Two ServiceNow leaders explore the approach of giving board members
the right level of information when reporting on risk
The regulatory and compliance landscape has been an ever-moving
target, and growing in complexity. Organizations are dealing with
cybersecurity, data privacy (General Data Protection Regulation (GDPR)
and California Consumer Privacy Act (CCPA), third-party risk, and
government contracts to name a few. The complexity of providing
governance over these critical areas has drastically expanded as
organizations extend the boundaries of their environment to areas
outside of their direct control.
This heightens overall corporate risk and exposure and has become a
persistent topic among executive staffs and board of directors. Take
cybersecurity. A cyberthreat can happen anywhere within or outside the
organization. As we’ve seen in recent news headlines, a single attack
or breach can wreak havoc, resulting in the loss of revenue and
goodwill, regulatory inquiries and fines, and stock price declines.
Board members are asking what measures the organization is taking to
prevent, detect, and respond to attacks and how they are abiding by
regulatory and compliance requirements.
Ben de Bont, Chief Information Security Officer (CISO), and Andrew
Wheatley, ServiceNow’s VP, Audit, Risk, and Compliance, talk about
their approaches to reporting to the board of directors recently as
they prepare for an upcoming Now on Now webinar, “Threading the needle -
Presenting risk to the board of directors,” on Thurs., Sept. 19,
9 am PT/noon ET.
Ben and Andrew share insights
Ben joined ServiceNow as
CISO in July; Andrew has been regularly reporting on audit and
compliance to the board during his five years working at ServiceNow.
Andrew: Ben, on your second day at ServiceNow, you attended the
board of directors meeting and saw our security, risk, and compliance
update to the board. What did you think? Anything you would do differently?
Ben: The presentation had key elements necessary for a successful
narrative: messaging was concise and relevant, structured to a common
framework, and supported by the right level of data. When you can
communicate risk consistently to a board, the narrative is more likely
to be meaningful and resonate with the audience. This was very much
the case in my first board meeting at ServiceNow.
Andrew: It’s easy to go deep into the weeds. We love data, so we
like to talk about how many vulnerabilities we identified and how fast
we resolved them or our compliance using controls. But the board
really wants to hear about outcomes and trends so they can see the
program maturing over time.
Ben: Andrew, I agree. When possible, the conversation should be kept
at a high-level to avoid us tumbling down a rabbit hole and dwelling
on a single issue that eats up precious time. It’s important to stick
to the key narrative, but have details ready in your hip pocket if
needed. Introducing new initiatives or data can be tricky, so always
ensure you have a consistent format, and understand your audience.
Andrew: I like that adage: know your audience. Our board members
bring a remarkable business acumen. They look at risk and compliance
from the business perspective. We need to show them how issues impact
the business as a whole and how we are protecting against risks. I
want them to understand and validate our compliance strategy, raise
their concerns, and, then buy into our vision of success. We all want
the same thing: for ServiceNow to be successful in managing risk.
Ben: I find that the most interesting comments often come from board
members that serve on other boards. They bring those
experiences that we can learn from. Security is an
evolving landscape. We have to be ready to learn and adjust. I learn
from board members as much as they learn from us.
Andrew: Dating back 5 years, reporting to the board was a heavy
lift. We had to engage multiple stakeholders, align on data, determine
what was relevant, and then prepare our presentation. It was a
quarterly marathon, and always had a few last-minute sprint efforts.
Ben, what has been your experience in preparing for the board in the past?
Ben: I learned the hard way that you need to find the right altitude
for the presentation, then stick with it. Since board members come
from other companies and bring broader experience, it's important to
set the board content in a context that is applicable to our company.
Andrew: We have been working extremely hard to make our
presentations clear, relevant, and timely. We also have the most
success when we use a common vocabulary, common control framework, and
common controls that address risk, security, and compliance. This is
important regardless of whether we are talking about security,
privacy, financial, or regulatory risk.
When we began using ServiceNow GRC and Security Operations, our
preparation process changed dramatically. They give us that common
platform for a consistent process and standardized reporting. We can
share data that we view every day in our dashboards. Over time, we’ve
seen the board’s confidence increase because the data is consistent
Ben: Having that common reporting platform makes preparing for the
next board meeting much easier for me as a newcomer to ServiceNow. I
want to be able to communicate the key narrative of our current state
and our desired state and how these align with the company's business
objectives. Reports that focus on outcomes are a much better way to
reflect our progress and our successes and keep us out of those rabbit
holes. Any other tips for the next meeting?
Andrew: Transparency is key. They don't want to hear that everything
is rosy. They want an honest assessment of the progress we are making
against critical priorities. They want to hear where we fell short as
much as where we did well. Our data holds us accountable to that.
To hear more from Ben and Andrew, register for “Threading the needle
- Presenting risk to the board of directors,” on Thurs., Sept. 19 at
10 am PT/1 pm ET. Register for this Now on Now webinar: Threading
the needle - Presenting Risk to the board of directors..