[BreachExchange] How Boards Can Prioritize Cybersecurity in Corporate Governance

[Audrey McNeil]

https://dzone.com/articles/how-boards-can-prioritize-
cybersecurity-in-corpora

Boards are responsible for the health of the company and its ability to
fulfill its mission on behalf of its owners. This is why most boards put a
lot of effort into effective risk management with robust processes in place
for compliance, financial risks, and M&A activities. What they very often
fail to do, is to incorporate robust controls for the cybersecurity of
their company’s operations. In fact, a study surveying a large number of
board directors show that risk and security are the areas they feel are the
most challenging to cope with, yet are also the areas where they feel the
strategic threat is lower than many other threats such as financial or
compliance risks. This, in spite of the spikes in cyber attacks hitting
businesses globally in 2016, and that the average cost of a data breach has
been estimated to about 4 million USD (by IBM). The key to understanding
both the underestimation of the risk posed by cyber threats and the lack of
good processes to follow up cybersecurity risks as a corporate governance
activity are both linked to the cybersecurity skills gap – that reaches all
the way to the senior leadership and board levels.

Getting the Cybersecurity Processes in Place

It is not easy to close the skills gap at any level but one should also not
underestimate what can be achieved through the use of good practices,
educating the staff, and integrating the approach to risk management into
the operations of the company.

Where to Find Best Practices?

Cybersecurity has come a long way, and several standards and practice
documents exist, ranging from detailed technical requirements to management
processes. Building an information security management system is no easy
undertaking, but using a risk-based approach and following the same
principles that are used for other governance structures help. Making ISO
27001 (an international standard) your basis for information security
mangement will put you off to a good start. To get a practical how-to on
building up such a system, see this post: How to build up your information
security management system in accordance with ISO 27001

Metrics and Context: the Link Between Operations and Strategy

The board can not head into every aspect of security operations, nor does
it (typically) have the expertise to dive into all the details. That’s why
it is important to develop a robust set of security metrics that can be
reported to the board, making sense of both the threat landscape, the
context, and the maturity of the company to deter, detect, and deny cyber
attacks, as well as to recover from those that inevitably will outsmart
your defenses. Developing metrics should be done such that it fits with the
greater strategic picture, recognizing that cybersecurity also ties into
all of the firm’s operations. Viewing the metric game should thus include
the financial perspective (most companies focus a lot on this), the
customer perspective (tends to be forgotten in security), the learning and
innovation perspective (often done only on the tactical level, not linked
to strategy) and the internal process perspective (sometimes dominating,
sometimes not existing at all).

In addition to developing metrics, boards should also be kept up to date on
the risk context: what are our most valuable data assets and IT
infrastructures? How is our standing with respect to hacker interests
(scripters? hacktivists? nation states?). Do we have good people management
in place, and how does our internal corporate life affect the insider
threat? It is the responsibility of the CISO to educate the board enough to
make them capable of both asking these questions and understanding why they
are as important as understanding the strategic fit in an M&A transaction.

The Compliance Link

Compliance is already on the table, and cybersecurity regulation is taking
shape in different jurisdictions. Mapping out regulatory compliance
requirements to cybersecurity, as well as data privacy, is key to ensuring
compliance in today’s operating environments. In the EU and EEC area, a new
regulation is coming into force in 2018 with strict requirements for most
businesses dealing with customer data – yet few companies are ready to deal
with this. Bringing the cybersecurity domain into the compliance picture is
a necessary cornerstone of corporate governance, and for strengthening
board focus. For an overview of new requirements to businesses from the
General Data Protection Regulation (GDPR), see here: What does the GDPR
(General Data Protection Regulation) mean for your company’s privacy
protection and cybersecurity?

The People Factor

Boards are no better than the people sitting on them; this is why getting
technical competence on boards should be a major priority for stockholders.
We are living in the age of digitalization, of machine learning, and of
cyber threats: believing that we can deal with these without technical
competence also on the top of governance is simply superstition.

Also, for the processes to work, it is important that everyone has a feel
for what secure behaviors are, and what constitutes risky behaviors
(without rewards). Driving security awareness in the corporate culture is
also a key factor for directors, and overseeing this as part of risk
governance should be a board priority. Almost every breach starts with a
social engineering campaign – getting your people on the right side of the
knowledge gap is probably the best investment you can make after turning on
your firewalls, autopatching your computers, and removing an end-user’s
admin rights.

To drive awareness in an effective manner, make sure it is suitable for its
audience, and that it is not a one-off e-learning module to click through.
Building a security aware culture is a process of change, not a simple
training event: When does cybersecurity awareness training actually work?

Take-Away Points

These are your talking points from this article – bring them to your next
board meeting or coffee break at work:

Boards lack competence in cybersecurity, causing inefficient governance,
and underestimation of risk exposure.
To build better processes, start with an information security management
system. You do not have to reinvent the wheel, ISO 27001 is your starting
point for best practice.
Choose your security metrics wisely, and build them into the overall
strategy map covering financials, customers, organization and learning, and
internal processes – or whatever perspectives your operations are built up
around.
Make sure you understand your compliance requirements when it comes to
cybersecurity. For the EU the GDPR is an essential starting point.
The make governance processes work you need all your people on the right
side of the competence gap: make sure everybody knows and understands how
to deal with cyber threats in their current roles in the company.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170407/537ba0aa/attachment.html>