R-CISC BLOG

Whose Line is it Anyway? One CISO’s Approach to Board Communications

Recently, the R-CISC team sat down with Scott Howitt, SVP & CISO at MGM Resorts International, to learn more about his approach to assessing, prioritizing, and communicating risk to the board of directors. To learn more about additional strategies, join Scott and other retail CISOs in an upcoming workshop discussion of risk tolerance taking place at the R-CISC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, Tx. The Collaboratory’s inaugural agenda can be found at www.collaborate.r-cisc.org/agenda/. Interested in participating? Contact us at events@r-cisc.org.

Welcome to the big time – as a CISO, your time has arrived. Today’s CISO regularly commands the attention of the Board and Audit Committee, and for good reason. Over recent years, industry impacting events have pushed cyber security to the top of board meeting agendas, and CISOs serve as an expert advisor in informing the board on organizational risks. As times and board priorities change, so too must the CISO’s strategy for deftly translating cyber security ‘speak’ into meaningful, board-level communications.

 As CISO for MGM Resorts International, Scott Howitt is accountable for creating, implementing and overseeing a wide series of strategies and programs to limit information security risk across six separate business units. From retail to hotels, gaming, sports arenas, restaurants and entertainment venues, Scott’s purview encapsulates a wide range of risks which he must then assess, prioritize, and communicate to the board. Read on for a sampling of strategies Scott shared with our team, and for information on the opportunity to join him and more retail CISOs for an interactive, deep-dive discussion of these and other strategies.

 Educate yourself, then educate the board.

 Take advantage of the many online resources available on board guidance, including example questions that the board should ask of the CISO. If you’re not sure where to start, the New York Stock Exchange’s Corporate Board Member magazine can give you an idea of which questions board directors might bring to the table during your next meeting.

Recent litigation suits underscore the high price of the wrong answer to whether an organization has implemented ‘reasonable data security measures’. As the CISO, it’s your job to educate the board on your organization’s information security risk profile, which defensive measures are in place, and where resources are needed to enhance security posture. While it is up to each individual organization to implement security-driven defensive measures based on the unique nature of their risks, here are some useful resources to help the conversation:

  • This recently published document from the Federal Trade Commission (FTC) illustrates the top 10 lessons learned from recent law enforcement actions pursued by the FTC
  • The public private partnerships established between government and industries have made significant progress in improving the nation’s cybersecurity posture – your participation as a member of the R-CISC demonstrates your organization’s commitment to proactively strengthening your cybersecurity program’s capabilities
  • The NIST cybersecurity framework offers the model for a scalable approach to managing cybersecurity-related risks
  • The PCI data security standard applies to companies of any size that accept credit card payments

 Channel your inner CFO.

 Understand these terms and why they’re important, because odds are that every other individual in the board room will know them, too.

  • EBITDA
  • CAGR
  • CapEx/OpEx

Ie: Understand the net impact of status to [EBITDA, CAGR, operations] and provide solid reasoning to support your assertion.

Be proactive – hire an external auditor.

Because why wouldn’t you want to be the one driving this conversation? Bring in an external auditor to provide their opinion on the information you should be presenting to the board. Inevitably, the subject of an independent audit will be broached at some point. By initiating this process proactively, you’re well positioned to address questions and to communicate findings to leadership.

Remember, cybersecurity is an afterthought unless you can demonstrate the direct correlation between your program and business impact. Retailers can learn more about this approach along with additional strategies in Scott’s upcoming workshop discussion of risk tolerance taking place at the R-CISC’s Retail Collaboratory on May 9-10 at the Westin Stonebriar in Frisco, Tx. Interested in participating? Contact us at events@r-cisc.org.