Episode Notes
While the Board sets up broad policies and priorities for companies, there’s a whole cyber universe that Board members may not fully understand. Jerry Perullo draws on more than two decades of experience, including as CISO at Intercontinental Exchange/New York Stock Exchange (ICE/NYSE), and recently as interim CISO at Silicon Valley Bank, to explain his framework for presenting cybersecurity risks and solutions to the Board.
*Slides below are excerpted from Jerry’s standing room-only session at the FS-ISAC 2023 Americas Spring Summit.
Notes from Our Discussion with Jerry
(3:03) - CISOs as Board members
CISOs want a seat at the Board table and want to be part of the discussions. To do this, they need to be cross functional, with knowledge outside cybersecurity.
(6:05) - Board Training
Doing board training (such as with the NACD) as early in your career as possible will help you understand how board directors think about risk holistically – an important tool for CISOs briefing boards.
(7:53) - Addressing Cyber Risk Management and Regulations with the Board
Risk management isn’t new for Boards. It’s been critical for years and meant different things. Yet, cybersecurity isn’t on the list. On the other hand, regulators have requirements, which brings cybersecurity into Board discussions. Tactical intelligence sharing should be digestible and actionable by the Board.
(10:52) – TRIC – The Cybersecurity Framework for the Board
TRIC (Threats, Risks, Incidents, and Compliance) is a framework for presenting cybersecurity programs and progress to the Board.
(11:26) – Understanding Threats
Briefing on threats is about setting the mission. Threats can be identified by understanding the organization’s risk appetite for focusing the cybersecurity program.
(13:46) - Risks are Standalone Vulnerabilities
Risks are very specific vulnerabilities. An organization may face thousands of them and there should be a constant discovery and identification process. CISOs should also identify which of these risks to take to the Board.
(15:45) – “Incidents” Defines When to Approach the Board
The Incidents piece is about defining the severity levels and getting agreement with the Board. A lot of governance is focused on when the Board is alerted and when they should get involved. These should be included in the incident response plan.
(17:32) – Compliance Data
Presenting data in the form of a Gantt chart can make it easier for the Board to understand the progress in cybersecurity and compliance.
(19:13) –Adding a narrative executive summary and an appendix to the presentation.
(20:18) –Advice for CISOs who aspire to be on the Board and discusses the possibility of cybersecurity being deprioritized by the Board.
Fight cyber threats with the intelligence and knowledge of the whole industry at your fingertips – Join the FS-ISAC community.
© 2024 FS-ISAC, Inc. All rights reserved.
A seasoned expert in cybersecurity at scale with a focus on corporate governance, Jerry Perullo retired as the Chief Information Security Officer of the NYSE and global parent company IntercontinentalExchange (NYSE:ICE) in...
Read MoreElizabeth is a storyteller at the intersection of technology and money. Layer in geopolitics and the criminal underworld and you get today's issues in cybersecurity for the global financial system. Crypto. Web...
Read More
Follow Us
