Cybersecurity challenges board relevance

It should come as no surprise to Boards of Directors that hacking and data breaches are increasing at an exponential rate. Nor should it be any more surprising that these hacks are not limited to just big banks (although they remain a prime target) but incorporate a wide range of industries ranging from entertainment, healthcare, and technology to the broader finance community and others.

Coupled with the rapidly evolving threat landscape (what is attacked and how) and the rapid-fire nature of those attacks, boards are challenged to understand their company’s cybersecurity readiness and the risks the organization faces. To further complicate matters, many of our board directors are ill-equipped to interpret the information being provided by their executive team, primarily because they lack the deep domain expertise needed to take a deep dive into the technical information provided.

Nonetheless, during the SEC Commissioner Luis Aguilar’s 2014 speech (KPMG, 2016), he urged boards to sharpen their focus on cyber risks: “…boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”

To overcome these issues, which are governance challenges rather than simple technology issues, I recommend the following five steps, largely based on the guidance provided by the National Association of Corporate Directors (NACD) (2016), and Spencer Stuart (2016):
1. directors need to understand cybersecurity in the context of enterprise-wide risk, rather than simply as a technology or IT issue.
2. directors must understand the legal implications of cyber risks to their organization.
3. boards must have adequate access to cybersecurity expertise, and discussions at the board level must be held regularly and be given adequate time.
4. directors must ensure that management accepts responsibility for cybersecurity, and establishes an enterprise-wide cyber risk management framework with adequate staffing and budget.
5. discussions between management and the board should include identification of those risks to avoid, accept, mitigate, or transfer through insurance, as well as specific tactical plans associated with each approach.

Understanding cybersecurity in the context of risk

This is not a conversation about what technical means an attacker used to gain access to information or systems. It is not designed to be a conversation that discusses various technologies that can be implemented to attack a particular vulnerability.

However, it is designed to be a conversation at the strategic level (and I don’t mean some ivory tower conversation that bears little resemblance to the business or the issues at hand) that identifies an organization’s “crown jewels”, where those information assets are stored, and what is the risk associated with the entire security infrastructure associated with that asset. Put more simply, follow the chain between external access and the asset, and determine which links in the chain are the weakest.

Moreover, this is not a technical conversation but rather includes the aspects that would be associated with the Business Impact Analysis, which by its nature focuses on people, process, and systems. Once we understand what the critical business processes of an organization are and the means by which it generates profit, we can start to understand what is the enterprise risk of an asset associated with that process should it become unavailable or somehow compromised.

With this information, the board can start to have an informed conversation around what are the appropriate risks and associated mitigations, if any, that need to be deployed.

Legal implications

Directors have a fiduciary duty to ensure that they have taken sufficient steps to ensure that the organization has an adequate security program to protect against breaches of its customer data and intellectual property, and to protect the organization from the consequences of such a breach. Particular considerations in this area include maintaining records of boardroom discussions related to cyber risks and determining what to disclose in the event of an incident.

Directly from the NACD report: “Between 2011 and 2013, the SEC contacted some 50 companies to press for further disclosure and information regarding corporate cybersecurity and cyber incidents. Additionally, the SEC stated that for 2014 its examination priorities would include, among other things, “information reported by registrants in required filings with the SEC,” including on cybersecurity.”

Given this increasing focus by the SEC on cybersecurity reporting, directors should seek advice from their external counsel on potential disclosure considerations, both as a proactive risk factor and as part of the company’s broader strategy for responding to an incident.

Adequate access to expertise

Given the rapidly evolving nature of cybersecurity and the new ways in which technology is being deployed to execute attacks against organizations, it can be difficult for directors to understand the technical gobbledygook that sometimes highly competent technical professionals proffer to boards. To the ears of a non-technical director, it may appear as though they have just entered a brand-new world which makes very little sense to them.

For this reason alone, it is vital that boards of directors have access to competent and experienced cybersecurity professionals who not only have a deep understanding of their domain, but can also put that domain experience in the context of the business, its processes, and its people. Even more importantly, it is vital that such professionals know and understand the language of business and of governance and focus on communicating the issues that the organization faces in the context of risk.

This can be achieved in a number of ways, but one of the most effective is to ensure that at least one if not more of your directors has this deep domain expertise not only in the cybersecurity space, but also has a broader technology background and can overlay the language of governance and risk. Given the pervasive nature of the work that needs to be done, this expert individual should be on the audit committee, so that they can do deep dives into ensuring that they understand the enterprise risks.

Equally important, your organization needs to have a competent cybersecurity professional (Collett, 2016) on staff who can prepare a strategic security plan and work collaboratively with the CEO, chief risk officer, CFO, the audit staff, your application development team, CIO and the audit committee of the board. It is through this collaborative arrangement that the board can have the requisite level of assurance that the strategic security program is in place and adequately addresses the enterprise risks of the organization, consistent with the organization’s risk appetite.

Lastly, your management team needs to provide adequate and regular reporting that is consistent from report to report, thereby allowing directors to validate the program’s performance from reporting period to reporting period. These reports should focus on the overall security program while providing risk status of each of the major program elements. The reporting should also indicate whether risk is increasing, staying stable, or decreasing. Similarly it should also cover major incidents that have occurred during the reporting period and what actions management has taken including mitigations and what reporting has been provided.

Ownership for cyber risk should be cross-departmental, rather than burying responsibility for cyber risk within the IT department. Since cyber risk impacts the entire organization, its processes, and its people, relying on a junior manager within the organization who does not necessarily see the entire breadth of operations will provide the board with a myopic view. This is clearly not the intent of managing cyber risk. Strong candidates for this role are the CFO, chief risk officer, or chief operating officer. Not the CIO. (NACD, 2016)

The board should require that the organization set up a cross functional cyber risk management team that includes the above officer responsible for the cyber risk program, as well as the business leaders, legal, internal audit and compliance, finance, human resources, IT, procurement and risk management.

This cross functional organization should meet regularly (in my opinion not less than once a month) so that this team can manage and develop tactical responses to risk issues as they manifest. This team should also be held accountable for providing meaningful and actionable advice based on metrics.

Enterprise-wide cybersecurity program

Not surprisingly, this leads us to the requirement for establishing an enterprise wide cybersecurity program consistent with the risks faced by the organization. The board must set the expectation with management that such a program is implemented and adequately functioning.

Validation of the adequacy of the program should be established through independent third-party audits conducted at least annually.

These audits should benchmark the organization against industry-standard information security programs (such as ISO 27001/2, NIST, etc.) and ensure that, at the very least, the organization’s information security program is consistent with and matches what the competition has implemented. In my opinion, this is the minimum benchmark rather than necessarily the aspired level to which the organization should strive.

Lastly, the board must ensure that the organization sets an appropriate budget and staffing levels consistent with the risks the organization faces. This budget and these resources must be able to address the issues associated with people, process, and technology. Tactics for addressing this range from ensuring that you have an appropriate policy framework (which is a relatively low-cost exercise) to ensuring that appropriate technical and programmatic controls are in place around the concepts of prevent, detect, and respond.

Risk management

Combined with all of the above, boards of directors should engage with their executive management teams to discuss each of the various risks that the organization faces and the strategies that the organization will employ in managing those risks.

This needs to be done consistent with the risk methodology and appetite of the organization.

Establishing risk tolerance is largely about having a conversation as to how much, and what types of, data the organization is willing to have compromised. (In this context, “compromised” can mean that you lose the data entirely (think data corruption or ransomware that encrypts your entire data set), that it is inappropriately disclosed, or that it is no longer available to the business either temporarily or permanently.) This conversation will quickly determine the level of risk that the organization is willing to take as it relates to its intellectual property and “crown jewels”.

The challenges that the complexity of the information security domain, and the associated cyber warfare being conducted by criminals throughout the world, create for boards remain daunting, but not insurmountable. Vigilance is key.

Adopting a strategic approach to managing the cyber risk and the information security program provides boards of directors with both the overview that they need to provide appropriate governance, and with the tactical insights to ensure that they understand and can provide oversight to risk management.

Breaches are inevitable, despite the best laid plans, but according to Spencer Stuart: “boards can mitigate risking damages by staying informed and ensuring that, in the event of a breach, their company is prepared to respond.”


Collett, Stacy (2016, March 22). Should your board of directors include a cybersecurity expert? [Web log post]. Retrieved October 3, 2016, from

Connecting the dots: A proactive approach to cybersecurity in the boardroom. (2015). KPMG, p. 1. Retrieved from

Dickstein, Michael (2016). Spencer Stuart. Retrieved October 3, 2016, from

National Association of Corporate Directors. (2016). Retrieved October 3, 2016, from

Rai, Sajay (2016). Isaca. Retrieved October 3, 2016, from

About Mark Silver

Mark Silver is a Fortune 20 CXO, Board of Directors member, and Board Chairman. He brings extensive experience and passion in technology industry leadership, enterprise governance, security expertise and executive management experience.

As an executive leader, Silver helps clients understand their strategic risk profile and mitigate risk through people, process and technology, leveraging their existing talent pool, processes and technologies, or introducing cost-effective solutions to manage risk consistent with their risk appetite and budget.

His professional experience includes being a Chief Compliance Officer, Chief Risk Officer, CIO, Chief Security Officer, and Chief Information Security Officer managing governance and compliance initiatives, audits, global projects, and international M&A.

Interview with a CSO

I was recently interviewed by the CISO Executive Network and my friend Bill Seiglein.

Perhaps others will find it interesting.

MEMBER INTERVIEW: Mark Silver – CSO at First Advantage

Q–What was your first job where infosec was part of the role?
A–I came to infosec in the late ‘80s as a journalist writing about technology and consumer applications. Security wasn’t a major focus then. In the ‘90s, I got involved in traditional infosec by joining a new government department in Queensland, Australia, focused on technology and its use in the enterprise. My team and I focused on R&D in the security space. We were one of the first organizations to conduct assessments and implementations of a Public Key Infrastructure (PKI), iris scanning, finger/whole-hand biometrics, retina scanning, and general network security. I saw a huge increase in security awareness after 9/11, and it was certainly one of the undivided centers of attention when I joined Siemens in 2003 as CISO for the Americas.

Q–Do you feel your role at Siemens, a large company, made an impact and reduced risk? 

A–I was fortunate to head a program I know was instrumental in changing how Siemens did business. The most fundamental change and the one I’m proudest of was introducing risk-based management to infosec using the principle of business enablement. When I got to Siemens, infosec was largely regarded as “those people who constantly say no to the business.” I adopted the mantra “information security is a process-proven business enabler.” It took about a year for us to live and breathe this, but all along I got good feedback from the business about changing attitudes.
And two technology examples: 1) introducing smart cards and PKI, which were instrumental in applying physical access controls consistently across business units to give executives who traveled a consistent way to enter multiple business areas; and 2) developing a comprehensive program to detect and remove malware. Remember, viruses and malware were among the biggest threats many businesses faced then. We also introduced critical application management and security zones to networks: the more critical the application and the more sensitive the data contained, the more rigorous the controls placed in the secure network zones.

Q–In your new role at First Advantage, both corporate and information security report to you. Can you share some pros and cons to centralizing both under one “roof”? 

A–I see only upsides. If both truly are symbiotic, then having both report to one place lets us implement strategic and systemic controls with the most potential for protecting information. As the business consolidates, rightsizes, and goes through exercises, having both functions collaborate with the facilities function lets the business minimize risks and maximize opportunities to use its workforce effectively—no more turf wars or confusion about roles and responsibilities. In short: the buck stops with me.

Q–As you assess the infosec landscape, what top 3 things should every CISO be thinking about? 
A–I’m a fervent believer in 3 priorities: 1. Every CISO should focus on ensuring that infosec enables the business while helping it understand, manage, and mitigate risk. 2. Every CISO should be a business leader first and a security strategist second. This means the CISO understands the business and its core processes–how it generates revenue, cash, and profit; the human capability and skill sets required to run it–and supporting technologies. 3. Finally, every CISO should leverage knowledge of the business and its processes to comprehensively understand and document risk and proposed mitigations, and to help the business execute those mitigations. If every CISO did these 3 things and was surrounded with talented security professionals, the business’s respect for our profession would skyrocket.

Arguments and intellectual dishonesty

There seems to be a trend among devotees of whatever dogma they pursue: “this is what I believe in/advocate for/is self-evident to me, but if you can’t see it, you must be stupid/lazy/moronic”.

Firstly, I have to admit this approach is entertaining, but also somewhat disheartening, mainly because it is *so* intellectually dishonest. And if you are reading this and getting angry because you think I am talking about your approach, well maybe I am. I don’t care if you are a right-wing fringe dweller, or a left-wing remote spectrum dweller, or a Christian, Buddhist, Hindu, Spiritualist, Jew, or some other religion. The obligation is on You to prove the validity/certainty or “truth” of your belief, proposition or theory. It is not on me/others to disprove it. (This is similar to the concept of proving beyond a reasonable doubt in criminal proceedings the *guilt* of the accused. It is not incumbent on them to prove their innocence.)

So, for example, if I were to say (please note the use of subjunctive case) that “I know for certain that the world is flat, and if you don’t believe that, you must be brain-washed by the left/right wing media and incapable of vaguely coherent thought”, I should have to prove to a high degree of veracity that the world, is in fact, flat. (And to be equally clear, I am using this as a hypothetical example rather than actually advocating this as a position.)

In my opinion, too many people hide behind political correctness, or intellectual dishonesty and pretend to adopt the moral high ground rather than adopt a more reasoned approach.

Anatomy of a Cyber Attack

During the past few weeks, I have been researching how attackers, whether they be lone-wolf hackers, crime-syndicate based, or state-sponsored, go about their work, and I discovered that there are similarities between all the attacks.

Certainly, the less experienced usually short cut some of the steps: but the serious attackers? Well, they know what they are doing, what they want, and how to get it undetected (mostly).

But this always has been a game of catchup: security professionals design and implement a new technology, and the bad guys look for either holes in the armor, or weak spots, or ways to avoid it entirely.

Regardless, this presentation (in PDF format) is available for you to review and consider. Feel free to share it with your organization, your board, or your executives. Also feel free to contact me if you would like an executive briefing.

How ready is your organization to deal with a cyber attack? Or have they already compromised your organization and you don’t know it yet?

How companies screw up customer service

We all know that customer service is absolutely critical to establishing a reputation and a relationship with those people that we would like to call our customers.

But so many companies do it badly. Let’s have a look at some examples:

“Your call is really important to us”. This would have to be one of the biggest annoyances to customers around the world. In fact, what your company is saying is “we’ve chosen the cheapest option in terms of an automated voicemail system, because we can’t possibly afford to pay a real person to pick up the phone to listen to you. However, our marketing department told us that we can’t possibly tell you that, so instead we’re going to launch this diatribe at you and hope that you believe it.”

Customers soon understand the meaning behind this recorded statement if you haven’t picked up the phone in the first 5 minutes! At this point, most customers are fairly convinced that you don’t really want to talk to them.

“Somebody will be with you shortly”. Now this would only be mildly annoying if it were in fact true. However, if you expect your customer to stay on the phone for more than 10 minutes, but tell them every 30 seconds that “somebody will be with you shortly”, you’re likely to get them seriously annoyed before a real person actually talks to them.

And what about my favorite: “please enter your 63 digit account number using the touchtone keypad followed by the hash symbol”. So, assuming that your eyesight is still capable of finding your 63 digit account number, and that you can read off the account number with one finger, hold the phone in the other hand and use your nose to punch in the numbers, you should be just fine. My challenge of course is that one of two things happens to me: either I lose my place when I get to the 53rd number and cannot remember whether I am on the 52nd, 53rd, or 54th number and now need to start at the very beginning; or my nose is simply too large to press any one number at a time and I inadvertently press two or three. Of course the challenge is that I won’t actually realize this until I get to the 63rd digit of my account number, diligently press the hash key, and the system tells me that it can’t find my account.

Now in the unlikely event that I have actually successfully entered my extremely long account number, and the system actually recognizes me, I invariably have the joy of having to speak to a customer service agent whose first words out of their mouth are “thank you for telephoning the Acme company. Would you please tell me your 63 digit account number?”

Naturally, I am starting to pull out what hair I have left.

So, after much snorting and gnashing of teeth, my adventure with telephone customer support will be at an end.

After all of this time, I am not so excited about talking to a company that doesn’t value my call, makes me wait, can’t synch the entered details between the automated system and the human, and then engages someone who can neither speak English particularly well, nor understand it.

Unexpected convergence of software and hardware

Photography has long been the domain of technology untethered to cyberspace.

However the release of the Nikon COOLPIX S800c and the $500 Samsung Galaxy point and click cameras herald a new direction: convergence of hardware and software interfaces for products that traditionally have not been in this space.

While it is a relatively new phenomenon, it should not be unexpected. Smart phones are a good early example of the integration of an operating system (a term fast becoming an anachronism; these are more popularly called things like “Jelly Bean” or “iOS”) into a traditional product.

There are also conversations about computers becoming increasingly embedded into cars, not as hidden systems (such as those that control fuel injection) but as human-interactive systems that control things like self-driving and entertainment.

I think few would argue that this is not a trend. It’s as inevitable as the Terminator saying “I’ll be back”!

If this is right, then the question for today’s business is how will this trend impact your products and services? Are you correctly positioned to leverage technology as a value add for your customers?

Equally, will you adequately address the myriad security, safety and privacy issues that such technology brings?

Sony Pictures’ Ultraviolet Columbiana doesn’t support iTunes

A scene from Sony Pictures "Columbiana" movie

So we just bought Sony Pictures Columbiana (great movie) and it includes an Ultraviolet copy.

Do you think I can get it into iTunes? Apparently not. So when I reach out to tech support for help, their basic response is “iTunes doesn’t support Ultraviolet content”. See below.
Dear Customer,

Thank you for your inquiry!

UltraViolet works on iPhones and iPads and many more devices (Windows PCs, Macs, etc.), but currently, the iTunes library does not support the listing of UltraViolet content.

Sony Pictures currently supports streaming to iPhone/iPad/iPodTouch and download/streaming to PC and Macs. Check the website where you activated your disc for details and support of the necessary software. iPhone 4S and iPad2 can stream to Apple TV using the AirPlay mirroring feature (see for details). For Friends with Benefits, Smurfs, and other Sony Pictures movies you’ll need to contact Sony –

Flixster currently supports streaming and download to iPhone/iPad, PC, and Mac (and streaming to Android). For iPhone/iPad or Android you need to download the Flixster Movies app. Check the website where you activated your disc for details and support of the necessary apps. iPhone 4S and iPad2 can stream to Apple TV using the AirPlay mirroring feature (see for details). For Horrible Bosses, Green Lantern, Harry Potter and the Deathly Hallows Part 2, and other WB movies you’ll need to contact Flixster –

Please let us know if we can be of further assistance.

Thank You,
UltraViolet Customer Care
I and millions of other iTunes users have invested hundreds of hours and many $$$ into our movie collections. To find out that a movie I just bought doesn’t fit in with iTunes just irritates me. Not because I can’t get the movie into iTunes, but because it shows Sony is more interested in carving out its own little island in the digital universe and hoping consumers will play on their terms, rather than caring about consumers and what they need.

It’s an example of fracturing the marketplace and the technology platforms, not because it’s good for consumers, but because Sony (and I am sure that others will be on the same bandwagon) thinks it is good for their business.

So you can make up your own mind about whether it makes sense to use Ultraviolet copies of movies. For me, it’s a waste of time, and I certainly won’t spend my money on Ultraviolet copies. I’ll legally get my copies elsewhere.

Thanks Sony for your consideration.

P.S. Just got a response from Ultraviolet and here it is:

Dear Customer,

Thank you for your inquiry!

You will need to contact Sony Pictures for support regarding the necessary apps and requirements to download or play your movie on your mobile device or PC/Mac.

Please let us know if we can be of further assistance.

Thank You,
UltraViolet Customer Care