[BreachExchange] Cybersecurity: What does the board want?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 21 19:35:39 EST 2017


http://www.csoonline.com/article/3171700/leadership-management/cybersecurity-what-does-the-board-want.html

Boards of Directors are taking an increasingly active role in cybersecurity
governance. The question is: what are they looking for, and how should you
manage your security program to meet their needs?

This topic has been addressed in the “Cyber-Risk Oversight” handbook,
published last month by the National Association of Corporate Directors.
This is an update to the first NACD handbook, published in 2014. The
handbook is just that, a set of recommended practices for directors. You
can expect that your directors will be asking you these questions, now or
in the near future.

Five key principles are outlined and I will highlight the recommendations
in those principles that seem to be novel or not commonly in practice. For
more information, you can download the free content from the NACD website.

Principle 1: Approach cybersecurity as an enterprise-wide risk management
issue, not just an IT issue

If cyber-risks permeate all business processes, why shouldn’t this approach
be a no-brainer? The biggest reason is that information security has been
the domain of the CIO for many years. CISOs, often reporting to the CIO,
have been charged with information security risk management. But today,
this reporting structure may not facilitate risk management across
third-party collaboration, or IoT-based services, to name just two
expanding risk areas. One good suggestion in the NACD handbook is to
organize a cross-functional cyber-risk team, led by an officer with
well-established cross-functional responsibility. Examples are the CFO, CRO or
COO, but not the CISO. This will amplify the CISO’s expertise.

Principle 2: Understand the legal implications of cyber risks

Every security breach will result in legal action. This is pretty much a
given today. In some cases, security breaches will affect the organization
as a whole. A perfect example is the Yahoo-Verizon deal, where the newly
reported breaches may cost Yahoo shareholders $250-$350 million. I suspect
a significant chunk of this money is in reserve to cover lawsuits in
progress. Was the Yahoo board kept up to date with the state of the Yahoo
security program? That’s not known. An interesting recommendation in the
NACD handbook is to get board members involved with table top exercises
around incident response. That way, they will be part of the breach
reporting conversation.

Principle 3: Boards should have adequate access to cybersecurity expertise;
cyber-risk management should be given adequate time on board agendas

Many boards of directors are reviewing cyber-risks on a regular basis.
Cisco reports that boards and the CEO are taking the lead role in
cyber-risk management at 39% of the organizations they surveyed. However,
the NACD reports that only 15% of boards are very satisfied with the
information they are getting from management. So you need to carefully
understand the strategic information they are looking for and refrain from
operational statistics such as the percentage of systems patched.

Principle 4: Directors should set expectations that management will
establish an enterprise cyber-risk management framework

The handbook highlights the NIST Cybersecurity Framework (CSF) as a useful
approach to risk management. Many people are already using this risk-based
framework. Principle 4 also recommends doing a “forward-looking” risk
assessment. I don’t know how many people are attempting to do that. Most
are satisfied with a current state risk assessment to satisfy compliance
requirements. You really need to understand potential threats one to two
years out, given that it will take you that long to implement new controls.

Principle 5: Boards need to discuss details of cyber risk management and
risk treatment

These details include: risk mitigation, risk transfer, risk avoidance and
risk acceptance. Today, no one can mitigate all risks across the
enterprise. Boards and management need to understand where the crown jewels
are, what attacks are most likely and then defend against those. Security
risk management has always been about prioritization and still is. Also
important is to understand your organization’s risk appetite. You need to
know the maximum risk your organization is willing to accept in pursuit of
strategic objectives, and which risks fall outside the bounds of corporate
values. Those risks must be mitigated regardless of their priority ranking.