The Board Has No Playbook

In the days since the US-Israel strikes against Iran, business guidance has been pouring in from analyst firms, newsrooms, and government agencies—but roughly ninety percent of the coverage focuses on cyber-attack preparedness and supply chain disruption, with the board appearing in less than one percent of what we found. Today’s conversation with Christopher Hetner—Senior Cyber Risk Advisor to the NACD, chair of the Cybersecurity, AI and Privacy committee at the Nasdaq Center for Board Excellence, and former Senior Cybersecurity Advisor to the Chair of the SEC—addresses the gap that no one else is addressing: what a prepared board actually does when the escalation arrives, how it deliberates, and whether the infrastructure to do so is even in place.


  1. The governance gap is real, and it is not new. Most cybersecurity guidance is written for operators: CISOs, CIOs, vendor risk management teams, and incident response teams. In geopolitical conflicts, risk does not stay operational. It becomes strategic, financial, reputational, and legal. That is the board’s domain. The challenge is that many frameworks stop short of the boardroom. They explain how to respond to an attack but not how directors should govern through its consequences.
  2. Boards are not buying cybersecurity services, and that is part of the problem. The cybersecurity market is worth about $300 billion today and is expected to reach $1–2 trillion in the next decade. But boards are not procuring those services. The industry operates within an echo chamber, speaking mostly to practitioners. What is missing and urgently needed is direct engagement with boards on risk governance to elevate the conversation.
  3. Boards should be asking three fundamental questions in a geopolitical escalation. First: What could materially disrupt our ability to operate? (Consider Jaguar Land Rover’s roughly five-week ransomware shutdown in September 2025, projected to cost the company and its suppliers about $2 billion.) Second: What could materially disrupt trust with customers, regulators, and investors? Third: Do we have a governance structure that can function in a crisis? Operational guidance addresses the first question. Boards must answer the second and third.
  4. Boards should think in terms of dependency risk, not sector risk. Retail, hospitality, and other non-critical sectors often assume they are not targets. That assumption is incomplete. Cyber conflict spreads through digital and operational ecosystems, not geography. Boards should ask management: What is our sectoral exposure? What are our operational dependencies on cloud providers, telecommunications, clearing systems, and energy utilities? What cascading risks do we face if one of those dependencies experiences a disruptive cyber event?
  5. Seventy to seventy-five percent of board members report they do not understand cyber reporting. Too often, reporting is tactical and disconnected from business, operational, regulatory, or financial exposure. Audit committees are fatigued by deploying capital without clarity on how it maps to risks that could materially impact the business. The gap between technology teams and the boardroom remains wide.
  6. The board’s job is not to run the response—it is to ensure the response protects enterprise value and stakeholder trust. The SEC’s cyber risk management and disclosure regulations codify this: boards must focus on structure and strategic oversight, determining how incidents impact operational condition, financial performance, supply chain and counterparty dependencies, regulatory exposure, and customer trust. That analysis should involve the CISO, GC, CRO, and CFO working together, not CISOs alone delivering tactical details.
  7. Secure out-of-band communications are now a board-level governance requirement. If crisis communications are not secure, structured, documented, recorded, and logged—and a class action or regulatory inquiry follows—that is a plaintiff’s dream. Boards need a communications infrastructure that supports multiple mediums (text, email, video), maintains logs, incorporates outside counsel and incident response firms, and accommodates board members using different email domains. The board-level equivalent of “if you can’t communicate, you can’t remediate” is “if you can’t convene, you can’t intervene.”
  8. Consumer applications like Signal and WhatsApp are not the answer. CISOs have largely received the message from general counsel: consumer apps lack user management, policy enforcement, and the enterprise controls and governance needed to maintain a defensible audit trail during incident response. Boards need the same message: their own communications infrastructure must meet the same standard.
  9. Most boards are informed but not prepared. Prepared boards have muscle memory. They have conducted crisis communication simulations. They have discussed geopolitical implications and redundancy requirements across jurisdictions. They have tested their communications infrastructure and rehearsed what happens when it fails. They have practiced disclosure decisions. They have brought high-risk suppliers into exercises. Boards that lack this preparation are reactive when the moment arrives.
  10. Three board committees share responsibility for conflict-era governance. The Risk Committee focuses on systemic, geopolitical, cyber, and AI risks within the broader context of supply chain, privacy, and data governance. The Audit Committee focuses on operational resiliency, proper investments, and internal controls. The Strategy Committee focuses on long-term corporate architecture, whether the company has the right structure in place for an evolving risk landscape.
  11. The “poly-national” company is now a board-level strategic question. Fortune’s coverage this week introduced the concept of deliberately distributed corporate architecture designed for geopolitical instability. If that is the direction corporate organization is heading, the board’s role is not to design the operating model—it is to engage management and ask whether the company’s architecture is resilient enough for the geopolitical environment it is entering.
  12. And here is the question every board chair should answer this week: If a geopolitical, technology, digital, cyber, or AI event disrupted your company tomorrow morning, could this board still communicate? Could it make decisions? Could it protect stakeholders? Could it understand within the first 24 hours how widespread the impact is, both internally and across suppliers? If the answer is no, the problem is not cybersecurity. The problem is governance readiness.

Navroop Mitter:

[00.00.02.23–00.00.29.17]

Hello, this is Navroop Mitter, founder of ArmorText. I’m delighted to welcome you to this episode of The Lock & Key Lounge, where we bring you the smartest minds from legal, government, tech, and critical infrastructure to talk about groundbreaking ideas that you can apply now to strengthen your cybersecurity program and collectively keep us all safer. You can find all of our podcasts on our site, ArmorText.com, and listen to them on your favorite streaming channels.

Navroop:

[00.00.29.19–00.00.50.19]

Be sure to give us feedback. Hello and welcome to The Lock & Key Lounge podcast. I’m your host, Navroop Mitter. I want to start with a quick note to our listeners. When we booked today’s guest, we had a different episode in mind. Originally, we were going to be talking about the shift in board-level cyber risk and governance priorities for 2026.

Navroop:

[00.00.50.21–00.01.09.21]

And then, of course, February 28th happened. The United States and Israel launched attacks against Iran. And the news cycle shifted underneath us in real time. So we decided to make a pivot, because that’s exactly what we think good governance looks like. And it’s what the show is here to do. In the days since the conflict began, business guidance has been pouring in.

Navroop:

[00.01.09.23–00.01.34.04]

Gartner has issued function-specific action items for every major C-suite role. Fortune is telling CEOs what to prepare for. Government agencies in the US and Canada are urging critical infrastructure operators to be vigilant. But if you read across all of it, there’s an unmistakable pattern that’s emerging. Roughly 90% of the coverage is focused on cyberattack preparedness and/or supply chain disruption.

Navroop:

[00.01.34.06–00.01.57.10]

A very small slice addresses other operational concerns. But the board—well, that appears in less than 1% of what we found. And it’s usually just a passive recipient of escalations. Nobody’s asking what boards should actually do when that escalation arrives. And so, that’s the conversation we’re going to have today. I’m delighted to welcome Christopher Hetner to The Lock & Key Lounge.

Christopher Hetner:

[00.01.57.14–00.01.59.13]

Thank you for having me, Navroop.

Navroop:

[00.01.59.13–00.02.27.02]

Chris, I’m really looking forward to this conversation. For our guests, Christopher Hetner is one of the most consequential voices at the intersection of cybersecurity and corporate governance in the United States. He’s a Senior Risk Advisor to the National Association of Corporate Directors, where he advises more than 24,000 corporate directors on cyber risk. And he also chairs the Cybersecurity, AI, and Privacy Committee of the Nasdaq Center for Board Excellence Insights Council.

Navroop:

[00.02.27.02–00.02.58.01]

So, totally overqualified for the conversation I’m about to have with you as a neophyte. His government career spans the highest levels of financial sector oversight. He served as senior cybersecurity advisor to the chair of the SEC and, simultaneously, as the head of cybersecurity for the Office of Compliance Inspections and Examinations. He represented the SEC Chair as a senior member of the US Department of the Treasury’s Financial and Banking Information Infrastructure Committee and served as a G-7 Cyber Expert.

Navroop:

[00.02.58.03–00.03.21.09]

That gives him a rare vantage point of having those regulatory authority, investor protection, and national security infrastructure coverage experience. Today, he advises across sectors, including as Senior Advisor to the Chertoff Group, and shares his expertise as a faculty contributor at Columbia University, NYU, and Fordham School of Law. He holds a CISSP, a CISM, and an M.S., cum laude, in Information Assurance from Norwich University.

Navroop:

[00.03.21.11–00.03.25.14]

And if I’m not mistaken, you’ve even got your own startup at this point.

Christopher:

[00.03.25.16–00.03.49.18]

Yeah. Yeah, I’ve been in the space for 30 years. Started in the mid-90s, building and operating data centers and security operations centers during the dot-com boom. Spent about 15 years on Wall Street—Citigroup. I was a global CISO at GE Capital, as well as in management consulting, running various types of cyber practices. Now, as an advisor to the NACD and Nasdaq.

Christopher:

[00.03.49.20–00.04.19.22]

I have a portfolio of companies where we work with boards directly. I sit on three boards. I also have connectivity with the—I’ll call it—the investor community that’s pouring money into AI and cyber. And essentially, my platform looks to achieve, number one, effective cyber and AI risk governance, but two, being really selective in terms of what companies are forming that will really solve these problems in an efficient way.

Christopher:

[00.04.19.23–00.04.22.15]

So, looking forward to this conversation.

Navroop:

[00.04.22.17–00.04.41.11]

Yeah. So, just a little bit of relevant experience. Okay. And with that, let’s just jump into a bit more of an overview of the topic for our guest, because some may or may not be familiar with what’s taking place. We’re recording this just days into the Iran conflict, right? It’s the Saturday before this episode is going to be published.

Navroop:

[00.04.41.12–00.05.11.12]

The guidance coming out of analyst firms, newsrooms, and government agencies is lopsided in a pretty specific way. There’s an overwhelming majority of it focused on two things—preparing for cyberattacks and managing supply chain disruption. A very small slice of it addresses other operational concerns. And, as I mentioned before, that board-level governance guidance is effectively absent. The closest thing we found to board-level direction was a Gartner report advising general counsel to determine whether to escalate materials’ impact—material impacts to the board.

Navroop:

[00.05.11.14–00.05.30.18]

And that’s where the board’s role begins and ends in the current guidance landscape. No one seems to be addressing what happens next—what a prepared board does when that escalation arrives, how it deliberates, or whether the infrastructure to do so is even in place. And so, that’s what Chris and I are going to walk through today, starting with the guidance gap itself.

Navroop:

[00.05.30.20–00.05.58.10]

Moving through what board preparedness actually looks like in a conflict scenario, and ending with the structural questions that this moment is forcing to the surface. So, let’s jump right in. Chris, since the conflict began, the guidance coming out has been lopsided, as we mentioned earlier. From your vantage point, advising 24,000 corporate directors through the NACD and through the Nasdaq, you probably see that gap as being very real.

Navroop:

[00.05.58.12–00.06.00.02]

Why do you think the board has been left out?

Christopher:

[00.06.00.04–00.06.30.01]

Well, it’s a great question. And just coming off the heels of our October 25 NACD National Summit, we had roughly 3,500 corporate directors in the facility, various types of sessions. I was fortunate to facilitate a handful of exclusive roundtables with CEOs and board members. And, over the last three weeks, the Nasdaq, as well as the NACD, ran a series of tabletop exercises to really gauge the preparedness.

Christopher:

[00.06.30.05–00.06.52.10]

But the gap is real, Navroop, to be frank with you. And it’s not new. I mean, I’ve been doing this for about 30 years, directing engagement with the board back in the, call it, 2010 timeframe when I was the CISO at GE Capital, and we were mandated to elevate our cybersecurity program to ensure board alignment and board approval.

Christopher:

[00.06.52.11–00.07.18.08]

But if we take a step back, most cybersecurity guidance is really written for operators, whether it be the CISO, the CIO, vendor risk management teams, incident response teams, and those people on the front line doing incredible work executing on the response. But when it comes to geopolitical conflicts, as they continue to escalate, the risk doesn’t necessarily remain operational.

Christopher:

[00.07.18.09–00.07.46.08]

It becomes strategic—financial, reputational, legal. And that’s really in the board’s territory. So, the challenge is that many of these frameworks operate and stop one layer below the boardroom. They explain how to respond to an attack. They understand the threat vectors and the mitigation tactics, but they don’t explain how directors should govern the enterprise through the consequences of that attack.

Christopher:

[00.07.46.08–00.08.12.23]

And so, through my advising directors, through the NACD and the Nasdaq, as well as eating my own dog food as a corporate director, I see boards asking three fundamental questions as it pertains to geopolitical escalation. Number one, what could materially disrupt our ability to operate a business, right? We saw it last September 2025.

Christopher:

[00.08.12.23–00.08.35.20]

Jaguar Land Rover had a business interruption attack as a result of ransomware and other types of tactics that completely shut down their operations for about five weeks. That’s projected to cost the company and its suppliers roughly $2 billion. So, these are not table stakes. Second would be, what could materially disrupt our trust with customers? What about our regulators?

Christopher:

[00.08.35.20–00.09.02.04]

What about our investors? And how do we message that we’re—we’ve got a handle on this? We have a process, and we’re governing it. And then third would be, do we have the governance structure that can function during a crisis? And if the structure’s not in place, then it tends to be a scramble and highly reactionary. So, operational guidance answers the first question in terms of, how will we continue our operations?

Christopher:

[00.09.02.04–00.09.13.07]

Do we have the right business continuity plans? Do we have redundancy? But the board really needs to answer the second and third question. And that’s where the governance gap remains.

Navroop:

[00.09.13.11–00.09.35.07]

And I understand the governance gap. I guess one of the things that I keep wondering about, having read so much over the past week in preparation for this recording, the question still keeps coming up—why is no one really writing about this from the board perspective, or why is there so little? There are people writing about—why is there so little being written about it from the board’s perspective, as compared to all of the other perspectives?

Navroop:

[00.09.35.08–00.09.53.00]

Right. For example, like the nerds in the basement, so to speak, right? The responders, the technologists, the CIOs, the CTOs teams—there’s so much coming out that’s been written from their perspective, so much being written about what they should be considering. Why is there such a gap in what’s been written for the boards?

Christopher:

[00.09.53.02–00.10.17.21]

Well, if you look at the—so I’ll put my investor hat on. Right. So, I advise and invest in early-stage companies, and the cybersecurity market—according to some analysis—is roughly a $300 billion market if you factor in software, hardware, professional services. And it’s growing to potentially $1 to $2 trillion, according to McKinsey’s analysis, over the next ten years.

Christopher:

[00.10.17.21–00.10.44.22]

So, that suggests that we have an enormous amount of investment and vendor procurement activity within that space. The challenge is the board is not purchasing or procuring those services. And so, that’s why I see there’s a major disconnect, because we’re kind of operating within the echo chamber where we’re speaking at each other. But I think we have an opportunity to really elevate and engage the board.

Christopher:

[00.10.45.00–00.11.09.05]

And the NACD has really done a great job at this. We’ve published various types of guidance. We have periodic handbooks that are produced. We have benchmarking data through our analytics platform that we can share with the team, where we provide the board with cyber loss projections combined with peer benchmarking analysis in terms of where the peer groups are performing, as well as what to do about it.

Christopher:

[00.11.09.09–00.11.35.03]

If you have, let’s say, half a billion dollars in unaddressed cyber exposure—and name the category—it could be a business interruption event or data loss or IP theft. Are you deploying that capital effectively? And so, those are areas that I think we can improve upon. And just continue to advance this narrative where the boardroom really has to own the governance responsibility.

Christopher:

[00.11.35.05–00.11.46.02]

And I think we’re going to—we’re starting to see the turn, that the kind of the tide turn in terms of bringing more boards into this enormous investment opportunity, in terms of what we call the cybersecurity industry.

Navroop:

[00.11.46.05–00.12.09.14]

So, that’s a perfect segue into—I think—the next question I have. Right. And that’s that so much of the coverage this time around, and that’s focused on different sectors that need to pay attention, just like in previous global conflict escalations, has been around critical infrastructure and energy sector, financial services, a handful of others, water being among them.

Navroop:

[00.12.09.17–00.12.27.05]

And one could easily, if they’re in something retail or one of these other sectors, say yeah, well, we weren’t really put on the warning list. This is probably not a big deal for us. I’m assuming they’re not saying that, but they easily could. And so, I’m wondering if one of the more important board questions might be a bit more inter—indirect.

Navroop:

[00.12.27.07–00.12.45.22]

That needs to start to be discussed is how could this conflict affect our sector through dependencies on other sectors that are actually higher on the target list? Or are we, frankly, really on a target list? And—but because it’s not critical infrastructure, technically not being called out in the same way, right—how should boards be framing that analysis?

Christopher:

[00.12.46.00–00.13.12.20]

No, it’s a great question. And, at the end of the day, boards should be thinking in terms of dependency risk, not just the sector risk. And we all depend on the energy grid, telecommunications, and increasingly dependent on cloud providers and software platforms to deliver our services and capabilities. Cyber conflict doesn’t spread by geography.

Christopher:

[00.13.12.22–00.13.42.19]

It spreads through the digital and operational ecosystem and all its dependencies. So, a board should be asking management, number one, what’s our sectoral exposure? If we’re in retail versus hospitality versus banking versus manufacturing, each one of those verticals is very distinct in terms of capabilities, how they go to market, where their operational risk exposures are, and obviously the potential for a cyber exposure.

Christopher:

[00.13.42.19–00.14.15.06]

So, are we in a sector that adversaries are primarily targeting, and how are our peer groups performing? Boards love peer benchmarking analysis. This is actually one of the superpowers of what we deliver for our boardroom. Cyber and AI risk reporting capability, made available to our 24,000 members, is to help the board understand how your sector is performing in terms of—we’ll call it—ability to detect, ability to contain, where the potential losses are. Is it IP theft? Is it a business interruption?

Christopher:

[00.14.15.06–00.14.37.22]

Where is ransomware occurring? And then, secondly, what are those losses manifesting into? Are they in the millions and tens of millions? Hundreds of millions? And then the final is, where do we deploy that capital? And then that’s a major gap that we see between the technology cyber functions and the board. I would say, second is understanding your operational dependencies.

Christopher:

[00.14.37.22–00.15.15.04]

So, we talked about cloud providers. If you’re in the banking industry, you’re reliant on clearing systems. There are designated market utilities, as per Dodd-Frank, that are considered significantly important market utilities that transact and process and clear trillions of dollars a day. What’s our dependency on telecommunications? Logistic platforms? Energy utilities? So, you start to paint that map in terms of not only are we dependent on certain systems and processes and technology within the four walls of our company, but here’s the spread, right?

Christopher:

[00.15.15.04–00.15.44.05]

In terms of where our external exposure is from a dependency perspective. And then, third, what’s the systemic cascading risk? Right. Can we operate without some of these providers delivering services? So, if one of these sectors experiences a disruptive cyber event, how quickly does that affect our ability to operate? And the board-level exercise has to become less about, are we a target—easy questions—yeah.

Christopher:

[00.15.44.07–00.16.03.14]

And more about what happens to us if something or someone else is that target. And then the shift becomes focusing on directors needing to make decisions around, are we dependent? If this provider goes away, can we resort to a plan B and continue servicing our customers?

Navroop:

[00.16.03.14–00.16.23.16]

Yeah. And it sounds like, then, that Gartner focusing on those various parts of the business, like the chief human resource officer, the chief information officer, the chief financial officer, the chief information security officer, and the supply chain and comms leads, isn’t necessarily a bad thing. It sounds like those are the folks who are going to be providing inputs to the board.

Navroop:

[00.16.23.20–00.16.40.13]

Right? And so if the board does get some escalation brought up to them, either by the GC or one of these functional leaders in the organization, right—because the GCs are being advised to determine whether to escalate material impacts to the board—so if something is brought up, what does the board need to be prepared to do with it?

Christopher:

[00.16.40.17–00.17.06.07]

Yeah. Look, this was a cornerstone when I was advising. I advised two chairs of the Securities and Exchange Commission. I was actually the first cybersecurity advisor to the chair’s office—I actually created the office. And one of the centerpieces of our regulations around cyber risk management and disclosure was to help guide the board and the enterprise in terms of determining what is a material event.

Christopher:

[00.17.06.10–00.17.25.13]

Right. As soon as we plug our computers to the internet, as soon as we send an email, we’re totally exposed to any type of incident. And it could be both malicious and nonmalicious. But as we prepare boards, they should be moving quickly into focusing on the governance functions—and when it comes to material impacts.

Christopher:

[00.17.25.14–00.17.50.11]

And this is actually codified within the SEC regulation. The structure and the strategic oversight of the board needs to put focus on if this event, or if we actually—we used to say, “if this event occurs.” We now pivoted to, “when this event occurs.” Right. What’s its impact to our operational condition? How will it materially impact our business?

Christopher:

[00.17.50.16–00.18.16.14]

What are the potential implications to our supply chain dependency, counterparty dependency? How is it going to impact our financial performance? Do we have any regulatory exposure? Right. And then, how do we maintain integrity associated with our customers and maintaining that customer trust? And that should be the strategic oversight of the board and the enterprise risk management team.

Christopher:

[00.18.16.16–00.18.40.13]

In collaboration with the CISO, the general counsel, the chief risk officer, the CFO—to deliver how the board should be evaluating the enterprise impact and not the tactical details. And unfortunately, 75% of my boardroom community is still lost in terms of how these cyber threats can manifest to a business, operational, financial condition.

Christopher:

[00.18.40.13–00.19.06.10]

The technology teams get too mired into the details. Second would be crisis governance. I mean, assuming that this is going to happen and we’re going to have a handful of these incidents a year, the board should confirm, do we have secure communications? Are they functioning? Do we have out-of-band communications? Is there a crisis management structure that’s developed and been activated?

Christopher:

[00.19.06.12–00.19.27.16]

And are roles between management and the board clearly defined? And I would also include into that—and this was a conversation we had during our exercise last week, where we had close to 50 board members in the room, putting them into the hot seat. Some of the best practice suggests that, as part of these exercises, you bring in your high-risk suppliers. Right?

Christopher:

[00.19.27.16–00.20.14.00]

So if 80% of your operation is dependent on three suppliers, you should be engaging and mandating those suppliers to perform and participate in your exercises on a periodic basis. And then, third for the board is, okay—so we have an obligation to disclose to our investors. We have regulatory exposure. The proxy advisers, be it Glass Lewis or ISS, are mandating that boards demonstrate how they exercise cyber and AI oversight, and have that process and that machinery within the enterprise to make a determination on how incidents are to be realized from a materiality perspective.

Christopher:

[00.20.14.02–00.20.42.13]

And how does that trigger regulatory obligations? And it’s not only the SEC. It could be multiple jurisdictions. If you have lost data regarding personal information or personal health care information, and you operate in 20 states, you’re going to have 20 distinct reporting mandates. And so, the board’s job is not to run the response. The board’s job is to ensure the response protects and preserves enterprise value and stakeholder trust.

Navroop:

[00.20.42.13–00.21.00.15]

Yeah, I mean, you said a lot there, right. And one thing I want to go back to quickly is, I just want to make sure I understood this correctly. Are you effectively saying that, when it comes to being informed about a cyber risk versus being prepared to govern through it, 75% of the boards that you’ve seen are underprepared?

Christopher:

[00.21.00.18–00.21.30.08]

I’d say that’s being generous. Again, I’m fortunate and honored to serve a community of 24,000 board members. I serve on multiple boards on an annual basis. I’ll advise a dozen or so boards directly and observe. And I would tell you, when it comes to a cyber report out, on average, 70, 75% of our board members suggest that they don’t understand the reporting.

Christopher:

[00.21.30.10–00.21.59.13]

It’s too tactical. It’s not aligned to our business operational. And I would call it a regulatory and financial exposure analysis. And there’s a lot of fatigue, particularly within the audit committee that really holds the lens on the financials—a lot of fatigue as it relates to deploying capital, and unclear where that capital is being deployed against those risks and threats that can materially impact the business.

Christopher:

[00.21.59.15–00.22.28.01]

And so, I think we clearly have an opportunity to do better. We launched, about two and a half years ago, a cyber risk and AI reporting capability that helps to address that gap. So, the CISO doesn’t necessarily have to level up to understand the entirety of the enterprise but can rely on advanced analytics and frameworks that engage enterprise risk management participants to deliver that holistic view.

Christopher:

[00.22.28.04–00.22.30.17]

But that’s the state of where we are. Unfortunately.

Navroop:

[00.22.30.20–00.22.52.10]

You mentioned something else. Unprompted, of course, you mentioned out-of-band comms. And so, given what we do, I’m going to have to jump in on this topic now, right? Historically, we used to get a lot of pushback around whether or not out-of-band communications were really necessary. We have 14 other comms protocols. I’ve got Zoom, I’ve got email, I’ve got chat, I’ve got Teams.

Navroop:

[00.22.52.10–00.23.13.07]

I’ve got sort of other ways to communicate. Is it really that big of a deal? And just this January—right, so maybe weeks before this conflict began or end of the month—Gartner put out some ransomware guidance for the first time in years that explicitly calls out encrypted out-of-band communications as a non-negotiable incident response requirement.

Navroop:

[00.23.13.09–00.23.23.08]

And that guidance was written for CISOs. It sounds like what you’re saying is, boards also need to be asking about their own communications infrastructure and whether or not it meets the same standard.

Christopher:

[00.23.23.10–00.23.49.11]

Absolutely. I mean, if you’re running comms in a distributed way, as you articulate it, that’s not well structured, documented, recorded, logged—and let’s fast forward, let’s say you have an event and suddenly there’s a class action suit against the company. They’re clearly going to target the directors and officers, and that is a plaintiff’s dream, right.

Christopher:

[00.23.49.13–00.24.24.14]

They—and/or regulatory trend—where are your communications? There’s a record. Is it safeguarded? And so, we have to start pivoting towards an out-of-band communication channel that’s secure, that delivers multiple mediums—whether it be texting, email, or video—as well as the ability to maintain logs and maintain the ability to not only secure communications within the four walls of the company, but also have the ability to incorporate comms from outside parties such as your outside counsel, your incident response firms.

Christopher:

[00.24.24.15–00.24.30.18]

Perhaps your board members have a different email. So, we have a long way to go in terms of maintaining those communications.

Navroop:

[00.24.30.21–00.24.48.23]

Yeah. For the longest time, we used to hear CISA saying, well, I’m just going to go to my Signal or my WhatsApp. They seem to have gotten the memo now, finally, from the general counsel that those consumer applications are lacking user management policy enforcement. But, importantly to your point, lacking in those enterprise controls and governance around an audit trail.

Navroop:

[00.24.49.01–00.25.09.12]

And so, as a result, they seem to have gotten that message, which is why we often now say, if you can’t communicate, you can’t remediate. And turning to those, is it going to let you do it in a way that you’re allowed to? So, you need that security that imposes governance. It almost sounds like there’s a new board-level equivalent we should be saying, which is, if you can’t convene, you can’t intervene.

Christopher:

[00.25.10.08–00.25.38.16]

Yeah. I mean, the analogy I use is, let’s say you and I are on the board, or we’re two counterparties doing an acquisition of a company. There are deal rooms where folks can jump into a secure container with credentialing and multifactor authentication, and the documentation—the comms—do not leave the deal room. And so, I think we need to see a similar type of construct for crisis management, crisis communications.

Navroop:

[00.25.38.20–00.26.02.01]

I do think that’s a topic we should revisit, because we are very much familiar with some of the leaks and/or challenges related to some of those deal room communications. Ultimately, it’s encryption at rest and in transit that isn’t necessarily protected to that same degree. And now, we have seen multiple instances of forms of espionage helping user deals.

Navroop:

[00.26.02.03–00.26.21.02]

And so, I do think that’s a topic that should also be revisited. But let’s kind of jump back into the topic we’re on today. It sounds like there’s a scenario that most boards haven’t really rehearsed, and that’s that you need to convene urgently in the middle of an active incident. The communications infrastructure you normally use is compromised or gone, right?

Navroop:

[00.26.21.02–00.26.45.20]

Or perhaps the IDP or the SSO has been weaponized against you, so you can’t trust that your attackers are not jumping into the middle. It could be because of a cyberattack or an underlying physical infrastructure failure. Gartner actually chose to flag that latter category, right? They flagged this happening in real time—underwater cables being cut in the Red Sea, or AWS data centers losing power, or entire regions losing connectivity.

Navroop:

[00.26.45.23–00.27.07.12]

I actually want you to put your board director hat on. But for companies that are outside of the United States, that rely heavily on U.S.-based SaaS platforms for their critical comms—because in those physical infrastructure failures, they lose access to some of that, or if they potentially have to self-isolate, they lose access, right—so it’s a question for those boards.

Navroop:

[00.27.07.16–00.27.18.20]

What does resilient governance actually require? And how should they be thinking about this right now? Are we going to have to start thinking through sovereign deployments that are country-specific for certain critical capabilities?

Christopher:

[00.27.18.22–00.27.45.00]

Well, the board should be engaged with ongoing briefings, obviously, in terms of our threat and where we have potential exposures in terms of maintaining continuity, and continuity could be communications. It could be gauging or supporting our customers. But a prepared board has that muscle memory, and boards that are prepared have done things like crisis communication simulations.

Christopher:

[00.27.45.02–00.28.12.11]

Talking about the geopolitical landscape, what are the geopolitical implications? Let’s say one country is isolated. It can’t communicate with the other. What are the implications in terms of maintaining redundancy? And if you operate across different types of countries, I recall maintaining—gosh, when I was a CISO at GE Capital, I had 60 countries under our portfolio, and each country had their own unique requirements, particularly in Europe, around privacy.

Christopher:

[00.28.12.11–00.28.35.18]

Some data could leave the country, some data couldn’t leave the country. You have various types of encryption standards. So, having that well-organized and established, and mandating that management has that under control and defined, and ensuring that those requirements are continuously updated as the threat landscape shifts—as well as all the regulatory requirements shift—and then testing the communications, right, through the exercises.

Christopher:

[00.28.35.18–00.29.06.23]

And what if the test fails? What’s the redundancy plan? And then performing disclosure decision rehearsals. In other words, have they practiced this kind of crisis comms before the moment arrives? And I would say most boards today are informed but not prepared. And so, that’s a transition opportunity where we need to improve quickly, because boards are beginning to recognize that cyber incidents are not just IT incidents. They are enterprise events.

Navroop:

[00.29.06.23–00.29.26.03]

Yeah. I have a feeling we’re going to see more and more pushes to have certain redundant capabilities be re-onshored—almost the equivalent of what we went through in COVID, where we said we want to have far more manufacturing bought—brought back to the States, because it was a supply chain disruption where I think we were relying on India or China to deliver the pharmaceuticals we need.

Navroop:

[00.29.26.06–00.29.48.15]

But that actually almost then dovetails into something else that we saw in preparing for this—in this segment. We saw an article by Diane Brady. I believe it was originally published in Fortune. I think it’s been republished in Yahoo since then. It’s just from this past week. That’s on the concept of the poly-national company, a deliberately distributed corporate architecture designed for, I think, this kind of geopolitical instability.

Navroop:

[00.29.48.15–00.30.05.10]

Right. If that’s the direction of corporate governance—or is heading, if you would—who at the board level is supposed to be asking whether the company is built for that, and whether that answer is yes, or who’s supposed to lead that pivot? I’m assuming that’s a board-level strategic discussion, not just C-suite leadership.

Christopher:

[00.30.05.12–00.30.30.05]

Yeah, the responsibility typically sits with three distinct board committees, and they all work together, by the way. They’re—but the committees kind of operate autonomously, then come together as a collective unit, if that makes sense. But number one would be the risk committee. And the risk committee typically—and should be—contained and focused on systemic risk, geopolitical risk.

Christopher:

[00.30.30.07–00.30.53.07]

When I talk about cyber and AI, that belongs in the risk committee, but it’s complementary to these other domains such as geopolitical supply chain, privacy, data governance. Second would be the audit committee, that really focuses on the operational resiliency. Do we have the right investments in place, and do we have the right and proper internal controls to manage the risk?

Christopher:

[00.30.53.09–00.31.18.17]

And then third would be the strategy committee. How do we think about long-term corporate architecture? So, if we have a line of sight into the risk landscape over the next 18 months, do we have the right architecture in place? What investments do we need to make, and how do we kind of follow that through to make sure that we’re keeping up with the evolving risk landscape, particularly from a geopolitical perspective?

Christopher:

[00.31.18.19–00.31.44.02]

The board’s role is not to roll up their sleeves and design the operating model. The board’s role is to engage, ask, and demonstrate that management is maintaining a corporate architecture that is resilient enough for the geopolitical environment we are entering. That’s a strategy question. And that’s not just a cybersecurity question.

Navroop:

[00.31.44.04–00.31.52.20]

Well, with that said, if you could put one question in front of every board chair in America this week—just one—what would it be?

Christopher:

[00.31.52.23–00.32.17.09]

Oh, wow. Well, I threw it out there last week during our board exercises. So, I would ask—I’ll frame this in such a way—where if a geopolitical technology, digital, cyber, AI event, right, disrupted our company tomorrow morning, could this board still communicate, right, amongst each other with management? Do we have the ability to make decisions?

Christopher:

[00.32.17.12–00.32.42.04]

And then ultimately, are we protecting our stakeholders? And do we have an understanding in terms of how widespread this is in terms of within the company, or we’re dependent on suppliers and have that—has some of those answers in place within the first 24 hours? Because if the answer is no, the problem isn’t cybersecurity. The problem is governance readiness.

Navroop:

[00.32.42.08–00.33.04.12]

Sounds like four or five compound questions to get to one. Okay. Chris, look, you’re on a podcast that’s called The Lock & Key Lounge. So, obviously, we tend to have a little bit of fun with that, mainly because it’s reminiscent of kind of the speakeasy or bar scene. And so, if you’ve got time for one more question, I’ve got a fun closing one we try to end on.

Navroop:

[00.33.04.12–00.33.21.10]

Chris, if you—you’ve just helped a board navigate its first real test of conflict-era governance, and the escalation came in, the secure channels held, and the company came through with its data and its reputation intact. What are you pouring to celebrate?

Christopher:

[00.33.21.13–00.33.47.20]

After a situation like that? Okay. Well, I would sit back and engage the board and the management team to say, this was well earned and we’ve achieved our stated objective. We’re not done, but probably a solid 18- or 24-year single malt scotch. Because when a company comes to a crisis with its operations intact, they’re not losing hundreds of millions of dollars.

Christopher:

[00.33.47.20–00.34.03.18]

Its customers are protected, its reputation is preserved. That outcome doesn’t happen by accident. It happens because the board and the management are prepared before the crisis ever arrives. So, that’s exactly what good governance is supposed to do.

Navroop:

[00.34.03.23–00.34.12.22]

I think that’d be a well-earned 18- to 24-year-old single malt scotch. I’ve got a few upstairs ready for just that kind of moment.

Christopher:

[00.34.12.22–00.34.13.13]

Okay. Looking forward to participating with you.

Navroop:

[00.34.13.13–00.34.28.13]

So, I’m looking forward to this. One of these days we’re going to get together in person, and we’re going to do just that. I’ve got a few that actually need to be opened up at this point. All right. Well, Chris, look, I really appreciate you coming on to The Lock & Key Lounge. This has just been a wonderful conversation.

Navroop:

[00.34.28.13–00.34.51.13]

I think it’s one a lot of board members needed to have. There probably aren’t as many having it as we would all hope, given some of the stats you shared. And so, to our listeners, the guidance flooding in right now is addressed to your CISOs, your CFOs, and your GC. But the board is really where governance lives, and governance does not pause for a conflict, and the escalation is coming.

Navroop:

[00.34.51.13–00.35.07.12]

So the channels need to be in place before it does. The playbook has to exist before the moment arrives. And so until next time, govern like the stakes are real because right now they very much are. This is The Lock & Key Lounge. Thank you for being here.

Christopher:

[00.35.08.05–00.35.09.20]

Thank you.

Matt Calligan:

[00.35.10.07–00.35.40.03]

We really hope you enjoyed this episode of The Lock & Key Lounge. If you’re a cybersecurity expert or you have a unique insight or point of view on the topic—and we know you do—we’d love to hear from you. Please email us at Lounge@ArmorText.com or our website, ArmorText.com/podcast. I’m Matt Calligan, Director of Revenue Operations here at ArmorText, inviting you back here next time, where you’ll get live, unenciphered, unfiltered, stirred—never shaken—insights into the latest cybersecurity concepts.