Being on the board of a financial institution is not easy. Board members are expected to not only be knowledgeable about the operational and financial workings of the institution but also to understand the cybersecurity risks and controls that are in place to mitigate those risks.
To perform their jobs, they often need cybersecurity training that is focused on their unique role in an institution. In many cases, IT or security staff are called upon to assist in designing and delivering this training. This week, we discuss some of the ways that we can ensure boards are adequately trained regarding cybersecurity.
We have found that there are five components to a successful board training program: threats, controls, monitoring, communication, and feedback. Let’s look at each of these:
Threats: Institutions are in the business of managing risk, so most boards understand the concept of a threat. As part of board training, we should be presenting what the most critical cybersecurity threats currently are, and we should update this list as the threat landscape changes. Because board members are often not IT professionals, the threats need to be described in a non-technical manner as much as is possible. When there are highly technical threats, try to find ways to relate them to concepts or events that they already understand. For a DNS attack, you might utilize a phone book analogy to describe how DNS works. For a supply chain attack, you might consider reviewing a recent attack that made news headlines.
Controls: Once the board is educated regarding the most common threats, make it real for them by immediately describing the controls that are in place to mitigate the threats. If one threat is ransomware, spend time walking the board through all the controls that the institution has in place to protect against ransomware. If there are missing or weak controls, this is when those should be discussed to make sure the board is aware of any gaps in controls.
Monitoring: The board is ultimately responsible for ensuring that controls are working, so it is extremely helpful while speaking of threats and controls to also discuss what the board can use to monitor those controls. Monitoring often consists of reports and dashboards that are sent to the board from the different cybersecurity functions and systems. For some recommendations on items to include in a dashboard, see our earlier blog titled “What Monitoring Should be Included in Management Reports?”
Communication: While the amount of time provided for board training is often limited, try to leave time for questions from board members. These questions often provide valuable information regarding the thoughts and concerns of the board, and this information can be used to tune future reporting and training sessions.
Feedback: As part of training, urge board members to work with auditors and examiners to gain outside feedback on any threats, controls, or monitoring that could be strengthened, and to communicate these areas of improvement back to IT and Security staff. This outside feedback can be crucial in identifying any cybersecurity blind spots in the organization.
The goals of a board cybersecurity training program should be to open up a two-way communication channel to help ensure the board is confident that threats are identified and mitigated while also providing the board a way to communicate concerns back to the IT organization.
If you feel that your board training program is not effectively doing these things, reach out to us to find out how our CySPOT™ program can help. Email us at support@bedelsecurity.com to get started!
Additional Resources:
The Virtual CISO Whitepaper
https://www.bedelsecurity.com/the-virtual-ciso-whitepaper
What Monitoring Reports Should Be Included in Management Reports?
https://www.bedelsecurity.com/blog/what-monitoring-should-be-included-in-management-reports
The CISO Assessment
https://www.bedelsecurity.com/services/the-ciso-assesment
The Powerful GLBA Board Report
https://www.bedelsecurity.com/blog/the-powerful-glba-board-report
The Perfect Meeting Agenda to Improve IT & Cyber Governance
https://www.bedelsecurity.com/blog/the-perfect-meeting-agenda-to-improve-it-cyber-governance
3 Keys to Cybersecurity Maturity
https://www.bedelsecurity.com/blog/article-review-3-keys-to-cybersecurity-maturity
Your Information Security Program Needs Focus
https://www.bedelsecurity.com/blog/your-information-security-program-needs-focus
5 Tips for Creating an Information Security Program That Works
https://www.bedelsecurity.com/blog/5-tips-for-creating-an-information-security-program-that-works