—building up the strength and maturity of their cybersecurity capabilities while also gaining the right level of internal exposure and support. Many organizations are still trying to get the basics right; they’re still learning. There are a range of reasons for this: legacy infrastructure for which security may be difficult to implement, a lack of focus on or prioritization of cybersecurity as a business risk, or simply other business priorities in IT, such as digitization, mobile, and cloud. It can be a real challenge for the CSO and others—the compliance or chief risk officer, for example—to try to tip the scale from a reactive to a proactive stance.

What I’ve found particularly useful is the NIST [National Institute of Standards and Technology] cybersecurity framework, which many organizations are using today as an assessment tool for their cybersecurity postures. The NIST framework sets maturity levels of one through five measured against the core cybersecurity functions of identify, protect, detect, respond, and recover.

By centering your cybersecurity program around the NIST framework, you can create a solid blueprint for winning hearts and minds internally by aligning security considerations and business drivers. This is key to advancing a security program. Starting with fundamentals, a CSO can chip away at basic security hygiene issues and then move on to more advanced skills and security capabilities. This will help the organization move up the maturity curve and advance the overall approach to security.

There’s another aspect as well, which is making sure there is the right level of understanding of security issues within the organization. There can be a natural tendency, particularly among those of us in the security community, to simply assume that everyone understands what we are talking about—especially when we use a lot of technical jargon—and that there is a common understanding of the threats and risks. That’s not typically the case, and it’s up to the CSO to do the translation into business terms and really educate leaders across the organization.

Are there instances when the NIST framework, or something like it, becomes the basis for a conversation around budgetary planning?

When used as an assessment tool, the NIST framework helps provide an understanding of the organization’s baseline security posture. But that’s really just a first step to understanding where the organization’s strengths and weaknesses are.

The NIST framework provides a guide for understanding where your security controls are strong and where you need to shore them up. But in addition, you have to do the right risk rankings and prioritize your gaps, or weaknesses, and where you should be investing. Many organizations—especially large, global ones—have lots of silos of investment throughout their operations. They have competing interests for investment spending around the company and around the world, whether it is for this new technology or for that new product, or for this region, and so forth.

Oftentimes, organizations don’t have a clear view of what their overall security investment plan is, which actually creates more risk because they are not able to analyze the tradeoffs. It can be difficult to identify the most serious security gaps, and so they can’t prioritize their spending in a comprehensive way across the organization. In my experience, the NIST framework can help an organization get a fuller understanding of what their risk posture is and how to move forward with an integrated approach versus a siloed security program.

How do you make sure that cybersecurity and cyberrisk get their appropriate due in the board room?

It really depends on where the organization is in its prioritization of the issue and its overall risk governance, not just at a board level but also within the operations of the business. Is cybersecurity seen as part of the overall risk profile of the business, as opposed to just a technology risk? Is the overall governance around risk conducted from that perspective? If you have that understanding and that recognition within the business, then it’s much easier to have that conversation at the board level.

There is also an educational component with the board. When you look at different industries, some tend to have a better awareness of the complexities of cybersecurity than others. A challenge that many boards face today is making sure they have the necessary expertise sitting at the table. At Standard Chartered, we have an external cybersecurity advisor to the board. He attends the board sessions at which cybersecurity is being briefed and advises the board through an objective lens. This process also supports boards in building their own awareness and bench strength around cyber issues, which helps in their overall risk governance and oversight roles.

For CSOs, when we are speaking to the board about cyber as a business risk, there are two things that are very important. The first is providing context. It’s one thing for a CSO to present a metric to the board—for example, “There are X number of unpatched vulnerabilities.” That doesn’t tell them much. However, if this is communicated as, “There are Y number of unpatched systems supporting a critical business application, and these are the business impacts this risk exposure creates,” it is a much different conversation. The board can then ask the right questions of what the risk really means for the business and what is being done to address it.

The second important factor is the translation component. This is just my own perspective, and it goes back to what I was saying earlier—that for many of us in the security field, there’s an assumption that everyone understands our language. It’s key for the modern-day CSO to be a strong translator of technical and security issues. As the CSO, asking yourself some simple questions when preparing reports to the board can help ensure the right focus—such as, what does this metric or threat or risk mean, why is it important to the business, what are the potential risk implications and impacts, and what should we be doing about it from people, process, and technology perspectives? By preparing in this way, CSOs can be much more effective in their communications to the board, and in turn the board will have a much better understanding of the true risks to the business and can more effectively perform their risk governance function.

Part of all of this, of course, is making sure that, as CSO, you have the right metrics in place and these are being reported at the right level. This can be difficult to do and can take several iterations with the board to get the right focus and understanding of what is important to them and to your business.

Are there particular metrics that, in your experience, have been particularly useful in furthering board understanding?

Again, it is about asking the right questions. The traditional approach that many CIOs and CSOs take has been to provide only technical metrics to the board. While these are absolutely necessary to running IT and security operations, they also must have a contextual explanation and translation of what they mean to the business and the organization’s overall cybersecurity risk posture.

For example, some types of questions that provide the right insights are:

  • Has the board been briefed on the organization’s current threat profile, and what does it mean from a business risk and impact perspective?
  • Has the business identified its most critical assets and data-holding systems, and what are the security and business risks associated with them?
  • Have those applications and/or systems been prioritized as part of the security program, and how are they being protected, monitored, and measured to reduce risk to the business?

These are somewhat elementary qualitative questions, as opposed to quantitative metrics, but they are representative of the kinds of foundational questions and answers that boards should have.

Other types of questions a CSO should be able to answer as part of their overall cybersecurity engagement with the board are:

  • How often is the board receiving cybersecurity updates, and what is the right cadence for the organization?
  • Does the board understand what the current risk maturity or risk appetite is for the organization? Has the risk appetite been defined?
  • How well does the board believe that the risk appetite is reflected in day-to-day decision making?
  • Is there the right internal governance structure for risk and control for the day-to-day security operations of the business?
  • There are also important aspects of business continuity and response, such as: do you have comprehensive response plans in place? How often do you exercise them, and at what levels of the business are they exercised?

Again, these are pretty high-level questions, but they are the questions that a CSO should be able to answer with their board, which will provide them the ability to delve deeper into the organization’s current security maturity and risk posture.

To close, I’ll refer back to the NIST framework again, as it provides clear guidelines for how an organization should be identifying, protecting, detecting, responding to, and recovering from cyberthreats. You can go as deep into those core pillars as your organization is prepared to do, but from a board standpoint, they provide a solid roadmap from which to ask the right kinds of security and business risk governance questions.