CISO’s Prospect Role in the Board Room
In the Digital Operational Resilience Act (DORA), the Chief Information Security Officer (CISO) acts as a central role due to the regulation’s focus on IT and Communication Technology (ICT) and the management of information security risks. DORA stipulates the Board of Directors (Board) active participation in and overseeing of the overall management of ICT risks. As such, it is logical for the CISO to report directly to the Board.
This article presents some of the challenges from a CISO’s perspective with reporting and recommends topic areas to be included when reporting to the Board.
The Board’s responsibility post DORA
DORA states that “the ultimate responsibility of the management body in managing a financial entity’s ICT risk should be an overarching principle of that comprehensive approach, further translated into the continuous engagement of the management body in the control of the monitoring of the ICT risk management”.
In the Nordics, the management body has been interpreted as the Board. From an information security perspective, the Board is responsible to:
- Define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework (including information security)
- Hold the ultimate responsibility for managing the financial entity’s ICT risk.
- Establish policies that aim to ensure the maintenance of high standards of availability, authenticity, integrity, and confidentiality of data
- Set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation, and coordination among those functions
- Hold the overall responsibility for setting and approving the digital operational resilience strategy
- Approve, oversee, and periodically review the implementation of the financial entity’s ICT business continuity policy and ICT response and recovery plans
- Approve and periodically review the financial entity’s ICT internal audit plans, including changes
- Allocate and periodically review the appropriate budget to fulfil the financial entity’s digital operational resilience needs in respect of all types of resources
- Approve and periodically review the financial entity’s policy on arrangements regarding the use of ICT services provided by ICT third-party service providers
- Establish, at corporate level, reporting channels enabling it to be duly informed of third-party arrangement
Reporting challenges
Evidently, the Board would benefit from receiving direct reporting from the CISO. However, there are certain challenges to consider.
Firstly, in smaller financial institutions and in some tech-driven fintech companies, the CISO tends to be cyber security oriented. This is great but could result in a tech-oriented reporting which may cause miscommunication and confusion among the Board. Secondly, the knowledge gap between a CISO and the Board can be significant, and one could argue that a core skill, in a post-DORA world, is the CISO’s ability to communicate governance risks (such as status of information classification), or technically advanced risks (such as results of security testing) to a none-technical board. Thirdly, the line-of-defense placement of the CISO also affects the assurance of the reporting. When CISO is placed in the first line of defense the CISO can be biased, and when placed in the second line the independence is clearer. CISO’s usually traverse between the first and second line of defense (CISO tends to become operational in crises situations) which could make the assurance of reporting somewhat doubtful.
Considerations
Under the DORA regulation, a key skill among CISOs is indeed Board reporting and the ability to report clearly and stringently on complicated matters such as information security. The Board should make the line-of-defense placement clear to the CISO and ensure it is enforced. More hands-on and cyber security or operational security personnel, such as a Chief Technology Security Officer (CTSO) or Chief Cyber Security Officer (CCSO) should be placed in the first line of defense while at the same time, more governance oriented personal can be placed in the second line of defense. The Board can then receive reporting from both parties and receive full coverage from both lines of defense. A more governance oriented second line of defense CISO also results in better bridging the knowledge gaps between the second line of defense reporting and the Board as the second line of defense CISO should be more experienced in communication in non-technical terms.
Recommendations for the second line of defense reporting
DORA and other related ICT regulations define the reporting that should be done. A proposed agenda include:
- Status of the ICT information security strategy
- Status of ICT limits (or risk appetite) including Key Security Risk Indicators (KSRI)
- Status of the process / or agile maturity of security routines
- Status and results of monitoring activities
- Status of the financial institutions’ operational resilience (specifically business continuity management)
- Security intelligence from outside the institution, including trends
- Status and results of changes to the institution from a security perspective,
- Status of regulatory gap-assessments, maturity assessments, awareness, and training results, etc. as they related to information security
- Training session towards the Board (arguable not formal reporting)
The frequency of reporting should be defined by the Board, but quarterly reporting is emerging as a standard in the Nordics.
Conclusion
The DORA regulation stipulates the reporting of the institution’s operational resilience, and it is therefore reasonable that the CISO is the best candidate to describe information security from a risk management-, information classification-, cyber security- and business continuity perspective. This requires that the reporting is done on the Board’s terms.
FCG Group recommends a CISO in the second line of defense who provide independent reporting, but this does not hinder any reporting from the first line of defense as well, if preferred by the Board.
For more information on DORA and the topic of reporting please contact: