Cloud Security Today

Tackling cyber & AI in the boardroom

Matthew Chiodi Season 4 Episode 12


Summary
In this conversation, Chris Hetner discusses the evolving role of boards of directors in cybersecurity, emphasizing the need for improved communication and understanding of cyber risks. He highlights the challenges boards face in adapting to new SEC rules and the importance of leveraging AI responsibly. Hetner also shares insights on tools for quantifying cyber risk and prioritizing investments while advocating for continuous learning and proactive engagement with board members.

Takeaways

  • Boards are becoming more aware of cybersecurity risks.
  • Cybersecurity discussions often receive limited airtime in board meetings.
  • The SEC's new disclosure rules can drive more frequent discussions on cyber risk.
  • AI governance is crucial as AI technologies become more prevalent.
  • Collaboration with general counsel and risk officers is essential.

Chapters

00:00 Introduction and Background on Cybersecurity and Boards
03:05 Current Challenges Facing Boards in Cybersecurity
06:11 Understanding Cyber Risk and Communication with Boards
08:58 Improving Board Engagement with Cybersecurity
11:56 Leveraging SEC Guidelines for Cyber Risk Discussions
15:02 The Role of AI in Cybersecurity Governance
18:05 Tools for Quantifying Cyber Risk
21:12 Prioritizing Cybersecurity Investments
24:02 The Importance of AI Governance
26:57 Staying Informed in Cybersecurity
30:13 Final Thoughts and Continuous Learning


Matt (00:00.856)
Chris, thanks for coming on the show.

Chris Hetner (00:03.088)
Hey Matt, it's been a while. Good to see you.

Matt (00:06.026)
It's been a while. I was looking over the last couple years of these podcasts and with this interview, you become my most interviewed guest. This is your third appearance.

Chris Hetner (00:16.082)
Well, it's an honor and a privilege to be wanted by Mr. Chiodi.

Matt (00:21.07)
I love it. Honestly, I think the reason I've had you on three times is because you have expertise in an area that few in cyber have experience. And so today I really want to dive into talking to boards of directors. And this I think is right up your alley because you've been on the board of the National Association of Corporate Directors or NACD since 2019.

And the last time I checked, NACD had over 24,000 board members. Let's start by diving into where are boards excelling and struggling in their response to the SEC rules that came out. I think it was later last year.

Chris Hetner (01:07.378)
Yeah, no, it's a great question. And we're right around 24,000 members through our community. I am serving as the cyber risk advisor to our community, but I also recently joined the Connecticut chapter board. So I've kind of dual headed there. And our portfolio members are really interested in driving business resilience, understanding context behind digital threat. And I would expand it beyond cyber.

Matt (01:22.776)
Congratulations.

Chris Hetner (01:37.636)
I think about artificial intelligence, dependency on our supply chain, particularly where we have concentration risk. Obviously cybersecurity becomes an increasingly important issue. And I would also factor in data privacy as well as geopolitical. And they're all kind of intertwined. And so when we think about our boardroom community with regards to their mandate, they are kind of nose in, fingers out.

as it relates to oversight, allow management to operate in an effective way. But with the increased reliance on digital and the underlying exposures that the digital landscape introduces, the directors and officers are now, I would say, you know, becoming increasingly up to speed with regards to these types of exposures and the nuances of the technology. They are also asking for

outside expertise and competency because if they don't feel like they have the capability and knowledge to, number one, ask the right questions, I think more importantly, understand what the answers are. So if you're having a conversation with a CIO or a CISO, you can unload 10 or 20 questions, but if you don't understand how those questions are being responded to and how they're de-risking the business, that becomes a critical challenge. So we're still seeing

Matt (02:48.813)
Hmm.

Chris Hetner (03:05.202)
you know, cybersecurity, artificial intelligence, digital, you know, top three priority, going forward within the next couple of quarters. But we also see the challenge with the board, you know, roughly 70, 72% of the boards that we survey still struggle with how that digital landscape, including the underlying exposures, whether it be deployment of AI or cybersecurity threat, how those threats introduce

material, business operational, financial harm, as well as now with the new SEC rule, what's the regulatory impact in terms of disclosure? And so there's definitely more work to do to kind of build that muscle between, I would call it your digital estate, and I would include your CTO, your CIO, your CISO, and what that means to the board in terms of

applying business and operational context to those matters. And then more importantly, what do we do about it? Right. So if I know I have a cyber exposure that's not addressed, if we have AI deployed without the proper guardrails, how is that going to materially take down my business to its knees? And then how do you deploy investments in capital in order to reduce that exposure?

Matt (04:26.478)
So you said, I think it was 72% of those surveyed said they struggle with kind of understanding that. Do you think it's, because you said at the beginning that they're generally more aware, they know more about technology in general than they did probably five years ago. Is it that they're struggling to quantify risk? Is that the piece of it? Is there more to it?

Chris Hetner (04:48.004)
I think it's nuanced in terms of the type of exposure that may be introduced to the particular company that they sit on. So we have multiple boards, members that sit on multiple boards. So we have a very close board member that's tied to how we think about cyber risk oversight influences a lot of our content. This individual sits on three different boards. It's a healthcare company.

Matt (04:56.824)
Hmm.

Chris Hetner (05:16.238)
a utility company and a financial services company. And so the feedback that we receive is if you sit on these three different boards, when you look at, for instance, the balance sheet, or you're sitting in the audit committee, you look at profit and loss, top line revenue, where are the potential cost implications, what's access to capital mean, what are the new interest rates mean in terms of our leasing estate or access to capital in general.

those types of conversations are fairly consistent across those three boards. When it comes to cyber and digital, it's a juxtaposition. It's kind of like, for one company, you may have a MITRE ATT&CK framework construct. The second company, you might have CIS controls. The third company, you might have the FFIEC aligned to the financial services regulatory.

Matt (06:11.992)
Yeah.

Chris Hetner (06:12.54)
And then once you get beyond those frameworks, it becomes a very, you know, control based technical conversation. So the opportunity for us as a CISO, I'll call it technology community in general, because I just, I don't want to isolate the CISO. I want to think about the digital landscape more broadly is to express how those threats are going to introduce operational business, potentially legal and regulatory harm.

To your point, express it through a quantitative measure that thinks about the potential consequences. I always state that it's impossible to get 100% accuracy on this in terms of what the total amount is going to be. But don't let the perfection be the enemy of good. Let's talk about a directional statement if you had a ransomware event that caused a two-week outage where 80% of your systems are down.

you're going to have to think about these consequences, whether it's you're not meeting certain client obligations, not being able to produce product. What if you're a trading platform and you're missing certain opportunities to access the capital markets? Those have downstream consequences. And the way we advise our board community, as well as our technology community, including our CISOs, is in order to seek that answer,

It cannot be done in isolation within technology. It has to be a team sport to be more inclusive of enterprise risk management, your general counsel, your chief financial officer, your chief risk officer. And in some cases, some boards will pull in outside expertise to augment some of that through outside counsel.

Matt (07:59.662)
I think you make a good point there about, you know, I've read some things that you've put out there before too, just about cybersecurity leaders in general tend to at least historically come from very technical backgrounds. And so when you're approaching the board, you're approaching them as, and you're being seen oftentimes as a technical expert, especially if you're the CISO or CTO, right?

I think this really fits well into where I wanted to go next with you. It's like, if you are a cyber security leader or even a CTO from that perspective, and maybe you're new to board interactions or maybe you're just not very good at it. That's the other piece of it. What should they know? What should a CTO, a CISO know about how boards view cyber risk?

And how can they communicate more effectively with board members? So I guess another way to think of this question, Chris, is what have you heard from board members when they're talking about the CISO, the CTO, and maybe even the CIO?

Chris Hetner (08:58.404)
It's a great question and it's hearing from board members, but it's also through our board advisory platform within the NACD. I'll get pulled in with some of our team members, our analysts actually observe independently and also provide that translation layer. So, you know, we do dozens of these things a year. And so number one, my counsel to the cybersecurity folks, including the technology folks,

Matt (09:14.615)
Hmm.

Chris Hetner (09:28.014)
realize that the board composition is fairly sophisticated. These are former CEOs, perhaps general counsels, former accountants, and they are extremely sophisticated executives. They've run P&Ls, they've run businesses, they've been through various types of challenges in terms of growing a business, contracting a business.

Matt (09:45.25)
Hmm.

Chris Hetner (09:56.926)
also realize that they are not necessarily technology experts. And so one of the patterns that I've seen is number one, the cybersecurity or digital conversation in the boardroom gets fairly limited airtime. And I'm using this through the lens of the recent disclosures. Let's say over the last six months, we've had thousands of disclosures through the 10-K.

Matt (10:01.07)
Hmm.

Chris Hetner (10:26.29)
and roughly 70% expressed that the audit committee received cybersecurity updates. And it could happen once a year, twice a year, quarterly, but based on our observation, we're seeing that it doesn't get sufficient airtime. And when the technology team or the cybersecurity team comes in to deliver the report out, it becomes less conversational and more one-directional.

Meaning that we're telling the board about our state of cybersecurity. We're teaching the board what the right metrics are. And from our observation and our feedback and our community, that's just not working because it needs to be a dialogue. And so what I would say is continue to think about those frameworks and those technical nuances, but bring it up a notch in terms of how

you're performing relative to your peer group. So peer analysis and benchmarking is super important, particularly within the boardroom community. Think through the threat landscape, but very specific to your industry. Again, healthcare will look different than financial services, will look different than manufacturing, will look different than chemical type of industry type. So think about that contextualization of those threats to your specific business.

And then, you know, pulling some data points around, here's how we're performing. You know, if we have, let's say, a control deficiency, I'll pick a low hanging fruit, multifactor authentication, right? It's only 50% deployed. If we deploy that upward to 80% and we spend more money and we deploy more resources, we can show the relationship between those exposures that we just mentioned before, and actually de-risking the business.

Matt (12:07.331)
Hmm.

Chris Hetner (12:25.97)
And therefore, you know, we may need some more capital, right? We may ask for another 10, 15, $20 million. The other pitfall we see within the cybersecurity community is that, and it's not necessarily their fault, it's just an overwhelming amount of vendors and tools. And it's highly fragmented. There are thousands of software companies and security companies, you know, we're seeing the likes of

CrowdStrike and Microsoft and Palo Alto Networks really drive the conversation around consolidation into single platform to reduce that complexity. So when you have a portfolio of two dozen cybersecurity tools at your disposal with a multi-tenant cloud environment, it becomes highly fragmented and distributed. And therefore there becomes a challenge to express that to the boardroom when having that conversation in terms of where those exposures are.

And then I would say the other piece of advice would be identify a champion outside of your organization aligned to enterprise risk management. I always tended to align to the general counsel, the chief risk officer, the chief compliance officer. When I was a global CISO for GE Capital, again, this is 15, 16 years ago when I lost all my hair.

Yeah, $500 billion in assets across 60 countries, 100,000 employees. Yeah, that'll do it. Bring in those folks and those allies because that can serve as a conduit to how your program, your budget, and what you're trying to express to the board can relate to actual business decisioning. And so you're not having the conversation in isolation. You're sitting aside the general counsel.

Matt (13:57.016)
That'll do it to you. That'll do it.

Chris Hetner (14:23.414)
And if you're not having that interpretive discussion in terms of business impact, perhaps that ally of yours will help deliver that perspective to the board.

Matt (14:33.398)
Yeah. I think I've seen that happen. Oftentimes it happens by force of nature because there's been an incident or there's been some kind of event, and that is not the way you want to do it. Right. You're talking about being proactive, building these alliances. So I hear that. I want to go back to one thing you said before. You said, you're seeing from speaking to your members that cybersecurity is getting limited airtime. What?

How do you go about changing that? Is there a way that cybersecurity leaders can be proactive? So instead of them saying, I only, and this isn't always the case, it's a generalization, but there are some CISOs who I've spoken to who have said, hey, I only get to go before the board during or after an incident. Is there a way that, whether again, it's through alliances, internally, how do they get more airtime?

with the board. How do they get cybersecurity to be something that is more of a regular discussion with board members? And I realize, you know, board meetings are usually only four times a year, right? So there is only limited time.

Chris Hetner (15:38.908)
Right. It's a great question. And I do agree when the incident occurs that tends to force the board to become more involved. And if you're a CISO, leverage that incident to highlight where you have deficiencies. Don't let it go, you know, unwasted and drive the fact that, hey, because we had these deficiencies, because we had this exposure across the supplier, it caused this type of incident. And therefore, we should remediate and

and drive more touch point between the board. As mentioned before, identifying an ally, particularly your general counsel, your chief risk officer, and in some cases, your outside counsel to encourage that there's more of a frequency and a structure between the CISO and the board. And more importantly, it's the substance behind the conversation. So to your point, we work with, again,

tens of thousands of board members. We also work very closely with outside counsel that have been pulled in to identify where there are opportunities to improve your cyber risk governance capabilities, particularly with the new SEC disclosure rules. And I will say just observing, and all this is under privilege, absolutely the CISO sits in audit committee, gets 20 minutes and they have four slides with four bullets on operational uptime.

Phishing simulation, patch metrics and supply chain risk management. And then invariably I ask, okay, so show me the meeting minutes that support this conversation from the audit committee. And there tends to be no evidence. And so it's not a very constructive environment. So I would leverage the new, if you're a publicly traded company, leverage the new SEC disclosure rules as a forcing mechanism

to apply more frequency, more structure, and more substance into the boardroom and leverage your general counsel and your outside counsel to bring that forward because this is now becoming real. We're going through, again, a cycle of, we're hitting October 1st. So we're potentially nine months to 10 months to go.

Chris Hetner (18:05.348)
and look through the disclosure so far, I would suspect somebody within the corporate finance division of the SEC, and corporate finance is the division that is the recipient of all these disclosures. Corporate finance also issued the rule. The director is going to go to a staffer or an assistant director, hey, let's do a sample size across these various industry segments.

Chris Hetner (18:33.826)
and let's inquire about whether what they're stating is actually what they're doing in terms of disclosures, in terms of their engagement with enterprise risk management, what committees are they rolling into, what's the frequency, what's the substance. So I would leverage again, outside counsel, inside counsel, and these new SEC rules to force a further engaged discussion. Now, one of the best practices that we...

at the NACD encourage is to form a digital risk management committee that's a subcommittee of the board. And it can be a combination of internal staff management, perhaps a few board members and leverage some outside expertise as well. And then you have the opportunity to look through a cross-section of complementary risk domains, including cyber. You have to include AI, right? Because, you know, it's...

It's here. Supply chain is critical. And in fact, our data set that we use for helping the board understand cybersecurity through that business context, we leverage analytics that is based on how the insurance markets project losses. And last year, 2023, 70% of cyber events. When I say cyber events, it could be both malicious and non-malicious.

Matt (19:32.664)
Yeah.

Chris Hetner (19:59.706)
originated from the supplier. So you have supply chain, data management is becoming an issue, particularly with privacy matters. And so what I'm stating here is encourage the board to contemplate the creation of this risk committee. The risk committee can meet quarterly, twice a year, and then you have an annual roll up to the board. So you're getting more airtime, but you're able to dive deeper into these domains kind of offline.

to really provide some constructive roll -up to the board.

Matt (20:31.79)
So those SEC guidelines that came out in 23, they were aimed at publicly traded companies. Have you seen, are you seeing any impact on privately held companies with these as well?

Chris Hetner (20:44.218)
I would say more through the lens of if you're a supplier and you're privately held and you're highly utilized by a publicly traded company, by extension, you're going to be required to have increased due diligence, increased risk management practices. You're going to have heightened incident response capabilities. So by extension, you'll have

through the regulated SEC entity, the supplier will have heightened requirements. In fact, some of the more critical suppliers that are privately held, they're being asked by the publicly traded company to engage in tabletop exercises, to actually come to the table, let's run a scenario and ensure that our playbooks are updated, that we have the right points of contact in place.

Matt (21:29.303)
Hmm.

Chris Hetner (21:40.59)
it absolutely is going to have a downstream impact to the private sector or what I would call the privately held companies that are publicly traded.

Matt (21:49.314)
Yeah, I mean, I think that's, I've already seen that personally. I've seen that. So I think that is definitely happening. You know, going back to, I think the point we made around keeping cyber risk on the agenda. One of the challenges of course, is quantifying those risks in a way that boards can easily understand and act on.

I know X analytics has been doing some interesting work around providing data-driven insights into cyber risk and market reactions. You mentioned how the insurance markets are pricing that risk. I'm always really interested in that. Maybe talk a little bit about how tools are helping boards and cyber teams grasp the financial impact of cyber threats and maybe better, hopefully better prioritize their risk mitigation efforts.

Chris Hetner (22:35.984)
Yeah, so we looked at, and I'll date myself back about six years ago. So when I was in the commission within the chair's office, we looked at various approaches to express how financial impact may be introduced as a result of cyber. So we looked at the credit markets, we looked at various types of vendors outside and vendors inside out. We looked at industry benchmarks. We also looked at the insurance markets and we realized

that the risk transfer markets have historically established structure and process and actuarial approaches using historical data, but also leveraging data in real time. And there's no shortage of data with regards to cyber. I mean, we're seeing billions and billions of events happening on an annual basis. And so we brought that thinking when I was selected as the cyber risk advisor to the NACD.

And again, we were struggling with board reporting, you know, 70% ish of our portfolio of board members still did not understand. So when we surveyed our members, we looked through the various types of approaches. We went through a rigorous process and we selected X analytics, which is a platform that was kind of born out of the insurance markets.

that expresses through an annual loss expectancy approach where those threats are most likely going to occur, but it's very specific to your industry vertical. And those industry verticals, there's 23 of them, the NAICS codes, which are the industry codes that the insurance market use, and they express where those losses are most likely going to occur based on firmographic data. So that's super critical.

Matt (24:21.741)
Mm.

Chris Hetner (24:32.388)
Okay, so let's talk about your healthcare company. What type of healthcare company? Your hospital system, you fall in pharma in some capacity, what are you delivering? What are the types of records you possess? What types of systems? Are you OT reliant? Do you have healthcare devices? Some of these healthcare systems have point of sale systems. So you're looking at the volume of data and records and capability that runs that organization. And that's more through a business lens. We're not even talking about

Matt (25:01.326)
Sure.

Chris Hetner (25:02.226)
you know, CIS profiles or NIST capabilities. We're just talking about pure business metrics. And then what we do for our board members, we pair that with the level of maturity that you may sit on the spectrum of the various frameworks that are available. So you might be an ISO shop, you might be a NIST shop, you might be a MITRE framework shop. Pick the framework. We pull that through. And then usually it takes within 90 minutes to...

express where those threats are most likely going to occur. And what was attractive to our community and our leadership at the NACD about the X analytics platform was the fact that number one, it's premised and based on how the risk transfer markets price and express cyber. So this is not a made up platform that's originated from

some type of technology bottom-up approach. This is actual regulated, industry-focused actuarial approaches. And then two, it factors in data about your specific company. So it's not making assumptions from an outside perspective that you may or may not have 20 or 50,000 employees or X amount of records. We actually have to pull that data through.

Matt (26:26.275)
Hmm.

Chris Hetner (26:27.45)
It also reviews the macro economic conditions of the environment, including macro cyber economics. So we see fluctuations in different types of loss categories that are aligned to the insurance markets. Areas such as fraud, wire transfer is increasing. We saw the recent events with the concentration risk with CrowdStrike and Microsoft. Business interruption suddenly increased as part of the analytics. And so

Matt (26:51.234)
Yeah.

Chris Hetner (26:57.17)
we see those macro trends that are factored in. And then number four, and more importantly, this doesn't require what I would call brain damage to arrive at these conclusions. It's actually done within, I would say, 90 minutes, if not an hour. And it's updated real time. And then more importantly, it's at a cost price where you're not going through a six month

simulation program and trying to build these tables and capabilities. What they've done is, in layman terms, they've built the TurboTax for cyber risk management. They've got 120 predefined risk scenarios. If you operate in, let's say, six different regions across the world, it has factored in all those different regional regulatory compliance nuances as it relates to AI or what we'll call privacy implications. So it's got all that

that muscle mass already built in, you just got to build that profile and then off you go. And our board members are, you know, they are beyond pleased, I would say, with these types of metrics and these types of reporting. They can quickly identify, you know, we had a major, major event, ransomware event hit a publicly traded company, you know, billions of dollars in terms of top line revenue and

The CEO received the report out. Here's our total cost. Here's where our insurance limits were. And it was a fraction of their top line revenue. So when they expressed to the board and they expressed to the investor community, CISO was able to assert these metrics with authority and confidence versus, hey, we're trying to play whack -a -mole and put out the fires. And the CEO expressed to the market and they had a record

Matt (28:52.045)
Right.

Chris Hetner (28:55.332)
earnings this past quarter. And the CISO actually got a promotion. So this is one area that here's a little tidbit for the CISO community listening. Leverage this type of capability, this type of muscle to build yourself beyond just cyber and think about this more about digital risk management. And I will guarantee you that these types of roles around chief digital risk officers or chief business

digital resiliency officers are going to be created as a direct report to the board of directors and perhaps even the CEO. And for the CISO community that are interested in migrating and elevating their capability, this could be an interesting path for them going forward.

Matt (29:44.312)
So a tool like this sounds like it would be a great arsenal for really any organization to have. And we talked about it, obviously in the scenario of, if somebody has an incident, how might somebody or how could a company use a tool like this to help prioritize their cybersecurity efforts in terms of risk and risk scenarios that are most likely to impact them? How does, and how do you, how does this fit with like frameworks like NIST and CIS? You mentioned these before.

How do they use a tool like this to really, I guess, be proactive in terms of where they're making investments?

Chris Hetner (30:19.974)
Yeah, it's a great point. And so, you know, it's actually good timing because I just rolled off a few board meetings this past August. It was fairly busy for us. And, you know, what we do is for the board, we run these risk scenarios. And so again, we look at the type of company, the profile, where the most likely threats are going to occur. And then we run a scenario analysis through an exercise with the CEO and the board to say, hey, if we have an event,

We lost X amount of records or the ransomware resulted in X number of days in terms of business interruption. We run a chart that identifies what's the total all -in cost. How much of this can you insure you way out of it? And by the way, that's a very interesting conversation because I will tell you in engaging with enterprise risk management, in many cases, they don't have the right insurance limit.

Matt (31:15.853)
Hmm.

Chris Hetner (31:16.53)
or the right insurance policy. Like we had a manufacturer I was working with their board about a year and a half ago and they realized a two week outage as a result of like 80% of their systems were down for two weeks. Not able to produce widgets, whatever it may be. They looked to their risk manager and their broker and the insurance policy did not have a provision for business interruption. It was more designed for

Matt (31:34.242)
bad.

Yeah.

Chris Hetner (31:47.122)
personally identifiable information. So I said, so where's the abundance of PII? Well, we have 10,000 employees. So I was kind of scratching my head thinking about who performed this policy. So thinking through those scenarios on a proactive basis before the incident happens. And then more importantly, to your point, going back to the portfolio of the, I call it the CISO portfolio, including the technology

portfolio, do we have the right investments and capital to deploy to de-risk that, to prioritize our investments? And that's really kind of one of the super charges or superpowers of these types of engagements in this platform. It's able to identify where to prioritize those investments. So if you're over-leveraged here in crisis management and response, but you have weak

access management, security training awareness and asset management capability. The platform will actually help you prioritize where to deploy that capital. And so when you're having the conversation with the board and you've got a $50 million budget dedicated to cyber, you're able to help identify what levers you need to pull in order to pull that capital through. And that changes by the way, because you may go from...

you know, again, I'll make up the number, you know, 20% deployed on MFA to 80%. And, you know, if you go from 80 to 100, which is nearly impossible, but I'm just making it up. You may not really squeeze that much out of the orange. So instead of focusing on getting to like 99.9% there, you can identify where you reposition capital and maybe it's around redundancy or anti-ransomware capabilities.

Matt (33:22.147)
Right.

Matt (33:26.125)
Hmm.

Chris Hetner (33:40.454)
where you're building in resiliency into your business.

Matt (33:44.335)
That would have been so helpful for me in some of my previous roles, having that kind of data. I did not have that. Trying to build business justification was, it felt very arbitrary, right? Like you just didn't have that data. I'm glad to hear that that data is now available for, you know, folks that need to be able to do that. So that would have made my job a lot easier.

Chris Hetner (33:48.462)
Absolutely.

Chris Hetner (34:05.54)
Absolutely. And you know, the fact that this is an approach and a capability that's been selected by the boardroom community, it helps to provide the CISO with some level of coverage. If an incident were to occur, or if you're trying to identify risks in the business that haven't been exploited yet, it's an opportunity to surface this and say, hey, this is a

This is a capability that's been selected by 24,000 board members. To me, this is a, I joke about it, I call it a CISO CYA, but it really is a layup in terms of building this capability as part of your, I would call it enterprise cyber risk management capability, but then all the way upstream to senior management and boardroom reporting. The other piece here is where you have an incident

and you have to disclose to the SEC, you can run this analysis to say, based on the volume of records that have been stolen so far, based on the type of intellectual property that we lost, you're already conducting those valuations before. And so you have to just pull the trigger and say, hey, you know, and many boards like to see what's the relationship between our unaddressed cyber risk or potential incident relative to top line revenue.

Matt (35:30.487)
Hmm.

Chris Hetner (35:31.12)
and you can establish thresholds, high, low. Typically anything, three, three and a half percent of top line revenue becomes more of a high degree. And then you start having conversations with your inside counsel, outside counsel around materiality. Is this truly material to our business? And then that triggers the flow to report.

Matt (35:53.518)
So AI, we mentioned this briefly at the beginning. I want to make sure we come back to this here. It's obviously on everybody's mind. Anybody I talk to, whether they're in technology or not, it almost always comes up in conversation. I know you've been deeply involved with AI risk governance as part of your work with the NACD. For cybersecurity leaders working with AI in their organizations, which is going to be almost every company at this point,

How can they help boards strike that right balance between leveraging AI for innovation and then managing the risks? What does that look like?

Chris Hetner (36:32.006)
Yeah. So you've got to identify where the pockets of AI are going to be deployed across the enterprise. And unfortunately, there's this evil thing called shadow IT that exists in many organizations, particularly in these large complex global organizations where you've got a couple hundred thousand employees. So think about AI as another piece of technology that has extreme power, extreme capabilities, but also

Matt (36:46.605)
Yeah.

Chris Hetner (37:00.582)
you know, introduces risk, not only within the company from a deployment standpoint, but also from an adversarial standpoint. You know, it's augmenting their capabilities to become more effective in terms of infiltrating enterprises. Think about partnering again, whether it's the CTO, CIO, forming some type of AI governance committee where, you know, you're establishing that oversight.

And you're thinking through where the pockets of AI are going to be deployed or being tested across the enterprise. And then drill down into what are the business outcomes? Why are we deploying this capability? Is it, you know, if we're trying to eliminate 50% of our call center staff, are we going to leverage AI? If we're utilizing AI to, you know, gather more data in terms of, you know, on a broad basis,

whether it be external, internal, and rationalize that data to a point where we're eliminating a lot of manual efforts, that's potentially another business case. But really drill down into what's the business outcome that we're trying to drive towards. Gain that approval across your governance committee that's really overseeing this. And then from a cybersecurity standpoint, start to drill down into what I would call the basics of cyber. Understanding your digital landscape.

In other words, where is that AI being deployed? What type of data is being funneled through that AI platform? Is it PII? Is it intellectual property that's sensitive? The type of integrity measures that you should think through. What level of authentication and what level of access controls should be contemplated, and are you continuously testing? You know, what I'm saying here, Matt, is treat AI

no different than how you would treat any other technology tool, using those same basic governance principles as it relates to cybersecurity oversight. But realizing that, obviously, it has extreme power, extreme acceleration in terms of its advancements. But if you don't have the right governance construct and you're not overseeing the AI from an algorithmic perspective, that it's not drifting and the humans aren't involved in terms of

Chris Hetner (39:25.436)
you're governing and tightening down those controls no different than any other technology, then you're going to introduce a significant amount of risk exposure to the company.

Matt (39:36.32)
Are boards, at least in your experience, what you're seeing from the NACD membership, are they to the point where they're proactively asking about AI governance, or is that still, is it still early?

Chris Hetner (39:48.946)
It's been an active conversation, particularly over the last 18 months. We have a blue ribbon commission that's initiating some guidance and some recommendations around the use of AI, as well as just general digital risk management, that should be available through the NACD Summit coming up over the next few weeks, as well as within our analytics platform

that we mentioned before, X Analytics for cyber, we also have an AI risk governance platform as well. So we look at the potential ways that AI can introduce material harm to the company, but then more importantly, how do we govern the AI and what are the right level of measures and controls that we should think through?

Matt (40:41.759)
You've got a lot going on. You do a lot of different things. How do you stay sharp? Like, how do you keep your finger on the pulse of tech, of business? What's happening with boards? What's your process look like?

Chris Hetner (40:53.786)
It's having conversations like this we're having today, Matt. It's also, you know, no shortage of research in terms of new technology, new capabilities. It's speaking with the investor community. So I do a lot of work now with the venture community, particularly around understanding, you know, investments in terms of AI, cybersecurity, data security.

posture management capabilities. So working with these leading edge companies that are trying to tackle these problems. And so that tends to be a fairly efficient way to get up to speed in terms of the learning curve. We also talk with research analysts such as Gartner and Forrester. I work with, you know, obviously the boardroom community. We work with CEOs of companies, as well as speaking with CISOs. So it's just a continuous sponge

of absorbing information and more importantly, putting that to a fine point where if we have data, if we have advanced technologies that we're adopting across our enterprise, where are the material risks going to be most likely realized and what are the right level of guardrails? So that's a continuous cycle and there's no shortage of content.

As it relates to cybersecurity and AI and digital, I mean, we're just continuously advancing. I just saw recently Microsoft is going to acquire a dedicated nuclear power facility to dedicate power for their AI platform. And as you know, AI and computing power, I started building data centers back in the nineties. That was my kind of...

Matt (42:29.964)
I that.

Chris Hetner (42:45.052)
You know, segue into cyber. It consumes a significant amount of power. The chips are advanced, they're becoming more power consuming. So that's going to be interesting to see how, you know, companies like Nvidia and others, big, you know, large scale, you know, multi-tenant cloud environments are going to leverage AI, and where are they going to source that computing power in an efficient way,

because we also have to think about the environmental implications associated with how we source that power.

Matt (43:15.97)
Well, this has been an awesome interview. Is there anything else I should have asked you?

Chris Hetner (43:21.434)
I think we've got it covered. I would say, be curious, continuously learn, think about the what-if scenarios, and be creative in your thinking as it relates to how your enterprise can be undermined and compromised. And again, it doesn't necessarily have to be a malicious actor. Many of these events are caused by human error

and other facets, and bring these data points forward to senior management and the board and continue to iterate over time.

Matt (43:59.712)
I love that. Thanks for sharing your wisdom and thanks for coming on the show.

Chris Hetner (44:03.26)
Thank you, Matt. It's great to see you.

Matt (44:06.862)
Alright, stopping.