The Next Big Question

Episode 27
Hosted by: Liz Ramey

Angela Williams

SVP and Chief Information Security Officer

UL Solutions

Angela Williams has been the SVP, Chief Information Security Officer at UL Solutions since May 2022. Prior to this role, she led information security programs for Hillrom, Blue Cross Blue Shield of Michigan and Wayne County, Michigan.

How Can the Board Deepen Their Expertise of Cybersecurity and Risk?


SEPTEMBER 19, 2023

In this episode of The Next Big Question podcast, SVP, Chief Information Security Officer at UL Solutions Angela Williams details how the board can deepen their expertise of enterprise security and risk. She shares insight into the latest SEC regulations, how security leaders can better educate the board about potential risks, and the questions the board should be asking to strive for cyber resiliency.


Liz Ramey (00:12) Welcome to the Next Big Question, a podcast with senior business leaders sharing their vision for tomorrow, brought to you by Evanta, a Gartner Company. Each episode features a question with C-suite executives about the future of their roles, organizations and industries. Thanks for listening. I'm your host, Liz Ramey. Now let's hear what today's next big question is. In this episode of The Next Big Question, Angela Williams, chief information security officer at UL Solutions, joins me to discuss how boards need to shift their level of expertise in order to meet the inevitable regulations of the SEC. These regulations will require board oversight and reporting of risk and attack details. Angela offers her thoughts on how to prepare, what questions the board should ask their CISO and what they should be listening for in their response. Angela Williams, welcome to the Next Big Question.

Angela Williams (01:16) Thank you for having me. 

Liz Ramey (01:17) Well, I am thrilled to have you as a guest and I want to dive right in. Today, we're going to be talking about kind of deepening the board's understanding of cybersecurity and risk. We’re talking about how enterprises have to pivot in order to meet a new SEC regulation that's going to require board oversight of cyber risks at private companies. Can you talk a little bit about this regulation, what it means for you as a CISO? And what does it mean for the board?

Angela Williams (01:49) Absolutely. The SEC requirements are pretty interesting. I think for every CISO out there we've got to become very familiar with the final ruling and how to apply those expectations to our organization. And so, what was proposed last year versus what's being finalized now? There's a lot of variations to it that were not there before. The new ruling requiring companies to provide the SEC the relevant details around a cybersecurity incident, its nature, its scope and the timing of it is a little bit more deeper than just reporting and saying we had something happen and occur. I think we have to also develop a plan and processes ahead of time so that we can comply within the time frame that the SEC is requiring information to be shared. The disclosure of an incident is… What you want to share, what you don't want to share can be a gray area because you don't want to give up too much information, but enough to give the SEC a confidence level that you've got it under control, you understood what occurred and when. But at the same time, a lot of it is proprietary information. Did you want to keep a little more closer to the chest?

Liz Ramey (03:05) So we're at this kind of a point now where there's almost a paradigm shift, and I'll explain my thinking. CISOs, there's always been kind of this expectation of the CISO to really understand the end to end business, but also have kind of a level of business acumen in order to talk to all the leaders, in order to talk to the board without scaring them away with tech talk. And but it's, it's not always been reciprocated. The board or the CHRO or CMO or whatnot, they don't always have that same expectation to understand tech talk or even have a level of acumen for tech talk. So this SEC regulation is going to kind of flip that paradigm for seeing senior leaders to really get up to speed, to understand risk at a greater level and come to this kind of common understanding and language to be able to make strategic decisions and actions around cybersecurity. So with all of that kind of complexity built in with that shift, what should the first step be for boards?

Angela Williams (04:15) The first step a board member should know about is first, what are we protecting holistically? Meaning the board, of course, is aware of incidents that occur via ransomware. But the education of the board is all about what are we protecting and what are the type of, I'll call them business processes that we have in place in order to protect that data. My conversations with the board is less about the tech talk. In fact, if you're talking technical terms to your board, you're in the wrong room. You need to get out of that room. The board wants to understand high-level, what's at risk, why is it at risk and what are we doing to mitigate or remediate the risk? What timelines are we aligning ourselves to, to address these risks? And do you have the appropriate investment to get your maturity from potentially foundational to something in an optimized space? 

So the education on the board is all about the board. First of all, understanding what is a risk to begin with and how it's actually defined for that organization. And then how do we articulate to the board the likelihood, the impact to the business as a whole financial impact? It could be operational impact. These are terms that the board can interpret and understand a lot better than the technical talk. Now as it relates to our peers who are not in the security space, but more a part of our business. I think this journey will also help to improve their cyber acumen around, when we talk about risk, we're talking about the same things. We're not talking to different languages. I'm not talking about what technical controls are not there or are in place, but more along the lines of what business processes could be impacted in having my business counterpart understand the risks of their business in the event of a cyber incident. But making sure they have a clarity as to the scope of services that potentially will be impacted because of that incident.

Liz Ramey (06:25) That's a great way of putting it. It's a great way of thinking about it as well. So what sort of benefits will the organization reap from this approach?

Angela Williams (06:35) I think holistically we'll all be singing out of the same hymn book. The CISO shows up to the table and everyone looks at the CISO to explain it all, to talk about risk management, to potentially talk about, you know, controls and services that need to be enabled or supported. And I think as we go through this journey of really focusing on risk management and the CISO being more accountable to explaining a risk and the business being more engaged, understanding and being able to articulate risk in for themselves, eventually this will be a partnership. And what I mean by that is right now the Security Department is primarily out there looking for the risks, identifying it, reporting on it. I would love to get to a place where our business partners are very comfortable to identify a risk and report on it versus just assuming that security team is monitoring everything and has the visibility across the entire board. There's a lot of operational or business risk that may not pop up on someone's monitor, but it's really how we function as organizations. So educating the business of how to better assess and determine where risk (lies?) and then partner with the security team to help that out, make sure that we're aligned. So over time, I really see this becoming more of a partnership between the Security department in the line of business.

Liz Ramey (07:57) So at the very beginning of our conversation, you were talking about how it's important for CISOs to really educate themselves on some of the details of the regulations right now, because they've changed from the proposed ones last year. And so I'm just curious, you know, thinking about that, that the details that you're going to have to provide, the plan you're going to have to provide. How will the SEC be able to manage and regulate these new expectations?

Angela Williams (08:30) That is a great question. When regulatory requirements come out, especially when they're new, there's not a lot of clarity as to how that will be governed and managed. Right now, I will assume that it's all self-reporting, right? They're going to depend on companies to share when a particular incident has occurred, especially, it has to be a material incident. Defining what that really looks like. Being able to articulate the exposure level and the impact. But when it comes to how will they make sure that each organization is very transparent about that? I'm not necessarily clear quite yet as to how they plan to do that. I would assume somewhere down the line there will be fines and penalties if you're not reporting. But I just I'm not clear yet on how they would govern that outside of, you know, of course, sharing that you've had an incident, which you should, because that's just what we're supposed to do.

Liz Ramey (09:31) Right. Even defining material incident. Right. Because, you know, money, you know, that seems material. But we're at an age where data is really…

Angela Williams (09:44) A commodity. 

Liz Ramey (09:44) A commodity, its currency. Are they seeing that as a material incident? It should be.

Angela Williams (09:50) You know, again, that material, quote unquote, is going to take a little time for everybody to settle in and figure out what that means for them. Because you're right, there's so many complexities to what you can consider material. But then also they added a layer of complexity regarding the incident, had to be a series, could be a series of different events that all were either the same attack or approaching you as an organization or multiple attackers identifying the same vulnerability within your organization. And so putting all this Rubik's Cube together as to what pans out to be material, we have a lot of work to do in this space. We need to think about what that may look like for us as an organization and then create a process so that we can defend that approach that we decide to take.

Liz Ramey (10:40) So what will organizations have to lose if they can't pivot or don't pivot and they can't meet these expectations?

Angela Williams (10:50) This is where I think the SEC will double click in those organizations who cannot comply with this requirement. It will impact organization's ability to do business possibly. I don't know what type of fines or regulatory fees may be impacted, but I think about it from when HIPAA came out and the government decided that if you will report a reportable data breach in the healthcare space, that you were penalized, you were penalized for not reporting in a timely fashion, you were penalized for how many records were exposed. And then, of course, the brand is impacted. And so I think organizations who can't pivot to this new regulatory requirement from the SEC may end up having some similar type of experiences as other requirements or regulatory crimes have kind of panned out throughout the years.

Liz Ramey (11:46) What does the future board look like? Will these new kind of regulations influence or shape that?

Angela Williams (11:52) Yes. So the board, I think, will continue to increase their understanding of what are the cyber risks that they should be aware of and how they need to improve the governance of a cybersecurity program over the next few years. I believe the board's confidence in the organization's ability to effectively respond to material significant cyber breaches will increase. And then I think there will be a small percentage of recruiting of cybersecurity savvy directors to help provide some diversity within that board makeup.

Liz Ramey (12:27) From a perspective of a CISO what sort of questions should the board be asking in order to build a meaningful understanding of risk and security? What should they be asking you?

Angela Williams (12:41) Great question. When I present in front of the board, I ask myself what should my board be asking? I try to provide the answers before they ask it, even if they didn't know to ask it. First and foremost, if you're on a board, I would ask, Do you even have a CISO? Sometimes the CISO does not report into the board from a presentation perspective. Sometimes it's the CIO. I fortunately get to report in front of this board so they definitely know they have a CISO so that would be one of the first questions to have or understand who's accountable for the cybersecurity program as a whole. The other thing I would think the board should be asking is what is the organization's current risk profile or threats to the business? Lay out the landscape. You know, we talk about the threat landscape is evolving and that sounds super big. Narrow it down for the board to know what is impactful or could be impactful to this particular organization based upon the industry that you sit in that would be helpful for the board to get that information. 

Other questions the board can understand. Because to build a good governance model, you got to understand what playbook are we hold ourselves accountable to, which is what Cybersecurity Framework is that organization aligned to? And that helps set the tone as to how we are measuring progress and what we're going to measure ourselves against from a people, process and technology perspective. Other questions I think the board should be aware of is the balance of funds and investment within the security program. I am not a fan of throwing a lot of money at one time into security because the company may not be able to make the changes as fast as you may have dollars available to you. So there's a balancing act of how much change can you actually invoke within a period of time. But there is a balance of investment necessary to actually evolve the program and make sure that we have the appropriate governance controls in place. 

And then I think the board should make sure that they are reviewing and receiving meaningful metrics, meaningful updates on an ongoing basis. To give a little more insight of the risks that are imposed, the greatest risk to the organization as a whole, if they're not getting meaningful metrics or reporting at a very high level, it's hard to govern what you just don't know. And that's where the CISO's job is to deliver that picture. Here is where we are from a threat landscape. This is what's on our radar or on the headwinds. Here are the things we're doing to mitigate these risks. And here's where we feel our risk profile sits today.

Liz Ramey (15:18) So I'm the inverse here, right? So here's these questions they should be asking and then you as a CISO you provide answers. What sort of answers should they be looking for? And could you also, if you can dig into it, should there, are there anything, any answers that would be given to them that should maybe cause an alarm?

Angela Williams (15:43) That's a good question. So the answers they should be listening for should be directed back to the question that was asked. So I just listed a couple of questions that the board should be asking. Those answers to those questions should be pretty direct. It shouldn't be covered with a lot of fanfare, but be thoroughly point in direct to what the board needs to hear and understand. Risk management is all about setting the tone that cyber resiliency is where you are striving to be. We will not be cyber perfect, but you should be cyber resilient as best as possible. And so answers that the board should listen for are what are the things that this organization is doing to identify risk within the environment or identify threats within the environment. Those could be processes that they're following. It could be solutions that they've implemented, but it should give the board a level of insight, not to the technical level, but a level of insight that there are processes in place or guardrails in place to at least identify risks and threats all the way through, “How well are we able to recover.” 

I walk my board through more of a NIST maturity framework, keeping it really, really simple for them and the answers I try to provide them lead back to one of those categories. Is it… what is our ability to identify here, what we're doing? What are we doing to protect? What are we doing to detect? What are we doing to respond? How good are we at recovery? And by anchoring them around some key terms that resonate with them and they can understand, when you start to respond to these questions, they can start to draw the dots back to one of those categories to having a higher level of confidence that the program is holistic and comprehensive.

Liz Ramey (17:34) I love a good framework. It's very helpful. This was so insightful. And now we're going to get to kind of the end of the podcast. And I get to ask you a question that was posed by my last guest. His name was Kevin Bates, and he's the chief data officer at Fannie Mae. And he asks this question. It's a little off topic from what you and I were talking about, but so he said, instead of thinking only about generative AI, how are you as a C-level leader preparing your organization for game changing technologies and tools? And he's asking this not from a technical or even a risk standpoint, but how are you preparing for these kind of massive disruptive changes in terms of communication, opportunity, identification and change strategies?

Angela Williams (18:30) My first go to is always to understand what's our business strategy, because that is our North Star for how we as an organization exist, why we exist, who we serve. And so when it comes to game changers and technology or tools that are coming out that are just going to change the world, I first try to keep our eye on what is our overarching strategy from a business perspective. And my goal is to align all the things that I can potentially do to support that business. And if I can leverage massive game changer technologies to do it or tools as that can do it, then I can have a case as to why I want to go in that direction, but I make sure that I'm not leading with technology. I'm more leading with a business plan or strategy that I understand for how we profit, how we serve our customers, how we continue to be a leader in the safety, science and security field for UL Solutions. And so AI comes out, everybody wants to use AI, I get it. Think about when cloud came out, everybody wanted to use cloud. I mean there's so many different things that came out and we shift automatically because it's the nice shiny Prada bag, but it doesn't necessarily mean that it’s the right thing to do at the right time. So I try to keep the focus of what are we trying to deliver? What problems am I trying to solve? How does this support the business? And then if it makes sense from an economics perspective, let's try and test the waters to dive into that massive change or that new solution that possibly will be a game changer for us.

Liz Ramey (20:07) We're going to wrap things up with your next big question. And I'm not going to tell you my guest. You do know that there will be a C-level officer, but I would love to know, like, what's the next big question that you would like to ask and that you think enterprises should really be focusing on and looking at in the future.

Angela Williams (20:27) AI is a huge deal right now. When ChatGPT came out, everyone started racing towards how do I use it? There were not a lot of guardrails put around it, but there is a lot of concern as to what type of data is going in. Its confidentiality, etc., etc. So I would ask the question from a security perspective, in what ways should CISOs consider using AI as a part of their cybersecurity strategy in the future? It's definitely a great technology, but it needs to be managed and used in a way that is meaningful at the same time reducing misleading information and misleading results. But just thinking through how can we use this in a very thoughtful way to actually accelerate or help improve our cybersecurity strategy in the future.

Liz Ramey (21:20) I'm excited to ask my next guest that question. Angela, thank you so much for being my guest today. This was really great.

Angela Williams (21:28) Thank you. I appreciate it. 

Liz Ramey (21:31) Thank you again for listening to The Next Big Question. If you enjoyed this episode, please subscribe to the show on Apple Podcasts, Spotify, Stitcher, or wherever you listen. Rate and review the show so that we can continue to grow and improve. You can also visit evanta.com to explore more content and learn about how your peers are tackling questions and challenges every day. Connect, Learn and Grow with Evanta, a Gartner Company.