CISOs Talk Incident Response: Educating Your Board


Written by Chenxi Wang

This is Part 2 in a series, to read Part 1, see: CISO’s Talk Incident Response: 3 Steps to Breach Readiness.

Attendees at the event agreed that the industry must shift from the prevention mindset to detect-and-response. But you can’t do that without your board’s breach board

One CISO said: “It’s important to ask your board the question: ‘What do you want to get out of your information security program?’, and press them to be as specific as they can in their answers.”

Establish a baseline with your board: Regardless of the level of security investment, it is important to make your board understand that it is virtually impossible to guarantee “no-breach”. This is the most critical baseline understanding your board must have, many participants said.

  •  Cyber security is a company-wide responsibility, not a one-group or one-man’s job: It’s especially important that your board understands Cyber Security and incident response is not IT security’s sole responsibility. The broader company ecosystem, including legal, risk, LOB, and PR, must all become auxiliary functions in a breach response scenario. These stakeholders must understand their respective role and can executive their functions immediately and proficiently.
  •  Cyber Security program ensures the long-term survival of the brand, is not a stop-the-hacker tactical function. One CISO said that his board told him his program is in place because the long-term survival of the company, not because they wanted him to deflect specific attack-du-jour. This perspective got a fair amount of attention during the discussions. Indeed, strategic, long-term views like that from the board is rare today, but this is a critical mindset you must instill in your board.

Open discussions

The evening also saw a fair amount of open-ended discussions and debates. A few of them are interesting to note:

  •  When you spot an ongoing attack, do you block or do you let it go and observe? There were clearly two opposing schools of thought on this topic and each felt strongly about their positions. True, it’s counter-intuitive to think that once you see something alarming, you wouldn’t shut it down immediately.

One CISO said: “I want to observe and learn from the attack. Does the attack bear any specific signature of actions that can be traced back to a particular criminal group? Can this signature aid me in future defense? The worst thing I could do is shut them off before they show their hands, and then I’m in the dark again”

Others feel quite differently. “How do you decide how long to let an attack campaign proceed? This seems irrational and could be irresponsible.” one attendee remarked.

  •  New incident response roles. One of the firms at the event said they were hiring a “Cyber risk response officer”. This person will own the end-to-end incident response processes and will work with other stakeholders in the company to institutionalize incident response programs.

Another firm has carved out a “BISO” role, Business information security officer. This is the liaison role between IT security and the rest of the firm. This person is responsible for engaging the right business stakeholders to build a cross-functional cyber security and incident response program.


The CISO role is no longer a back-office, technology-centric function; for many of the firms represented at the event, “CISO” has clearly evolved into a business leadership role. These CISOs are charismatic, strategic-minded leaders who will lead their organizations through the myriad waters of security incidents and responses.