At the RIMS Live 2021 virtual conference, AIG's chief information security officer (CISO) will tell the tale of two corporate boards: one well-informed about cyber-related risks and one that isn't, along with steps executive risk managers can take to gain board members' trust and bring them up to speed.
What Attendees Can Expect to Learn
In this on-demand session titled “Circumspect on Cyber: Uniting the Risk Professional, Chief Information Security Officer and the Board,” Rich Baich, SVP and CISO at the insurance giant, will discuss the relationship between corporate executives charged with managing cyber risk and their companies' board members. The conference will run from April 19-30.
“We're trying to remove a bit of the mystique on the subject,” Baich said, adding the session is geared toward board members, chief risk officers and CISOs.
“But it's really focusing on the concept of cyber risk and the way to appropriately ensure the right degree of cyber risk is being reported and understood by board members.”
He added that the session will first distinguish cyber-informed boards from uninformed ones, then cover how the traits and attributes of the former translate into effective risk management, and finally some of the best practices CISOs and boards should maintain.
Informed Versus Uninformed
Key indications of a cyber-informed board, Baich said, are whether the topic of cyber security is really on the board's agenda and presented by the CISO and whether board members receive regular training on the subject.
When a board is well-informed about cyber issues, Baich said, board members digesting the near-constant flow of cyber events impacting organizations may have perspective on whether those threats may impact their very own companies.
They will recall their CISOs describing how events are prioritized and rated from a business standpoint and according to the threat level for that specific organization.
“So as curious as the board member may be to understand the specific risk, he or she knows the business has a plan and a protocol and that the issue will be escalated to the board level if it falls outside that protocol,” Baich said.
Prior to joining AIG, Baich was Wells Fargo's CISO and before that led Deloitte's cyber threat and vulnerability management practice. Prior to those positions he served as a naval information warfare officer for the National Security Agency; senior director for professional services at Network Associates, now McAfee; and, after 9/11, as special assistant to the deputy director for the National Infrastructure Protection Center at the Federal Bureau of Investigation.
In terms of how a board that is well-informed about cyber risk translates into effective risk management more generally, Baich said, reliable information security practices will translate traditional information security disciplines into risk disciplines that ensure the correct information is identified, translated and presented to the right risk leaders.
“That enables appropriate and prioritized actions to be taken to mitigate the risk in question,” he said.
Best practices include board member training around the information security program and how they can protect themselves from cyber attacks, given that board members may themselves be targets of cyber attacks.
Trust built on a “very high do-what-you-say ratio” is key to the relationship between board members and executives in charge of risk, Baich said, and that is demonstrated partly by having the courage to bring up even difficult issues that need to be resolved.
“The most successful executives build that trust by demonstrating strong risk practices: identifying risks, methods to mitigate them within given timeframes, and following up to say when that's been completed,” Baich said, adding that understanding how the board operates likewise helps foster trust.
“Every board is different, so it's important to understand board members' personalities and backgrounds, so when executives are presenting they are doing so in a fashion that addresses those perspectives.”