The escalating frequency and severity of cyber attacks have thrust cybersecurity into the spotlight, demanding unprecedented levels of vigilance and expertise. In this landscape, the role of boards of directors has never been more critical.
However, as the threat landscape continues to evolve, the relationships between CISOs, security leaders, and boards become increasingly complex.
Techopedia sat with Jim Alkove, CEO of Oleria, for a one-on-one interview to reveal the inside story and provide insight for security leaders to navigate their relationships with boards more efficiently.
About Jim Alkove
Jim Alkove is the co-founder and Chief Executive Officer of Oleria, where he drives company strategy, vision, and growth.
Alkove is a tech industry luminary, with nearly 30 years of experience leading security for some of the world’s largest companies.
Most recently, Alkove served as Salesforce’s Chief Trust Officer and spent over 16 years at Microsoft, serving as Xbox’s Chief Security Officer and Corporate Vice President for Enterprise and Security in Microsoft’s Windows and Devices Group.
Alkove also held security, privacy, and product engineering leadership roles at Google Nest.
An experienced force in the security space, Alkove currently serves as a strategic advisor to numerous startups, including Aembit, SafeBase, and Snyk, and holds 50 U.S. patents.
Key Takeaways
- Many boards lack a deep understanding of complex cybersecurity threats, hindering effective decision-making.
- Increasing the number of technically proficient board members is crucial for improved cybersecurity governance.
- Effective communication and relationship-building are essential for security leaders to bridge the gap with boards.
- Both security leaders and boards share responsibility for cybersecurity preparedness, requiring clear accountability mechanisms.
Boards: Gaps and Shortcomings
Q: What are the biggest shortcomings you’ve observed in how boards approach cybersecurity discussions? Is there a lack of understanding of the evolving threat landscape, or is it something else entirely?
A: The need for effective security dialog in the boardroom has never been more critical. The cybersecurity threat landscape has never been more challenging with data breaches and security incidents at an all-time high.
As companies and their technology estates grow, they also accumulate technology debt, which often contains long-unremediated security vulnerabilities. Meanwhile, regulators everywhere are stepping up cybersecurity scrutiny.
One of the biggest challenges that exists in the boardroom today is the different altitudes of conversations going on.
CISOs often approach cybersecurity discussions from a more technical or practitioner perspective, while board members approach them from a more generalist perspective. The challenge is bridging those two approaches to create a shared language around how to talk about cybersecurity risks.
Cybersecurity is not something you can just talk about at the 30,000-foot level. You have to get into the specific details and context to be able to make good decisions.
This means CISOs need to translate technical cybersecurity details into the language of risk and financial impact, which board members are more familiar with.
Organizations need practitioners who can communicate effectively at the board level and on the board. They also need to educate existing board members to develop a foundational understanding of cybersecurity.
While board members don’t all need to become experts, they should acquire enough knowledge to meaningfully support and oversee security initiatives and ensure they align with the company’s broader risk management strategy.
Legal and Reputational Consequences
Q: Do you see a gap in board members’ understanding of the potential legal and reputational ramifications of cyberattacks?
A: Yes, this is a significant challenge. Some boards still view cybersecurity as a purely technical issue rather than recognizing it as a broader risk that can affect customer trust, sales, and more.
Unlike other areas, cybersecurity represents a major reputational risk, and at the end of the day, reputation management is really an area that organizations need to own themselves. It’s difficult to transfer or delegate to others and not something you can practically insure against.
Just as in most organizations the CEO directly manages strategy risk, boards and CEOs need to manage cyber risk closely in lockstep with CISOs and the broader corporate leadership team.
There is also a growing concern among CISOs and security leaders about personal liability. Practitioners face growing expectations to protect sensitive data, and when regulations take effect, they do so without sufficient advance notice to address compliance gaps ahead of time.
In short, CISOs are navigating a world where expectations are constantly increasing, and boards must evolve along with them. Boards need to understand that robust cybersecurity practices and board-level engagement are essential to the organization’s overall risk management strategy.
Biases and Agendas in the Board Room
Q: Beyond technical illiteracy, have you encountered any instances where board members’ personal biases or short-term financial priorities impeded the implementation of necessary cybersecurity measures? Can you elaborate on an example?
A: In some organizations, short-term financial results or cost-cutting measures lead to inadequate cybersecurity investments. Leadership teams and boards often face tough trade-offs due to budget constraints, directly impacting the resources available to CISOs and security teams.
An example is companies implementing Multi-Factor Authentication (MFA). Despite the critical role that MFA plays in preventing cyber incidents, many organizations today still fail to fully enforce strong MFA for all of their accounts.
Recent security incidents, including Midnight Blizzard, where single-factor authentication was involved, underscore its importance.
As Salesforce’s Chief Trust Officer, I made MFA mandatory for all customers, a stance I still firmly believe in. Every software company should adopt this practice to protect against cybersecurity threats.
Mandating MFA is a no-brainer — like locking your doors at home.
Q: How can security leaders navigate board gaps effectively to get buy-in?
A: To bridge the gap, security leaders need to continually improve their communication and relationship-building skills. It’s also incredibly important to take the time to build a plan, map out all of the stakeholders that are important to your program and personal success as a CISO, and get to know them. Understand what’s important to board members and how to communicate with each of them effectively.
Another key for CISOs is taking a risk-based approach where they clearly map security outcomes to business outcomes in terms of dollars and cents to help board members clearly understand the impact.
Ultimately, you need to present a compelling narrative that combines data storytelling with financial risk quantification, making the risks more tangible and your recommendations more actionable.
Proactive Approach to Accountability
Q: How can security leaders, who are today held accountable, protect themselves against incidents that are the result of boards failing? How can security leaders hold boards accountable for their role in cybersecurity preparedness?
A: CISOs need to diligently document their risk management processes and efforts to communicate potential risks and resource needs to the board.
This documentation should be detailed and quantitative, clearly outlining the risks and the steps taken to mitigate them (or not, as is the case when organizations accept risk rather than mitigate it).
In today’s regulatory environment, it’s also crucial for CISOs to have documentation to demonstrate that they have fulfilled their responsibilities and help protect themselves and their organizations from potential liability.
CISOs and security leaders should regularly engage with board members, ensuring they have the information needed to understand current and emerging cybersecurity risks.
This ongoing dialogue, as well as open and transparent communication by leadership about the importance of security, is critical to fostering a culture where cybersecurity is recognized as a priority across organizations.
The Future of Boards in Escalating Threat Environments
Q: What is the future of Boards in the escalating global cybersecurity threat landscape?
A: As cyber threats become more sophisticated, boards must evolve to provide stronger oversight and guidance on cybersecurity matters. This includes recruiting members with cybersecurity expertise as well as investing in ongoing education for existing members. Increasing technical representation and educating non-technical directors on cybersecurity basics and governance are also crucial steps.
Boards need to understand that cybersecurity is not just a technical issue but a critical aspect of business risk management. With the proliferation of artificial intelligence and SaaS apps, cyber threats are not only becoming more difficult to manage but the estate — encompassing all the systems and data a company must protect — is also becoming larger and more complex. This creates a compounding effect, where the increasing complexity of both threats and technology amplifies the challenges faced by organizations.
I co-founded Oleria to help with these challenges by reimagining identity security, which I believe is the biggest unsolved problem the industry faces today. At Oleria, we’re building an adaptive and autonomous approach to identity security that helps organizations accelerate at the pace of change, trusting that their data is protected.
In contrast to legacy Identity and Access Management (IAM) systems, which rely on manual, costly, and time-intensive workflows, Oleria empowers CISOs and security teams by providing one place in the cloud to manage all of their access adaptively and autonomously in the future.