DECEMBER 12, 2023
On The Next Big Question podcast, we sit down with business leaders from our C-level communities to tackle the most pressing questions facing their roles, organizations and industries today. Recently, we had the pleasure of speaking with Angela Williams, SVP, Chief Information Security Officer at UL Solutions, and she answered the question, “How Can the Board Deepen Their Expertise of Cybersecurity and Risk?”
Our host Liz Ramey kicked off the conversation by discussing the complexity of the new SEC regulation requiring board oversight of cyber risks at private companies and how this “flips the paradigm for senior leaders to really get up to speed, to understand risk at a greater level and have a common understanding and language to be able to make strategic decisions and actions around cybersecurity.” She asked Angela to outline the steps boards should take in order to comply with these new regulations.
“Risk management is all about setting the tone that cyber resiliency is where you are striving to be. We will not be cyber perfect, but you should be cyber resilient as best as possible.”
Angela stated that before the board can get involved, security leaders must first become familiar with the final ruling of the regulation and how to apply it to the organization. Only then can they determine the proper disclosures and processes for compliance. She emphasized that disclosure can be tricky, and she said, “What you want to share and what you don't want to share can be a gray area, because you don't want to give up too much information, but enough to give the SEC a confidence level that you've got it under control, you understood what occurred and when. But at the same time, a lot of it is proprietary information.”
Afterwards, she said it is all about educating the board. She explained:
“The first step a board member should know about is what we are protecting and the types of business processes we have in place to protect that data. My conversations with the board are less about the tech talk. In fact, if you're talking technical terms to your board, you're in the wrong room.”
“How do we articulate to the board the financial impact or operational impact? These are terms that the board can interpret and understand a lot better than the technical talk.”
“The board wants to understand at a high-level, what's at risk, why is it at risk and what are we doing to mitigate or remediate the risk? What timelines are we aligning ourselves to, to address these risks? And do you have the appropriate investment to get your maturity from potentially foundational to something in an optimized space?”
Throughout the podcast, Angela also describes how the board can improve its cyber acumen, the questions the board should be asking to build a meaningful understanding of risk and security, and the implications for organizations that cannot meet the expectations set by these new regulations.
Angela Williams is the SVP, Chief Information Security Officer at UL Solutions and Co-Chair of the Chicago CISO Community. In previous roles, she led transformational cybersecurity programs for Hillrom, Blue Cross Blue Shield of Michigan and Wayne County, Michigan.
You can listen to the full episode, How Can the Board Deepen Their Expertise of Cybersecurity and Risk? here, or on your favorite podcast platform.