While the Board sets up broad policies and priorities for companies, there’s a whole cyber universe that Board members may not fully understand. Jerry Perullo draws on more than two decades of experience, including as CISO at Intercontinental Exchange/New York Stock Exchange (ICE/NYSE), and recently as interim CISO at Silicon Valley Bank, to explain his framework for presenting cybersecurity risks and solutions to the Board.
*Slides below are excerpted from Jerry’s standing room-only session at the FS-ISAC 2023 Americas Spring Summit.
Notes from Our Discussion with Jerry
(3:03) - CISOs as Board members
CISOs want a seat at the Board table and want to be part of the discussions. To do this, they need to be cross functional, with knowledge outside cybersecurity.
(6:05) - Board Training
Doing board training (such as with the NACD) as early in your career as possible will help you understand how board directors think about risk holistically – an important tool for CISOs briefing boards.
(7:53) - Addressing Cyber Risk Management and Regulations with the Board
Risk management isn’t new for Boards. It’s been critical for years and meant different things. Yet, cybersecurity isn’t on the list. On the other hand, regulators have requirements, which brings cybersecurity into Board discussions. Tactical intelligence sharing should be digestible and actionable by the Board.
(10:52) – TRIC – The Cybersecurity Framework for the Board
TRIC (Threats, Risks, Incidents, and Compliance) is a framework for presenting cybersecurity programs and progress to the Board.
(11:26) – Understanding Threats
Briefing on threats is about setting the mission. Threats can be identified by understanding the organization’s risk appetite for focusing the cybersecurity program.
(13:46) - Risks are Standalone Vulnerabilities
Risks are very specific vulnerabilities. An organization may face thousands of them and there should be a constant discovery and identification process. CISOs should also identify which of these risks to take to the Board.
(15:45) – “Incidents” Defines When to Approach the Board
The Incidents piece is about defining the severity levels and getting agreement with the Board. A lot of governance is focused on when the Board is alerted and when they should get involved. These should be included in the incident response plan.
(17:32) – Compliance Data
Presenting data in the form of a Gantt chart can make it easier for the Board to understand the progress in cybersecurity and compliance.
(19:13) –Adding a narrative executive summary and an appendix to the presentation.
(20:18) –Advice for CISOs who aspire to be on the Board and discusses the possibility of cybersecurity being deprioritized by the Board.
Fight cyber threats with the intelligence and knowledge of the whole industry at your fingertips – Join the FS-ISAC community.
FinCyber Today is a podcast from FS-ISAC that covers the latest developments in cybersecurity, contemporary risks, financial sector resilience and threat intelligence.
Our host Elizabeth Heathfield leads wide-ranging discussions with cybersecurity leaders and experts around the world who bring practical ideas on how to confront cyber challenges in the financial sector, improve incident response protocols, and build operational resilience.
Amid the clutter and noise, FS-ISAC Insights is your go-to destination for clarity and perspectives on the future of finance, data, and cybersecurity from C-level executives worldwide.
© 2023 FS-ISAC, Inc. All rights reserved.
A seasoned expert in cybersecurity at scale with a focus on corporate governance, Jerry Perullo retired as the Chief Information Security Officer of the NYSE and global parent company IntercontinentalExchange (NYSE:ICE) in...Read More
early 2022. During his 20 years leading the program, ICE grew from 40 employees to over 10,000, successfully integrated over $30b of M&A, and effectively diversified across asset classes, business segments, and geographic markets. NACD Directorship Certified®, Perullo also served on the Board of Directors of the Financial Services Information Sharing and Analysis Center (FS-ISAC) for 6 years, most recently as Chairman. Perullo teaches Enterprise Cybersecurity Management as a Professor of the Practice at the Georgia Institute of Technology and consults on Cybersecurity Program Strategy and Governance through his Adversarial Risk Management brand.
Elizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web...Read More
3.0. Quantum. AI. Ransomware. Privacy. Regulation. Zero-days. Supply chain attacks. Developing new and diverse talent. How to protect the future of money. These are the topics Elizabeth asks top executives and experts in the field about on FinCyber Today.