Governing Cybersecurity Risks in the Corporate Boardroom

5 min read
(June 30, 2023)

Cybersecurity can no longer be the concern of just the Information Technology department. Within organizations, it needs to be everyone’s responsibility, including the board’s.

Today, more than ever, the demands of cybersecurity clash with both the need for innovation and the push for productivity. Increasingly, cybersecurity risk includes not only the risk of a network data breach but also the risk that the enterprise itself is undermined through business activities that depend on open digital connectivity and accessibility. As a result, learning how to deal with cybersecurity risk is of critical importance to an enterprise, and it must therefore be addressed strategically from the very top. Cybersecurity management can no longer be a concern delegated to the information technology (IT) department. It needs to be everyone’s business, including the board’s.  

Cybersecurity Plunges into the Boardroom  

Breaches have become so routine that only the most spectacular events, such as the prominent breach at the credit reporting agency Equifax Inc. that affected some 143 million U.S. consumers, make headlines. Corporate boards of directors are expected to oversee cybersecurity, despite the fact that most boards are unprepared for this role. A survey by the National Association of Corporate Directors (NACD) found that 58% of corporate board member respondents at public companies believe that cyber-related risk is the most challenging risk they are expected to oversee. A company’s ability to manage this risk has far-reaching implications for its stock price and reputation, and for the professional reputations of its directors.  

The view that directors are not sufficiently prepared to deal with cybersecurity risk has raised alarm bells in boardrooms nationwide and globally. Even as companies increase their investments in security, we are seeing more, and more serious, cyberattacks. If corporate boards are not sufficiently prepared to deal with cybersecurity, how likely are they to be able to judge the effectiveness of current and proposed cybersecurity strategies? How can they know what operationally effective cybersecurity should look like and how it should evolve? And how can directors know what to ask so that they can make the right cybersecurity investment decisions?

The Foundation of Critical Thinking

In our work with dozens of companies and in surveys of executives, we have found that many directors currently cannot ask the right questions because they lack meaningful metrics for assessing the cybersecurity of their business. First, directors need basic training in cybersecurity that addresses the strategic nature, scope, and implications of cybersecurity risk. Within companies, operational managers, security specialists, and directors alike need to adopt a common language for talking about cybersecurity risk. Second, top management needs to provide meaningful data not just about the state of data security, narrowly defined as viruses quarantined or intrusions detected, but also about the resilience of the organization’s digital networks. This means having strategies to sustain business during a cybersecurity breach, to recover quickly in its aftermath, and to identify needed improvements to the digital infrastructure. Networks constantly change, so tracking cyber risks and vulnerabilities over time and adapting accordingly is essential.  

Exemplary Practices

Building on insights from the surveys cited above, we have developed a four-part approach to help organizations manage cybersecurity more effectively and formulate digital resilience strategies. It involves educating company leadership; developing a common language for management and corporate directors to discuss cybersecurity issues; understanding the difference between security and resilience; and making both security and resilience strategic corporate imperatives.

  1. Educate company leadership. 

    Cybersecurity risk shouldn’t be treated strictly as an IT issue. In terms of risk management, both security and resilience need to be managed as issues of importance to the entire enterprise. Increasingly, directors and senior management are being held accountable for the security and resilience of networks and data.

    Board members must therefore understand the issues at stake and accept their fiduciary responsibility for their organization’s cyberdefense posture. Company leadership must have an unambiguous understanding of the key elements of security and resilience. To be effective, directors need sufficient knowledge to understand and approach cybersecurity broadly as an enterprise-wide risk management issue. Directors need to understand the legal implications of cybersecurity risks as they relate to their company’s specific circumstances.

  2. Develop a common language.

    Boards must have adequate access to cybersecurity expertise, and their discussions about cybersecurity risk management should be a regular part of each board meeting agenda, with sufficient time allotted. Moreover, board engagement regarding cybersecurity issues should not be restricted to yearly or semi-annual reports. Digital security specialists, like all subject-area experts, must be able to communicate effectively with board members and other leaders.

    Meetings with CISOs and other security professionals mean nothing if technical experts and directors are unable to understand one another. Information security executives must be capable of presenting information at a level and in a format that is accessible to nontechnical corporate directors. Ideally, assessments of cybersecurity, digital resilience, and cybersecurity budgeting should be expressed using metrics that objectively and unambiguously score risk, reward, cost, and benefit. For their part, directors should make themselves conversant in the basic principles of digital networking and security.

  3. Distinguish between security and resilience.

    Companies should draw a clear distinction between digital security and digital resilience. Digital security focuses on essential protective measures, including such traditional defenses as effective antivirus and antimalware software, adequate firewalls, and employee education in safe computing practices. Digital security is therefore a technical issue. In contrast, digital resilience is a business issue: it concerns how the whole organization continues to conduct business in a digital environment, including while an incident is under way.

    To the degree that an element of an organization’s security implementation impedes business (for example, by arbitrarily restricting access to data), it may provide adequate security, but it is poor business practice: it makes the company more likely to fail and therefore less resilient. In assessing the organization’s strategic cybersecurity policy, the board must balance resilience against security, with priority given to resilience. Over time, your network will be penetrated. Therefore, resilience (the ability to respond to incidents and breaches and keep operating) should be prioritized over the forlorn hope that security alone will be a silver bullet. Security will not enable you to continue to conduct business during a breach. Resilience will. The board must provide the necessary leadership in advocating for whole-enterprise resilience policies and practices.

  4. Treat security and resilience as strategic business issues.

    Directors must set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget. The board’s discussions with management concerning cybersecurity risk should include identifying which risks to avoid, which to accept, and which to mitigate or transfer through insurance — as well as specific plans associated with each approach. In concert with top management, the board should create a clear statement of its role in overseeing, evaluating, and challenging the company’s digital security and resilience strategies.

    The statement should clearly define and assign responsibilities and must delineate the differing roles of the board and senior management. Within the board itself, cybersecurity and digital resilience must be the responsibility of all directors and not be relegated to a committee or subcommittee. Nevertheless, boards should consider assigning one cyber-savvy director to take the lead on issues of security and resilience, and, when recruiting new directors, companies should seek out people with appropriate cybersecurity expertise.

The board should continually reassess the overall budget for security and resilience and redirect investments as necessary. Given that the number and seriousness of breaches are growing, it is clear that most organizations need to evaluate their cybersecurity investments more rigorously and effectively. Improving the ability to measure and quantify cyber-related risk is vital to this step, because it allows cybersecurity and resilience to be evaluated for their impact on the entire business.