Cyber Security Risk is a Board-Level Issue

For years, cyber security professionals have struggled to bring the importance of dealing properly and promptly with cyber security risks to management’s attention. They have had to overcome obstacles such as the gap between business and technology terminology, the difficulty non-infosec people have in understanding the exact nature of cyber security risks, explaining to the business what the consequences may be when those risks materialize, and what actions the responsible business owners should take to mitigate them. That understanding has now been established, helped by compliance requirements and by regulations on cyber security, critical network and infrastructure protection, and personal data protection, although the most responsible companies never had to wait for laws and regulations to set up their risk management systems properly.

Based on interviews conducted with 200 CISOs in the UK and the USA in 2019 [1], the following findings illustrate the progress made in positioning cyber security at the top of their organizations’ agendas:

· 96% either slightly or strongly agreed that senior executives have a better understanding of cyber security than they did five years ago.

· 67% said their businesses prioritize cyber security above all other business considerations.

· 76% indicated that cybersecurity risk has become important enough to businesses that CISOs will begin to be named as CEOs.

The professional community has done a good job. However, it is time to move forward, or one level up: cyber security now more than ever needs to be seen not only as a regular agenda point at management meetings, but also as an important Board-level issue. And the CISOs (Chief Information Security Officers) need to be prepared to step up once they are called to the Board meeting.

The average cost of a data breach today is $3.9 million, inclusive of legal fees, fines, lost productivity, crisis response efforts and remediation, and the loss of intellectual property, competitive insights, or consumer trust can often be the greatest source of long-term damage in the wake of a breach [2]. Given that, and given that the Board owns the organization’s strategy, there is no question that cyber security related risks need to be clearly understood by the Board members.

The US National Association of Corporate Directors (NACD) defines the following cyber risk oversight principles [3] by which responsible Boards should be driven:

1. Boards need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

2. Boards should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.

3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

4. Board directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget.

5. Board-management discussion about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

However, the problem lies in the current capabilities of both the Board members and the CISOs to meet these expectations.

Typical Board members are former business executives who have led a variety of operational functions and have an orientation toward financial metrics. For them, cyber security risk and its technical concepts and vocabulary often feel foreign; their average age is 63, and most likely they did not encounter cyber security risk during the course of their careers [4].

On the other side, typical CISOs come from an IT or audit background, often do not think in Board-level terms, have a primarily tactical focus, and are often struggling to secure the organization from cyber threats while staying in compliance with the frameworks and complex regulatory requirements. CISOs also often do not have all the necessary information about the strategic initiatives the Board is concerned with, and most importantly, they do not communicate the issues to the Board directly, but through the CEO or the executive management who are usually present at the Board meetings.

How, then, can these gaps be closed? By identifying the common language both the Board and the CISO understand, and that is the language of risk management. This means clearly setting the risk appetite, establishing objective risk metrics, monitoring the key risk indicators, and setting an adequate risk management strategy with the required actions, which the CISO can then execute through a cyber security program that is understood and supported by both the management and the Board.

The Board will typically want to know what the top cyber security risks for the organization are, how effectively the cyber security program addresses them, whether the organization is equipped with the right skills and technologies to defend against evolving threats, whether there have been any significant incidents or data breaches, how efficient the security spending is, and what the state of compliance with cyber security related regulations is. They would also like to be informed about the cyber security risks associated with any important business initiatives, with the supply chain, and with any prospective mergers and acquisitions.

In getting ready for the meeting with the Board, the CISO should address all these concerns in a format that is relevant to the audience and easy to understand. It is not the responsibility of the Board to become IT experts, but the Board must know what questions to ask the IT departments. In addition, boards must provide the leadership and the commitment necessary, by proactively overseeing and holding management and the C-suite responsible, to make protecting the organization from cyber-attack a priority [3]. The top cyber security risks the organization is facing, and their potential impacts, should whenever possible be expressed in the financial terms the Board understands best.

The CISO should also use this opportunity to present efficiently the major cyber security improvement projects and challenges, the current state of the cyber security program, its influence, and its efficiency, using objective metrics wherever possible.

Research conducted in February 2020 [5] found that the Board does take cyber security seriously: 47 percent said that cyber security is a “great” concern to them, they are more likely than CISOs to think that cyber threats are a “high” or “very high” risk to their business (90% vs 66%), and they are aware of the high-pressure nature of the CISO’s job, with 74 percent saying they believe their security team to be moderately or tremendously stressed. Nevertheless, many still hold the CISO responsible for a breach and expect them to deliver more value to the business.

Following the approach presented here will give the Board a deeper understanding of the CISO’s work and a deeper, informed involvement in what it takes to deal with cyber security risks. This will enable much stronger management support for cyber security initiatives at all levels of the organization, reduce the organization’s exposure to cyber security threats, and make the CISOs’ lives much less stressful.

References

[1] https://www.helpnetsecurity.com/2019/09/24/ciso-role/

[2] https://www.ibm.com/security/data-breach

[3] https://www.oas.org/en/sms/cicte/docs/ENG-Cyber-Risk-Oversight-Handbook-for-Corporate-Boards.pdf

[4] https://insights.diligent.com/cyber-risk

[5] https://www.securitymagazine.com/articles/91652-new-survey-reveals-ciso-stress-and-the-toll-it-takes


We have been more aware than ever, unfortunately, about the reality of #hacking and the importance of moving forward in this area. Still, some governments, authorities and media are not proving to show commitment in this area. Even when there have been great goals and advances, as #blockchain and rigorous and hard work performed by top professionals in the area, authorities insist on promoting measures just in the opposite sense. Sample of Spain could be (probably) the worst sample: day to day, Government keeps approving law measures which constrain privacy and intimacy. It seems that the virus and healthcare protecting is being instrumentalized and used as an excuse to have more control over citizens. In our country, legal framework about those sort of fundamental rights is everything but real.

Crucial my dear. Allowing myself to share it over my personal page. I do believe that simultaneously with the #digitalization process that the world is experiencing this year as a consequence of the pandemic, #cybersec processes and sources are, as a consequence, a #must.

Tiago Caldas

MSc / CISSP / OSCP

4y

This article is a must read for any cyber security professional (especially managers) since it depicts in a very concise and clear manner the essence of the role. Congratulations Ms Biljana!
