This blog post will offer these learnings to CISOs and IT security teams to set their relationship with the cybersecurity committee of the board up for success.<\/p>\n\n\n
![\"a](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/10\/CLO24-Azure-Fintech-013-1024x788.jpg\")
\t\t\t\t<\/div>\n\t\t\t\n\t\t\tMicrosoft Purview Compliance Manager<\/h2>\n\n\t\t\t\t\t\n\t\t\t\t\t\tMeet multicloud compliance requirements across global, industrial, or regional regulations and standards.<\/p>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\n\t\t\t\t\t\t\t\tLearn more<\/span>\n\t\t\t\t\t\t\t\t<\/span>\n\t\t\t\t\t\t\t<\/a>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\nThe cybersecurity committee of the board<\/h2>\n\n\n\n
The United States Securities and Exchange Commission (SEC) adopted rules in July 20231<\/sup> to expand the scope of its cybersecurity reporting requirements for publicly traded companies,2<\/sup> making the governance of IT security by the board of directors and the cybersecurity expertise of board members reportable to the marketplace.<\/p>\n\n\n\nCorporate governance benchmarks including the Institutional Shareholder Services (ISS) ESG Governance QualityScore, widely used by analysts and for some executive compensation are including IT security measurements in their scoring.3<\/sup> Cybersecurity is recognized as requiring governance from the board of directors. Boards are changing to make this possible.<\/p>\n\n\n\nThe IT security function was viewed as the province of technical specialists, to be given some increased investment for a more hostile security landscape and in response to high profile security incidents. Cybersecurity was not considered a focus area of the board like finance, audit, or executive compensation. This has changed. Boards are seating directors with IT security expertise and asking for more communication from the IT security team, usually through the CISO.<\/p>\n\n\n\n
Mandate of the cybersecurity committee<\/h2>\n\n\n\n
The mandate of the cybersecurity committee includes learning about the organization\u2019s IT security team. To optimize the relationship, the security team needs to understand how the board and the cybersecurity committee work as well.<\/p>\n\n\n\n
The cybersecurity committee will have a mandate, vetted and granted by the board members and likely the chief executive officer (CEO). This mandate will be set out in a corporate document that describes the responsibilities of the committee, the content, and frequency of their reports and the type of information they are to review. The CISO should understand the mandate and with it the scope of the committee to know how to best and most efficiently partner with them. A proactive CISO can contribute to the formulation of the mandate, avoiding conflict and inefficiency, and setting the relationship up for success.<\/p>\n\n\n\n
Beyond the mandate document, the board will likely have public-facing Rules of Procedure. This document sets out the mission, duties, and operations of the board. It will likely also have a section describing the various board committees, their operations, and responsibilities.<\/p>\n\n\n\n
The committee will be focused on discharging these responsibilities in an auditable way.<\/p>\n\n\n\n
Time on the agenda of board meetings is at a premium. A typical two-hour meeting agenda might include:<\/p>\n\n\n\n
\n- Approval of the last board meeting minutes.<\/li>\n\n\n\n
- Review of first half results.<\/li>\n\n\n\n
- Review of Environmental Social and Governance (ESG) report and ESG committee recommendations.<\/li>\n\n\n\n
- Approval of board members\u2019 expenses.<\/li>\n\n\n\n
- Financial and business outlook.<\/li>\n\n\n\n
- Business plan update.<\/li>\n\n\n\n
- Review of next meeting dates.<\/li>\n<\/ul>\n\n\n\n
Some of these are mandated by law, leaving little time for discretionary topics. There may be four or five such board meetings per year. The cybersecurity committee will have a slot on the agenda slot as will other business.<\/p>\n\n\n\n
A board may receive a briefing from the CISO on current state and plan once a year. The CISO may be called on to provide ad hoc input on risks, incidents, or other emerging topics.<\/p>\n\n\n\n
A cybersecurity committee is a subgroup of the board. It is led by one or two directors that have a relatively high level of cybersecurity expertise. They should:<\/p>\n\n\n\n
\n- Understand the IT security function, policies, standards, current state, and plan.<\/li>\n\n\n\n
- Offer their opinion as to how the current state and plan aligns with the company\u2019s risk management posture and business objectives.<\/li>\n\n\n\n
- Identify areas in current state and plan that need focus from the IT security function.<\/li>\n\n\n\n
- Communicate blockers and advocate for the security function with the board and executives.<\/li>\n<\/ul>\n\n\n\n
The committee is accountable for reporting to the board on these items.<\/p>\n\n\n\n
Working with the cybersecurity committee<\/h2>\n\n\n\n
The board and the CISO need to align on how they will work together. They need to agree on efficient ways to get the information and context the committee needs to achieve its mandate.<\/p>\n\n\n\n
This is an opportunity for the CISO to leverage their existing reporting and documents to the extent possible. A CISO who is proactive and suggests a framework will be a good partner to the committee. This will reduce the level of effort for the security team going forward.<\/p>\n\n\n\n
The role of the board and the committee is to act on behalf of the shareholders to manage risk\u2014not to manage the IT security team, the plan, or be accountable for cybersecurity. That\u2019s the CISO\u2019s job.<\/p>\n\n\n\n
Board members often serve on multiple boards and have high profile roles in other organizations. They need information that is on target, that they can consume quickly, and report with confidence to stakeholders. Effective communication includes:<\/p>\n\n\n\n
Context<\/h3>\n\n\n\n
What does it mean to the business?<\/p>\n\n\n\n
Cybersecurity risk and planning should be communicated in similar format to the financial and business risk that the board is used to managing.<\/p>\n\n\n\n
Progress to plan should be shown in context. A security roadmap for a minimum of three years should be shared with progress and changes tracked over time.<\/p>\n\n\n\n
The focus should be on a holistic IT security strategy and architecture spanning infrastructure, services, internal, vendors, on-premises, cloud, and culture.<\/p>\n\n\n\n
Objective data<\/h3>\n\n\n\n
Recommendations from the IT security team should be presented together with objective information that supports it.<\/p>\n\n\n\n
Key performance indicators (KPIs) should be agreed upon and visualized over time to expose trends. The committee should see that the right things are being monitored but not expect to drill down into every KPI.<\/p>\n\n\n
\n\t\n\t\t\n\t\t\t platform as a service\t\t<\/p>\n\t\t\n\t\t\tLearn more about PaaS<\/span> <\/span>\n\t\t<\/a>\n\t<\/div>\n<\/div>\n\n\n\n\t\n\t\t\n\t\t\tInfrastructure as a service\t\t<\/p>\n\t\t\n\t\t\tLearn more about IaaS<\/span> <\/span>\n\t\t<\/a>\n\t<\/div>\n<\/div>\n\n\n\nObjective outputs that can show trends and be mapped to investments in security include Secure Score in Microsoft Defender<\/a>. Secure Score monitors platform as a service (PaaS) and infrastructure as a service (IaaS) cloud, hybrid, and on-premises<\/a> environments in Microsoft Azure, Amazon Web Services, and Google Cloud Platform. <\/p>\n\n\n\n\t\n\t\t\n\t\t\tSoftware as a service\t\t<\/p>\n\t\t\n\t\t\tLearn more about SaaS<\/span> <\/span>\n\t\t<\/a>\n\t<\/div>\n<\/div>\n\n\n\nMicrosoft Secure Score is a similar service focused on the improvement of security posture of a company\u2019s Microsoft 365 software as a service (SaaS), including identity, devices, and applications.<\/p>\n\n\n\n
The score, which is expressed as a percentage from 0 to 100, is shown with a list of recommendations that can be undertaken to meet security controls. These security controls should be considered for the security roadmap. As the controls are implemented, the Secure Score increases.<\/p>\n\n\n\n
A company should not be focused on driving Secure Score to 100 percent but rather that the recommendations are considered in light of the company\u2019s risk appetite and security roadmap. If the score is not rising as expected then the reason should be understood.<\/p>\n\n\n\n
Similarly Microsoft Purview Compliance Manager<\/a> provides Compliance Score<\/a> for Microsoft 365. For Azure customers, Microsoft provides the regulatory compliance dashboard<\/a> in Microsoft Defender for Cloud<\/a>, which also provides visibility into the compliance posture of non-Microsoft clouds. These solutions are vehicles to help customers objectively assess and communicate the company\u2019s compliance posture with their most important regulatory standards.<\/p>\n\n\n\nThe updated security roadmap, with progress indicated, should be presented to the committee, and the KPIs should broadly track with this progress, allowing an increased confidence in the organization\u2019s security posture and trends.<\/p>\n\n\n\n
Align with the mandate of the committee<\/h3>\n\n\n\n
Working with the cybersecurity committee and the board will involve communicating to a diverse group whose first expertise may not be information technology. We need to teach.<\/p>\n\n\n\n
We also need to learn. The committee operates within its mandate. Servicing this mandate is the primary focus of the committee. It will come before other subjects we may want to discuss. Map these subjects to the committee\u2019s mandate.<\/p>\n\n\n\n
The board operates within its rules of procedure. We will be much more effective if we are familiar with these. If we map our asks and replies to the committee\u2019s mandate, our communication will be well received and we\u2019ll strengthen the partnership. If we understand the rules of procedure we can avoid ad hoc engagement and communicate our message effectively.<\/p>\n\n\n\n
The mandate may indicate that a report from the committee is due to the board in advance of the Annual General Meeting. If we\u2019ve agreed on the information needed to service the mandate, we can be proactive about providing this. We can anticipate questions and put challenges in context with what they mean to the business and what we\u2019re doing to address them.<\/p>\n\n\n\n
Confidentiality<\/h3>\n\n\n\n
Some of the materials provided to the cybersecurity committee will require confidentiality. They should be watermarked or encrypted per company policy. Board members are not employees, and they probably don\u2019t have a company email address or access to the company network. The tools and procedures will need to take this into account.<\/p>\n\n\n\n
The reporting of the cybersecurity committee to the board is also confidential. Beyond bad actors, the information may be taken out of context by analysts or those seeking to harm the company\u2019s reputation. Security controls should be agreed with the CISO to ensure that the documents provided to and produced by the cybersecurity committee will be limited in distribution to the committee, company leadership and the office of the CISO.<\/p>\n\n\n\n
Some board documents are shared with shareholders and made available to the public, such as minutes of the board meetings. Where input from the CISO or the cybersecurity committee for these documents is needed, it should be made sufficiently general so as not to expose the company to risk.<\/p>\n\n\n\n
Get started with committee collaboration<\/h2>\n\n\n\n
The formation of a cybersecurity committee as part of a company\u2019s board will mean more scrutiny of the IT security function. More time will be devoted to communicating and reporting.<\/p>\n\n\n\n
The CISO and their team will get visibility with the board and can use this to advocate for the resources and cultural changes they need to protect the company. Productive, efficient interaction with the committee can build a partnership with the board, which protects and adds value for the company.<\/p>\n\n\n\n
Learn more<\/h2>\n\n\n\n
Learn more about Microsoft Purview Compliance Manager<\/a>. <\/p>\n\n\n\nTo learn more about Microsoft Security solutions, visit our website.<\/a> Bookmark the Security blog<\/a> to keep up with our expert coverage on security matters. Also, follow us on X at @MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\n\n\n\n
\n\n\n\n1<\/sup>SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies<\/a>, SEC. July 26, 2023. <\/p>\n\n\n\n
Meet multicloud compliance requirements across global, industrial, or regional regulations and standards.<\/p>\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t\t\t
The cybersecurity committee of the board<\/h2>\n\n\n\n
The United States Securities and Exchange Commission (SEC) adopted rules in July 20231<\/sup> to expand the scope of its cybersecurity reporting requirements for publicly traded companies,2<\/sup> making the governance of IT security by the board of directors and the cybersecurity expertise of board members reportable to the marketplace.<\/p>\n\n\n\n Corporate governance benchmarks including the Institutional Shareholder Services (ISS) ESG Governance QualityScore, widely used by analysts and for some executive compensation are including IT security measurements in their scoring.3<\/sup> Cybersecurity is recognized as requiring governance from the board of directors. Boards are changing to make this possible.<\/p>\n\n\n\n The IT security function was viewed as the province of technical specialists, to be given some increased investment for a more hostile security landscape and in response to high profile security incidents. Cybersecurity was not considered a focus area of the board like finance, audit, or executive compensation. This has changed. Boards are seating directors with IT security expertise and asking for more communication from the IT security team, usually through the CISO.<\/p>\n\n\n\n The mandate of the cybersecurity committee includes learning about the organization\u2019s IT security team. To optimize the relationship, the security team needs to understand how the board and the cybersecurity committee work as well.<\/p>\n\n\n\n The cybersecurity committee will have a mandate, vetted and granted by the board members and likely the chief executive officer (CEO). This mandate will be set out in a corporate document that describes the responsibilities of the committee, the content, and frequency of their reports and the type of information they are to review. The CISO should understand the mandate and with it the scope of the committee to know how to best and most efficiently partner with them. A proactive CISO can contribute to the formulation of the mandate, avoiding conflict and inefficiency, and setting the relationship up for success.<\/p>\n\n\n\n Beyond the mandate document, the board will likely have public-facing Rules of Procedure. This document sets out the mission, duties, and operations of the board. It will likely also have a section describing the various board committees, their operations, and responsibilities.<\/p>\n\n\n\n The committee will be focused on discharging these responsibilities in an auditable way.<\/p>\n\n\n\n Time on the agenda of board meetings is at a premium. A typical two-hour meeting agenda might include:<\/p>\n\n\n\n Some of these are mandated by law, leaving little time for discretionary topics. There may be four or five such board meetings per year. The cybersecurity committee will have a slot on the agenda slot as will other business.<\/p>\n\n\n\n A board may receive a briefing from the CISO on current state and plan once a year. The CISO may be called on to provide ad hoc input on risks, incidents, or other emerging topics.<\/p>\n\n\n\n A cybersecurity committee is a subgroup of the board. It is led by one or two directors that have a relatively high level of cybersecurity expertise. They should:<\/p>\n\n\n\n The committee is accountable for reporting to the board on these items.<\/p>\n\n\n\n The board and the CISO need to align on how they will work together. They need to agree on efficient ways to get the information and context the committee needs to achieve its mandate.<\/p>\n\n\n\n This is an opportunity for the CISO to leverage their existing reporting and documents to the extent possible. A CISO who is proactive and suggests a framework will be a good partner to the committee. This will reduce the level of effort for the security team going forward.<\/p>\n\n\n\n The role of the board and the committee is to act on behalf of the shareholders to manage risk\u2014not to manage the IT security team, the plan, or be accountable for cybersecurity. That\u2019s the CISO\u2019s job.<\/p>\n\n\n\n Board members often serve on multiple boards and have high profile roles in other organizations. They need information that is on target, that they can consume quickly, and report with confidence to stakeholders. Effective communication includes:<\/p>\n\n\n\n What does it mean to the business?<\/p>\n\n\n\n Cybersecurity risk and planning should be communicated in similar format to the financial and business risk that the board is used to managing.<\/p>\n\n\n\n Progress to plan should be shown in context. A security roadmap for a minimum of three years should be shared with progress and changes tracked over time.<\/p>\n\n\n\n The focus should be on a holistic IT security strategy and architecture spanning infrastructure, services, internal, vendors, on-premises, cloud, and culture.<\/p>\n\n\n\n Recommendations from the IT security team should be presented together with objective information that supports it.<\/p>\n\n\n\n Key performance indicators (KPIs) should be agreed upon and visualized over time to expose trends. The committee should see that the right things are being monitored but not expect to drill down into every KPI.<\/p>\n\n\n \n\t\t\t platform as a service\t\t<\/p>\n\t\t \n\t\t\tInfrastructure as a service\t\t<\/p>\n\t\t Objective outputs that can show trends and be mapped to investments in security include Secure Score in Microsoft Defender<\/a>. Secure Score monitors platform as a service (PaaS) and infrastructure as a service (IaaS) cloud, hybrid, and on-premises<\/a> environments in Microsoft Azure, Amazon Web Services, and Google Cloud Platform. <\/p>\n\n\n \n\t\t\tSoftware as a service\t\t<\/p>\n\t\t Microsoft Secure Score is a similar service focused on the improvement of security posture of a company\u2019s Microsoft 365 software as a service (SaaS), including identity, devices, and applications.<\/p>\n\n\n\n The score, which is expressed as a percentage from 0 to 100, is shown with a list of recommendations that can be undertaken to meet security controls. These security controls should be considered for the security roadmap. As the controls are implemented, the Secure Score increases.<\/p>\n\n\n\n A company should not be focused on driving Secure Score to 100 percent but rather that the recommendations are considered in light of the company\u2019s risk appetite and security roadmap. If the score is not rising as expected then the reason should be understood.<\/p>\n\n\n\n Similarly Microsoft Purview Compliance Manager<\/a> provides Compliance Score<\/a> for Microsoft 365. For Azure customers, Microsoft provides the regulatory compliance dashboard<\/a> in Microsoft Defender for Cloud<\/a>, which also provides visibility into the compliance posture of non-Microsoft clouds. These solutions are vehicles to help customers objectively assess and communicate the company\u2019s compliance posture with their most important regulatory standards.<\/p>\n\n\n\n The updated security roadmap, with progress indicated, should be presented to the committee, and the KPIs should broadly track with this progress, allowing an increased confidence in the organization\u2019s security posture and trends.<\/p>\n\n\n\n Working with the cybersecurity committee and the board will involve communicating to a diverse group whose first expertise may not be information technology. We need to teach.<\/p>\n\n\n\n We also need to learn. The committee operates within its mandate. Servicing this mandate is the primary focus of the committee. It will come before other subjects we may want to discuss. Map these subjects to the committee\u2019s mandate.<\/p>\n\n\n\n The board operates within its rules of procedure. We will be much more effective if we are familiar with these. If we map our asks and replies to the committee\u2019s mandate, our communication will be well received and we\u2019ll strengthen the partnership. If we understand the rules of procedure we can avoid ad hoc engagement and communicate our message effectively.<\/p>\n\n\n\n The mandate may indicate that a report from the committee is due to the board in advance of the Annual General Meeting. If we\u2019ve agreed on the information needed to service the mandate, we can be proactive about providing this. We can anticipate questions and put challenges in context with what they mean to the business and what we\u2019re doing to address them.<\/p>\n\n\n\n Some of the materials provided to the cybersecurity committee will require confidentiality. They should be watermarked or encrypted per company policy. Board members are not employees, and they probably don\u2019t have a company email address or access to the company network. The tools and procedures will need to take this into account.<\/p>\n\n\n\n The reporting of the cybersecurity committee to the board is also confidential. Beyond bad actors, the information may be taken out of context by analysts or those seeking to harm the company\u2019s reputation. Security controls should be agreed with the CISO to ensure that the documents provided to and produced by the cybersecurity committee will be limited in distribution to the committee, company leadership and the office of the CISO.<\/p>\n\n\n\n Some board documents are shared with shareholders and made available to the public, such as minutes of the board meetings. Where input from the CISO or the cybersecurity committee for these documents is needed, it should be made sufficiently general so as not to expose the company to risk.<\/p>\n\n\n\n The formation of a cybersecurity committee as part of a company\u2019s board will mean more scrutiny of the IT security function. More time will be devoted to communicating and reporting.<\/p>\n\n\n\n The CISO and their team will get visibility with the board and can use this to advocate for the resources and cultural changes they need to protect the company. Productive, efficient interaction with the committee can build a partnership with the board, which protects and adds value for the company.<\/p>\n\n\n\n Learn more about Microsoft Purview Compliance Manager<\/a>. <\/p>\n\n\n\n To learn more about Microsoft Security solutions, visit our website.<\/a> Bookmark the Security blog<\/a> to keep up with our expert coverage on security matters. Also, follow us on X at @MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\n\n\n\n 1<\/sup>SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies<\/a>, SEC. July 26, 2023. <\/p>\n\n\n\nMandate of the cybersecurity committee<\/h2>\n\n\n\n
\n
\n
Working with the cybersecurity committee<\/h2>\n\n\n\n
Context<\/h3>\n\n\n\n
Objective data<\/h3>\n\n\n\n
Align with the mandate of the committee<\/h3>\n\n\n\n
Confidentiality<\/h3>\n\n\n\n
Get started with committee collaboration<\/h2>\n\n\n\n
Learn more<\/h2>\n\n\n\n
\n\n\n\n