It should come as no surprise to Boards of Directors that hacking and data breaches are increasing at an exponential rate. Nor should it be any more surprising that these hacks are not limited to just big banks (although they remain a prime target) but incorporate a wide range of industries ranging from entertainment, healthcare, and technology to the broader finance community and others.
Coupled with the rapidly evolving threat landscape (what is attacked and how) and the rapid-fire nature of those attacks, boards are challenged to understand their company’s cybersecurity readiness and the risks the organization faces. To further complicate matters, many of our board directors are ill-equipped to interpret the information provided by their executive team, primarily because they lack the deep domain expertise needed to take a deep dive into the technical information presented.
Nonetheless, in his 2014 speech (KPMG, 2016), SEC Commissioner Luis Aguilar urged boards to sharpen their focus on cyber risks: “…boards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.”
To overcome these issues, and to treat cybersecurity as more than a simple technology issue, I recommend the following five steps, largely based on the guidance provided by the National Association of Corporate Directors (NACD) (2016) and Spencer Stuart (2016):
1. Directors need to understand cybersecurity in the context of enterprise-wide risk, rather than simply as a technology or IT issue.
2. Directors must understand the legal implications of cyber risks to their organization.
3. Boards must have adequate access to cybersecurity expertise, and discussions at the board level must be held regularly and be given adequate time.
4. Directors must ensure that management accepts responsibility for cybersecurity and establishes an enterprise-wide cyber risk management framework with adequate staffing and budget.
5. Discussions between management and the board should include identification of those risks to avoid, accept, mitigate, or transfer through insurance, as well as the specific tactical plans associated with each approach.
Understanding cybersecurity in the context of risk
This is not a conversation about the technical means an attacker used to gain access to information or systems. Nor is it designed to be a conversation about the various technologies that can be implemented to address a particular vulnerability.
Rather, it is designed to be a conversation at the strategic level (and I don’t mean some ivory tower conversation that bears little resemblance to the business or the issues at hand) that identifies an organization’s “crown jewels”, where those information assets are stored, and what risk is associated with the entire security infrastructure surrounding each asset. Put more simply, follow the chain between external access and the asset, and determine which links in the chain are the weakest.
Moreover, this is not a technical conversation; it includes the aspects that would be associated with a Business Impact Analysis, which by its nature focuses on people, process, and systems. Once we understand what the critical business processes of an organization are and the means by which it generates profit, we can start to understand the enterprise risk of an asset associated with that process should it become unavailable or somehow compromised.
With this information, the board can start to have an informed conversation about which risks are acceptable and which mitigations, if any, need to be deployed.
Directors have a fiduciary duty to take sufficient steps to ensure that the organization has an adequate security program to protect against breaches of its customer data and intellectual property, and to protect the organization from the consequences of such a breach. Particular considerations in this area include maintaining records of boardroom discussions related to cyber risks and determining what to disclose in the event of an incident.
Directly from the NACD report: “Between 2011 and 2013, the SEC contacted some 50 companies to press for further disclosure and information regarding corporate cybersecurity and cyber incidents. Additionally, the SEC stated that for 2014 its examination priorities would include, among other things, “information reported by registrants in required filings with the SEC,” including on cybersecurity.”
Given this increasing focus by the SEC on cybersecurity reporting, directors should seek advice from their external counsel on potential disclosure considerations, both as a proactive risk factor and as part of the company’s broader strategy for responding to an incident.
Adequate access to expertise
Given the rapidly evolving nature of cybersecurity and the new ways technology is being deployed to execute attacks against organizations, it can be difficult for directors to understand the technical gobbledygook that sometimes highly competent technical professionals proffer to boards. To the ears of a non-technical director, it may appear as though they have just entered a brand-new world that makes very little sense to them.
For this reason alone, it is vital that boards of directors have access to competent and experienced cybersecurity professionals who not only have a deep understanding of their domain, but can also put that domain experience in the context of the business, its processes, and its people. Even more importantly, it is vital that such professionals know and understand the language of business and of governance and focus on communicating the issues that the organization faces in the context of risk.
This can be achieved in a number of ways, but one of the most effective is to ensure that at least one of your directors, if not more, has deep domain expertise in the cybersecurity space, has a broader technology background, and can overlay the language of governance and risk. Given the pervasive nature of the work that needs to be done, this expert individual should sit on the audit committee, so that they can do the deep dives needed to understand the enterprise risks.
Equally important, your organization needs to have a competent cybersecurity professional (Collett, 2016) on staff who can prepare a strategic security plan and work collaboratively with the CEO, chief risk officer, CFO, the audit staff, your application development team, the CIO, and the audit committee of the board. It is through this collaborative arrangement that the board can have the requisite level of assurance that the strategic security program is in place and adequately addresses the enterprise risks of the organization, consistent with the organization’s risk appetite.
Lastly, your management team needs to provide adequate and regular reporting that is consistent from report to report, thereby allowing directors to validate the program’s performance from one reporting period to the next. These reports should focus on the overall security program while providing the risk status of each of the major program elements. The reporting should also indicate whether risk is increasing, stable, or decreasing. Similarly, it should cover major incidents that occurred during the reporting period, what actions management has taken, including mitigations, and what reporting has been provided.
Ownership for cyber risk should be cross-departmental, rather than burying responsibility for cyber risk within the IT department. Since cyber risk impacts the entire organization, its processes, and its people, relying on a junior manager within the organization who does not necessarily see the entire breadth of operations will provide the board with a myopic view. This is clearly not the intent of managing cyber risk. Strong candidates for this role are the CFO, chief risk officer, or chief operating officer. Not the CIO. (NACD, 2016)
The board should require that the organization set up a cross-functional cyber risk management team that includes the above officer responsible for the cyber risk program, as well as the business leaders, legal, internal audit and compliance, finance, human resources, IT, procurement, and risk management.
This cross-functional team should meet regularly (in my opinion not less than once a month) so that it can manage and develop tactical responses to risk issues as they manifest. This team should also be held accountable for providing meaningful and actionable advice based on metrics.
Enterprise-wide cybersecurity program
Not surprisingly, this leads us to the requirement for establishing an enterprise-wide cybersecurity program consistent with the risks faced by the organization. The board must set the expectation with management that such a program is implemented and adequately functioning.
Validation of the adequacy of the program should be established through independent third-party audits conducted at least annually.
These audits should benchmark the organization against industry-standard information security programs (such as ISO 27001/2, NIST, etc.) and ensure that, at the very least, the organization’s information security program is consistent with and matches what the competition has implemented. In my opinion, this is the minimum benchmark rather than necessarily the aspired level to which the organization should strive.
Lastly, the board must ensure that the organization sets an appropriate budget and staffing levels consistent with the risks the organization faces. This budget and these resources must be able to address the issues associated with people, process, and technology. Tactics for addressing this range from ensuring that you have an appropriate policy framework (which is a relatively low-cost exercise) to ensuring that appropriate technical and programmatic controls are in place around the concepts of prevent, detect, and respond.
Combined with all of the above, boards of directors should engage with their executive management teams to discuss each of the various risks that the organization faces and the strategies that the organization will engage in managing those risks.
This needs to be done in a manner consistent with the risk methodology and appetite of the organization.
Establishing risk tolerance is largely about having a conversation about how much, and what types of, data the organization is willing to have compromised. (In this context, “compromised” can mean that you lose the data entirely (think data corruption or ransomware that encrypts your entire data set), that it is inappropriately disclosed, or that it is no longer available to the business either temporarily or permanently.) This conversation will quickly determine the level of risk that the organization is willing to take as it relates to its intellectual property and “crown jewels”.
The challenges faced by boards, created by the complexity of the information security domain and the associated cyber warfare being conducted by criminals throughout the world, remain daunting, but not insurmountable. Vigilance is key.
Adopting a strategic approach to managing the cyber risk and the information security program provides boards of directors with both the overview that they need to provide appropriate governance, and with the tactical insights to ensure that they understand and can provide oversight to risk management.
Breaches are inevitable, despite the best laid plans, but according to Spencer Stuart: “boards can mitigate risking damages by staying informed and ensuring that, in the event of a breach, their company is prepared to respond.”
References
Collett, Stacy. (2016, March 22). Should your board of directors include a cybersecurity expert? [Web log post]. Retrieved October 3, 2016, from http://www.csoonline.com/article/3046520/it-careers/should-your-board-of-directors-include-a-cybersecurity-expert.html
KPMG. (2015). Connecting the dots: A proactive approach to cybersecurity in the boardroom, p. 1. Retrieved from https://www.kpmg.com/BM/en/IssuesAndInsights/ArticlesPublications/Documents/Advisory/2015Documents/Cyber-Security-and-Board-Oversight.pdf
Dickstein, Michael. (2016). Spencer Stuart. Retrieved October 3, 2016, from https://www.spencerstuart.com/research-and-insight/cybersecurity
National Association of Corporate Directors. (2016). Retrieved October 3, 2016, from http://www.nacdonline.org
Rai, Sajay. (2016). ISACA. Retrieved October 3, 2016, from http://www.isaca.org/Knowledge-Center/Research/Documents/Cybersecurity-What-the-Board-of-Directors-Needs-to-Ask_res_Eng_0814.pdf
About Mark Silver
Mark Silver is a Fortune 20 CXO, Board of Directors member, and Board Chairman. He brings extensive experience and passion in technology industry leadership, enterprise governance, security, and executive management.
As an executive leader, Silver helps clients understand their strategic risk profile and mitigate risk through people, process and technology, leveraging their existing talent pool, processes and technologies, or introducing cost-effective solutions to manage risk consistent with their risk appetite and budget.
His professional experience includes being a Chief Compliance Officer, Chief Risk Officer, CIO, Chief Security Officer, and Chief Information Security Officer managing governance and compliance initiatives, audits, global projects, and international M&A.