Episode #60 The Secure Board with Anna Leibel and Claire Pales - hosted by Paul Rehder
“We don't expect board members to be IT experts. But they do have to have a level of knowledge around cyber to be able to perform the role of governing the organisation effectively”.
- Anna Leibel
Claire Pales has recently co-authored a new book 'The Secure Board' with Anna Leibel - founder of 110% Consulting, a board member at Ambulance Victoria and multi-The Security Collective podcast guest; and for this episode we are doing things a little different!
Behind the host mic is Paul Rehder, managing partner from Deloitte. Paul's extensive financial services experience running a broad range of strategy, business architecture and delivery programs and initiatives in Australia and abroad, as well as being a trusted advisor to both executive and non-executive directors, seems fitting as he hosts this episode of The Security Collective podcast discussing with Claire and Anna 'The Secure Board'.
Links:
Transcript
PR: Hello and welcome to The Security Collective podcast. I'm your host, Paul Rehder, a managing partner from Deloitte and today I'm bringing a slightly different format to the podcast. Your usual host Claire Pales is today's guest along with Anna Leibel, a multi episode guest of the podcast. Both Claire and Anna recently co-authored a book called “The Secure Board”, and I'm absolutely thrilled to be bringing you their story today. Anna is the founder of 110% Consulting, and a board member at Ambulance Victoria. Claire, the usual host of this podcast, is the founder of The Security Collective consultancy, and a member of the technology committee at the Breast Cancer Network of Australia. Both Anna and Claire's purpose is to give every director the confidence in their ability to govern cyber risk. And you can read their full bios in the show notes. But for now, Anna and Claire, welcome to the podcast.
AL & CP: Thanks Paul.
PR: Great to have you both here. And it must be a little bit strange for you Claire for me hosting today, so bear with me. But clearly, cyber security is a hot topic with cybercrime increasing 600% in 2020 alone, I mean, that's an astounding figure. But before we get into that, I just wanted to start with how did you meet each other? And what made you decide to partner together to write a book, let's start with you Anna.
AL: Terrific. So Claire and I met when we were both working at Telstra about 15 years ago at a speed networking event. And what that basically looked like was you need to talk to and connect with people that you didn't know, the highest number of people that you could within a certain period of time. Now I was fortunate enough to meet Claire. At the time I was working in internal IT at Telstra and Claire was working in a security role. We got along straightaway over our love of books and of dogs. So Claire loves labradors, and I'm a golden retriever owner. And then Claire invited me to join her book club. And I think that's really interesting now that today we're coming together to talk about the book that we've co-authored. So Claire, and I continued to pursue our careers, mine in more cross industry IT, and Claire dedicated to security roles and Claire actually moved to Asia to pursue that. So we've stayed in touch the whole time. And Claire came up with the idea for the book. So I'm going to hand over to Claire to take the credit for coming up with the idea for 'The Secure Board'.
CP: Thanks, Anna. So the idea came about because what I found when I was presenting to boards as a security leader was that often the board paper would be read, and I would come to the boardroom and present statistics and metrics and information to the board, and often I would not get any questions. And at first I thought maybe that's just because they understand. But as I delved deeper, I discovered that the reason they weren't asking questions was that they didn't know what questions to ask. And that in many ways, the topic of cyber security was quite daunting for them as an audience because it was an unknown. Most board directors come from a finance background, or an accounting or a legal background, and have a business lens on their directorship. But cyber and technology really seemed to be fields that we weren't seeing many directors coming from. And therefore the cybersecurity papers weren't necessarily hitting the mark with them. So for me, the idea of writing the book came because I thought, how can I reach board directors, and give them a sense of cybersecurity being something that they can manage if they just knew that it was like any other risk, and that they could ask questions, and that I could give them a set of questions through this book, to allow them to feel more confident in not only reading the board papers, but understanding their responses they were receiving from their chief information security officer or CIO or whoever was coming to the board with the security information.
PR: Really interesting. I should have mentioned up front one of the other roles I have at Deloitte is leading our non executive director relationship program. So I connect a lot with chairs and boards, this is clearly a very hot topic. And one thing I didn't mention is collectively you have in excess of 45 years of experience in Board Governance, IT and cyber. Look I'm specifically interested in you know why you believe cyber security should be elevated from an IT function to the board level? Anna, can we start with you on that one?
AL: I suppose you can't open a paper at the moment without actually reading about a breach, it's nearly a daily occurrence. And even just calling out the implications and the size and sophistication of the threats and they continue to mature and the volume of them continue to grow. Think about the research, they're estimating that by 2030 it's going to be a $433 billion weakness global. And to put that in perspective around Australian businesses in their financial year 2019/2020 our cybersecurity centre had a report every 10 minutes by a business that had actually had a security event. And so for me i think about the landscape and how much it's shifted over the last five to 10 years we've really seen cyber be a tech problem and even the questions from the board at that time and the chief executive was really around how much money do you need to keep us safe, and now it's actually really shifted to when will we have a breach? Now the implications of those breaches will have reputational, financial and regulatory implications, and others, depending on the business. And it's appropriate that both that the board has oversight of those given the breadth and the severity of the implications of a breach. The board also has accountability for the culture, hiring in the chief executive officer and the overall risk. And Claire and my perspective is that it is imperative that the board has oversight of cybersecurity, the risk appetite, and the management of those risks.
PR: Thanks Anna, I couldn't agree more and in fact in a lot of the conversations I've been having with boards recently this is a very hot topic and so then over to you Claire your perspective on why 'The Secure Board' is essential reading for not just businesses but board members and aspiring board members.
CP: So Anna and I wrote the book because we saw a gap in the market but we really wanted to make sure that we were writing the right book at the right time. So we conducted some research by going out to board directors and Chief Information Security Officers and to CIOs to ask them a number of questions about how they felt about cyber security at the board level, and how comfortable board directors felt about interacting with their Chief Information Security Officer about this topic. And what we found was that board directors were really using the strategy as the pivotal part of the conversation. They felt that if they could get a really strong understanding of where the security posture was today and where the CISO was taking the posture then that would give them a level of comfort around the true security position that the organisation was aiming to attain. In addition to our own research Anna and I then looked at global research on the topic of cyber security and what was helping other countries to really combat this issue at a board level around cyber security, and with that research, and our own research we're able to build the book around five elements. Those five elements are:
Cyber security being a business issue not just an IT risk.
The second one is around strategy.
The third is around taking a risk based approach.
The fourth is around metrics, and often this is an area for security leaders that they really grapple with. What metrics should they be taking to the board? And so the approach that Anna and I have taken is to help the board to understand those metrics and know what questions to ask.
The fifth element of the book is how to build a relationship with your Chief Information Security Officer and does your organisation need someone at that level or do they need someone who's more operational depending on the maturity in your organisation.
So for Anna and I the reason we think this book is essential reading is that we went out and we asked board directors what is it that you don't understand and then we built five elements in this book to help them to build confidence in this subject
PR: Thanks Claire, that's great and , you know, as someone that's not a cyber expert, the book is great reading. It's easy reading, even for someone like me. It was easy to interpret and understand the different perspectives in there and actually apply those in terms of the questions that you can ask to ensure that you truly understand what's happening within the organisation. You will see in the book as well, there is a fantastic foreword by David Thodey that really sort of emphasises the importance of cybersecurity the implications that Anna referred to around reputation, financial and regulatory implications and risks. You know i am interested though Anna, in your words, what do you think the key takeaways are from the book? I know Claire touched on one or two of them, but I’m interested in your view.
AL: Yeah thanks Paul. I think the first one for me is really acknowledging that we don't expect board members to be IT experts. They do have to have a level of knowledge around cyber and other emerging areas like climate change, to be able to perform the role of governing the organisation effectively. And so we've really written the book to help the non executive directors understand that the way that they manage other risks today in the business is actually very valuable around managing or overseeing cyber security. What's often daunting is the jargon around cyber. So the book has been written in business terms, we don't have any jargon, we have been very mindful not to have a glossary of all of these terms, because the minute we publish the book, they're going to be at a date anyway, given the emerging threats in the space. But the book has been written around providing guidance on what to look for in those different areas, the five elements that Claire mentioned before. But also the questions that you should be asking of management. And also, as the strategy is implemented, we should say, the shift around those metrics and the reporting that you're seeing for management. So we really wrote the book around the five elements, as Claire mentioned. You can pick the book up depending on what's on your next board agenda, or it can be read in its entirety.
The second point is really around, or the key takeaway from the book is that organisations do need a dedicated security leader. This isn't just a firefighting role, the role is critical. If you really put yourself in the shoes of a security leader, at times, if they do their job effectively, they're going to need to say no to the chief executive, or no to the marketing executive. And sometimes on occasions may be a no to the board or a recommendation not to make a certain decision. The role holds a lot of accountability, and a lot of personal reputation is also within that role. And so they work across the enterprise, really helping the enterprise and the board understand when cyber risk actually comes to play, how critical the strategy is, what's the right level of investment, and what's the type of culture you need to be truly cyber safe.
The third one is, and Claire and I are quite passionate about this, and that is the board actually needs to have a relationship with the security leader. We sort of flipped that and asked the question to board members, how would you feel if you met your security leader for the first time during an incident? That would not be ideal. It's really important to have a relationship with them. You're putting a lot of trust or delegating a lot of trust as a board into that individual. And it's imperative that you're actually hearing from them around the emerging threats, around the risk appetite statement, the risk profile, the investment that they have. It also gives you the opportunity as a board member to ask them questions about the level of support they're getting, and if they've got enough resources to actually implement that strategy. So they're the key takeouts for me Paul.
PR: Thanks, Anna, and actually a big one for me and I just wanted to emphasise the importance that you do not want to be meeting the cyber leader for the first time during an incident. I mean, that is, that is a brilliant point, you know. Establishing that trust upfront is really, really critical. I did want to finish up by just understanding, you know, it's a brilliant read, we all should be getting the book and reading it, there's a lot to be learned. But for both of you as a team, with the experience that you've got, and all of the all of the great work that you're doing, what's next?
CP: Paul, for us since we have written the book late last year and just published it in March of this year, our passion now is really about getting these five elements into the hands of board directors and aspiring directors, but also into the hands of security leaders. Because, you know, I mention in the book that, in a parallel universe somewhere, there's a book called 'The Board Ready CISO'. You know, that this idea that CISOs have all the knowledge as well, they need to understand what the board needs as well. So, you know, the audience for this book is much broader than just current board directors. And so Anna and I are very focused on getting our message out there, helping people to understand cybersecurity risk, and so that, you know, more and more, their confidence rises. And, you know, they should feel confident to be making these decisions because they can be critical and pivotal for the organisation. So, you know, we really want to get this book out into people's hands and through our boutique advisory firm that will be educating boards around the secure board and around the five elements. That's really going to be our focus for the next little while.
PR: Thanks Claire. And, frankly, there isn't a better time. I mean, you're both a brilliant partnership. All of the experience that you've got, both of you, that you can bring to the table. It has been an absolute privilege to host the podcast today. I hope I've done you proud, Claire. And thank you for sharing with the audience, both of you, the many learnings that you've packed into the book “The Secure Board”, and it's been a lot of fun, and I look forward to speaking with you both again very soon. Thank you.
CP: Thanks so much Paul.
AL: Thank you Paul, really appreciate it.