[BreachExchange] Corporate Board Responsibility - The Cyber Security Buck Stops Here

[Audrey McNeil]

https://www.infosecurity-magazine.com/opinions/corporate-board-
responsibility/

The Board of Directors (BoD) is ultimately responsible for the futures of
their companies. Shareholders expect, if not demand, that the companies
they have invested in mitigate risk in every form. If there are financial
irregularities that result in fines or worse, investors hold the Chief
Financial Officer (CFO) and BoD accountable. The same holds true these days
for security breaches.

After a very public breach in late 2013, Institutional Shareholder Services
(ISS) recommended that seven of Target Corporation’s 10 board members be
voted off the board. That did not happen, immediately anyway.

So, how do directors prepare for this increasing accountability? Last year,
the Federal Financial Institution Examination Council (FFIEC) released a
new ‘maturity model’ based information security guidance program. To
achieve higher levels of maturity, there are requirements for specific
board or board appointed committee visibility into information security
posture.

The Evolution of Information Security

No company can say they have zero risk of a security breach. Some, however,
are at lower risk than others. The BoD needs to focus on answering the
following questions:

What is our risk profile?
How do we know?
How do we protect our company from breaches and their aftermath?

In the past year we’ve seen the Securities and Exchange Commission (SEC)
levy fines against companies for cybersecurity lapses. Although the SEC is
still apparently trying to find a balance in these penalties between
symbolic and punitive, they have ‘broken the ice’ so we can expect more to
come.

The Need for Board Oversight

The term ‘Risk Appetite’ is being used more frequently these days.
Information security professionals have been familiar with this concept for
years, and one of the things that is changing now is that this is reaching
board level visibility. To that end, there should be a Risk Appetite
statement, approved by the BoD, which serves as the foundation for
information security programs and reporting.

Boards or BoD committees review the annual risk self-assessment and
evaluates management’s decisions to prioritize and allocate resources to
address the results of the assessment.

The underlying principle here is that the Board or BoD committee has direct
visibility into cyber security posture and the efforts to relate that
posture to improvement goals. An example of these recommendations can be
found within the supporting documentation for Boards and CEO’s for the
FFIEC’s Cyber Security Assessment Tool, released in mid-2015.

Risk Management Review

Risk management is just that – managing the intersection of threats and
exposure to them. This is not ‘risk elimination’, as that simply is an
unattainable goal. Managing risk begins with understanding the threat
environment and knowing how your company is exposed to it.

Companies should be completing a risk self-assessment on an annual basis.
This assessment must include third party risk as these have become very
prominent in the last few years. The BoD should constantly be asking for
demonstration by those responsible that the information security program
addresses the risk profile of the company, including incident response
plans, adequately addressing various types of breaches, should controls
fail.

Reporting, Reporting . . . Reporting

Getting the right information is critical to managing anything. BoDs have
the most important management positions in any board directed company but
as far as cybersecurity is concerned, most directors know they can no
longer rely on status reports such as: “We haven’t had any breaches this
year, so everything is OK”.

Boards need to know what is going on within their information security
programs and their effectiveness. They don’t need data, they need
information. A case in point: if a CISO reports that all internet traffic
is being logged, that doesn’t mean anyone, or anything, is actually looking
within the logged data for anomalistic behavior – and acting upon it.

Trend data is all-important, as it provides a measure of effectiveness.
Were the investments of the last two quarters worthwhile? If not, why not?
Examples of useful information for board level decisions include:

Year over year external penetration test (Ethical Hack) results – this will
show vulnerability baselining and/or demonstrate if recently implemented
protective measures have been successful. If there has been expansion or
contraction of the target ‘footprint’, the results have to be normalized in
some way.
Security awareness training – how many people have gone through security
awareness training including data handling, electronic communications, etc.
Results of ‘table top’ exercises simulating various type of breach and
response mechanisms, very similar to Business Recovery Programs which have
been in place for quite some time. Breach response procedures should also
include a documented relationship with a professional forensics firm.
Vendor management program status – different vendors/partners present
varying levels of risk to an organization. The Board must be aware of how
this type of risk is being managed, beginning with a prioritization based
on that risk for each vendor/partner.

These are examples and not an all-inclusive list, but hopefully will spark
the right conversations within the reporting structure.

The Time for Preparation is Now

While companies have to look at current security posture and threat
environment, putting mechanisms in place for continual improvement is
crucial for success in 2017 and beyond. Looking over the horizon, directors
may find it useful to take these recommendations into account, if they have
not begun to incorporate them already:

Consider the most effective organizational structure to meet cyber security
objectives - realign the C-suite if necessary, defining the
responsibilities for CSO/CISO/CCSO
Revisit or establish board cyber security oversight mechanisms, beginning
with an approved formal ‘Risk Appetite’ statement to which all risk
discussions will be related.
Find Board-appropriate sources to stay informed on emerging cybersecurity
concepts and trends. Trusted cybersecurity experts can be called upon for
independent verification of internal recommendations, but there is no
substitute for self-contained knowledge.
Add a risk management review to board agendas with appropriate periodicity.
As part of this review, those responsible for developing risk mitigation
plans should address the risk profile of the company, including third party
risk.
Establish the metrics of success/failure and ensure they are being
reported, especially with heuristic information. Cybersecurity investments
need to show effectiveness over time.

The accountability of boards for security incidents will continue to grow.
It’s no longer feasible to ‘blame IT’ or simply replace the CSO after a
breach. After all, the board was responsible for hiring the position.
Education is of the utmost importance.

Understanding risk and its mitigation options will be a continuous process
of which directors will be more than informed bystanders…they will be held
accountable.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170202/821c2a6a/attachment.html>