Understanding Cybersecurity in the Boardroom
Making More Informed Security Decisions; Bringing Security Experts on the Board; A Cybersecurity Curriculum;
When a cyberattack brings down service for a number of highly trafficked sites these days, it still makes front-page news but is no longer considered a unique or rare occurrence. Case in point: the massive distributed denial of service (DDoS) attack on October 21, 2016, that halted people's everyday activities - from online shopping to accessing digital music, news and social media sites - across Europe and the U.S. for much of the day.
The numerous websites that were affected certainly are not alone. Businesses and organizations of all kinds - from banks and department stores to manufacturers and political parties - have fallen victim to attacks by hackers, compromising millions of accounts. And the costs of these attacks are staggering: The global economy spends an estimated $445 billion annually to detect and address cyberattacks, according to the World Economic Forum.
The frequency of attacks underscores three basic facts about the state of our digital world: The web is fragile, the forces determined to disrupt it are more powerful than we think, and companies of all types and sizes need to have a strong cybersecurity plan in place.
So how are companies responding to this growing, clear and present threat? What once seemed an IT department concern now envelops all levels of management - including the full C-suite and the board of directors. As part of their responsibility for company oversight, boards must take the same vigorous, skeptical and methodical approach to cybersecurity that the audit committee employs when it examines the company's financial statements.
"The first thing the board has to recognize is that cybersecurity is a whole-of-the-company problem," says Richard A. Clarke, the former national coordinator for U.S. Security, Infrastructure Protection and Counterterrorism. "It's not only a problem for the CIO or the CISO."
Making More Informed Security Decisions
Many boards of directors, however, feel that their lack of technical and security expertise keeps them from understanding the issues enough to make effective funding and business decisions related to cybersecurity.
What can they do to gain a better grasp of the issues? Like many experts, Clarke, who held national security positions under Presidents Ronald Reagan, George H.W. Bush, Bill Clinton and George W. Bush, says the place to start is the National Institute of Standards and Technology (NIST), which has created a program aimed at managing and reducing cybersecurity risk.
The program started in February 2014 in response to a presidential executive order that called for the development of ways to improve the country's cybersecurity infrastructure. Following a yearlong, collaborative exercise with members of industry, academia and government, NIST produced a set of cybersecurity standards and best practices, referred to as the NIST Framework. In addition to helping organizations manage and reduce risks, the NIST Framework is designed to define and communicate the issues in ways every employee can understand.
"The NIST Framework is a good way for directors to think about security vulnerability," says Scott Petry, co-founder and CEO of Authentic8. "Among other things, it provides board members who don't have a technical background a means to communicate with their technical people and structure solutions."
The framework, which covers ways to identify, protect, detect, respond and recover, emphasizes that it is not a one-size-fits-all approach. It contains a variety of voluntary guidelines, among them are ones that urge companies to start by taking a hard look at their current cybersecurity posture, describe the state they'd like to achieve, identify and prioritize opportunities for improvement, assess progress and regularly communicate among internal and external stakeholders.
"If you get the governance right at the board level, you get it right throughout the organization," Clarke said. "Board members should be vetted by the company's security risk committee with briefings not in IT jargon but in the kind of English they can understand. The briefings should center on a strategy that specifies the company's risk tolerance, what it's avoiding and what's most important. It should contain a two- to three-year technology road map to achieve the goals, plus appropriate warnings. There will be a breach. The bad guys will get in. You need to have a plan for when it happens, and, like a football game plan, it's only good if you exercise it."
Bringing Security Experts on the Board
Tom Pageler, chief risk officer and chief security officer at Neustar, adds that companies should try to recruit boards of directors with security backgrounds. Once part of the team, these recruits should regularly review and participate in the company's business continuity management and crisis response through tabletop exercises. "A chain is only as strong as its weakest link," Pageler said, "which means security must include every department. If the CIO and the head of risk and security are peers, the structure allows the security teams to focus on the biggest risks."
Pageler, whose background includes stints as a special agent in the U.S. Secret Service and head security positions at a number of top firms, taught a course last month at Carnegie Mellon University's CISO Certificate Program on Security Structure and Operations. "When you are communicating to management," he told the CISOs and security leaders, "it is essential to know where you are headed, how you will get there, what risks you will and will not cover, and the resources you need to make it all happen. It's also important to demonstrate risk and security thought leadership, understand the assets the company has and understand their value to attackers."
A Cybersecurity Curriculum
Carnegie Mellon's CERT Division of the Software Engineering Institute has joined forces with the National Association of Corporate Directors and Ridge Global to develop a 20-hour online curriculum specifically to help boards of directors make more informed decisions regarding cybersecurity. Known as the Cyber-Risk Oversight Program for Corporate Directors, the curriculum includes a four-hour tabletop exercise that walks participants through a simulated attack, looks at who should be involved and examines the steps that should be taken from the board's standpoint.
The goal of the program is not to train corporate directors to become cybersecurity experts, says Summer Fowler, technical director of cybersecurity risk and resilience at CMU's CERT division. "We provide directors with the questions they should be asking their cybersecurity team," she said. "We also provide information on the metrics board members should be requesting and an overall education on how communications should work between the cyber team and corporate directors."
Underscoring the need for boards to take "the enterprise view on security" is a key takeaway from the curriculum, says Chris Furlow, president of Ridge Global. "The IT security team may be looking at cyber risk from a technology perspective, but the board member has to look at it from the business impact perspective as it relates to operations, human resources, communications and legal matters. Our program recognizes that cybersecurity is about much more than IT."
Robert Rodriguez served 22 years as a special agent with the U.S. Secret Service and is the founder and chairman of SINET. He says that companies have moved from a position of trying to protect themselves and keeping the bad guys out to an assumption that they are already in and cyberattacks are imminent.
"The CEO's question of, 'How long are we down before we are back up and operating?' should also be a question all company directors are proactively thinking about. This mindset will drive the importance of resiliency to a higher level."
Companies should also assume that every device used by employees is at risk, Rodriguez said.
"The massive expansion of devices with digital footprints has given us much more to protect," he says, "and I don't know many people who are updating the software in their toasters."