At the RIMS Live 2021 virtual conference, AIG’s chief information security officer (CISO) will tell the tale of two corporate boards: One well-informed about cyber-related risks and another that isn’t, along with steps executive risk managers can take to gain board members’ trust and bring them up to speed.

Informed Versus Uninformed

Key indications of a cyber-informed board, Baich said, are whether the topic of cyber security is actually on the board’s agenda and presented by the CISO and whether board members receive regular training on the topic.

When a board is well-informed about cyber issues, Baich said, board members digesting the near-constant flow of cyber events impacting organizations will have perspective on whether those threats may impact their own companies.

They will recall their CISOs describing how events are prioritized and rated from an industry standpoint and according to the threat level for the specific organization.

“So as curious as the board member may be to understand the specific risk, he or she knows the organization has a plan and a protocol and the issue will be escalated to the board level if it falls outside that protocol,” Baich said.

Prior to joining AIG, Baich was Wells Fargo’s CISO and before that led Deloitte’s cyber threat and vulnerability management practice. Prior to those positions he served as naval information warfare officer for the National Security Agency; senior director for professional services at Network Associates, now McAfee; and, after 9/11 as special assistant to the deputy director for the National Infrastructure Protection Center at the Federal Bureau of Investigation.

In terms of how a board that is well-informed about cyber risk translates into effective risk management more generally, Baich said, good information security practices will translate traditional information security disciplines into risk disciplines that ensure the correct information is identified, translated and presented to the right risk leaders.

“That enables appropriate and prioritized actions to be taken to mitigate the risk in question,” he said.

Best practices include board member training on the information security program and how they can protect themselves from cyber attacks, given board members may be targets of cyber attacks.

Trust built on a “very high do-what-you-say ratio” is key to the relationship between board members and executives in charge of risk, Baich said, and that is demonstrated in part by having the courage to bring up even difficult issues that need to be resolved.

“The most successful executives build that trust by demonstrating strong risk practices –identifying risks, solutions to mitigate them within given timeframes, and following up to say when that’s been completed,” Baich said, adding that understanding how the board operates also helps foster trust.

“Every board is different, so it’s important to understand board members’ personalities and backgrounds, so when executives are presenting they do so in a fashion that addresses those perspectives.”

Source: Risk & Insurance