"THE DAILY CORPORATE GOVERNANCE REPORT" (for public company boards, the C-suite and GCs)

Please see the items below with the related links (NOTE: access to link content may be metered, require a no-charge registration or require a paid digital subscription).

(i) WSJ spotlight on the culprit in the recent massive data breaches at AT&T and UnitedHealth, namely the absence of "multifactor authentication" (MFA)/HBR post on cyber resilience v. cyber prevention: Although it turned out that the unprecedented, worldwide IT outage on Friday (reportedly the largest such outage in history) was not the result of a cyberattack, but rather was caused by a flawed software update by cybersecurity firm CrowdStrike (one of the world's largest, with about 15% of the market) which crashed computers running on Microsoft Windows, it certainly put the spotlight on the devastating effect a cyber incident may have on a business and its IT systems; (a) below discusses the causes of the recent massive cyber incidents at AT&T and UnitedHealth, while (b) describes the importance of "cyber resilience" over and above cyber prevention:

(a) The cybersecurity failures that led to several significant recent data breaches, including the massive recent ones at AT&T (see item (ii) from July 15/24) and UnitedHealth Group (see item (iv) from April 24/24), are discussed in this WSJ article last Wednesday, "Data Breaches Highlight Lack of Basic Cyber Controls":

"Breaches at companies including AT&T and UnitedHealth Group in recent months have one thing in common: Hackers gained access because basic security measures weren’t implemented. There was no software bug or formidable nation-state hack, or clever social-engineering tactic that let attackers in. Rather, it was because companies didn’t enable multifactor authentication on one or more key systems.

"MFA is a foundational security control that requires users to log in through several steps such as a text message code, access token or authenticator, in addition to a password. Government agencies, law enforcement and insurers have warned for years that MFA is one of the best methods for stopping most unsophisticated cyberattacks.

"Yet MFA isn’t used universally. Employees complain that it slows them down, staff forget to set it up in test environments—and then forget about those—only to leave the door wide open for hackers to get in. The consequences can cost billions of dollars. “In our current threat landscape, if you’re not using MFA anywhere it’s available, you’d better be ready to explain why,” said Jake Williams, a faculty member at cyber advisory firm IANS Research and former vulnerability analyst at the National Security Agency.......

"Meg Anderson, chief information security officer at investment-management company Principal Financial, agrees that corporate customers are at fault if a cyberattack occurs because they didn’t enable MFA on a particular application. “The responsibility is on the customer to choose a product that offers multifactor, and then to configure it,” she said. “Our policy and standards include that as a requirement,” she said. “The security team would be accountable to make sure that was happening”......."

(b) Keri Pearlson is Executive Director of the research consortium Cybersecurity at MIT Sloan (CAMS), and is a strong proponent of "cyber resilience" in a field that, in Pearlson's view, is dominated by the pursuit of "cyber prevention". Pearlson discussed the concept of cyber resilience in this HBR post last October, "A Tool to Help Boards Measure Cyber Resilience" (see item (ii) from Oct. 11/23), and discusses it again in this HBR post last Thursday, "When Cyberattacks Are Inevitable, Focus on Cyber Resilience." Below is the headnote summary to the post:

"Summary: Cybersecurity experts and the companies that employ them need to let go of their prevention mindset and adopt one focused on resilience. A prevention mindset means doing all you can to keep the bad guys out. A resilience mindset adds a layer: while you do all you can to prevent an attack, you also work with the expectation that they still might break through your defenses and invest heavily preparing to respond and recover when the worst happens. Companies that have successfully built resilience have done a few things differently: built a culture of cybersecurity, prepared and practiced their responses to cyber attacks, embraced “secure by design” principles, and put in place communication processes so they can respond no matter what happens."

Below are excerpts from the post:

"There’s a common — but serious — mistake cybersecurity experts make: they focus all their resources on keeping malicious actors out of our system.......We cannot be 100% protected from every cyber eventuality.....So, what should cybersecurity experts and the companies that employ them do? Let go of their prevention mindset and adopt one focused on resilience.

"What is cyber resiliency? And why is it different than cyber protection?: A prevention mindset means doing all you can to keep the bad guys out. A resilience mindset adds a layer: while you do all you can to prevent an attack, you also work with the expectation that they still might break through your defenses and invest heavily preparing to respond and recover when the worst happens. Resilient organizations specifically devote significant resources to drawing up plans for what they will do if an attack happens, designing processes to execute them when the time comes, and practicing how to put these plans into action. Prevention is critical — but it’s not enough......

"In my work as a researcher in conversation with chief information security officers and other cyber experts, I have noticed that many leaders focus most, if not all, of their security resources on prevention and leave recovery to business continuity plans that aren’t usually designed with cyber incidents in mind. Instead, leaders need to embrace a mindset of cyber-resilience.

"My vision of cyber-resilience is this: A company experiences a breach, but the breach does minimal if any damage: No hit to reputation, no impact on operations, no loss of financial revenue, no loss of data or other assets, no supply chain access, no loss of IP, etc. Admittedly, this vision is not likely today given the complexity of both our digital environments and the volume of potential threat vectors targeting them. But at the same time, without an aspirational goal, managers will continue to make sub-par decisions......

"What Organizations with a Resiliency Mindset Do Differently: In my conversations with cyber executives — both those involved in CAMS’ research consortium and those outside of it — I’ve found that leaders of resilient organizations do a few things differently: ........."

(ii) CISO reporting lines: to the CEO or CIO?: Andy Ellis was chief security officer at Nasdaq-listed, cloud and security firm Akamai Technologies (he is now the operating partner at YL Ventures, an American-Israeli venture capital firm that specializes in cybersecurity investments), and he discusses (with others) the reporting lines of the chief information security officer (CISO), arguing that CISOs should report directly to the CEO, in this Fortune article last Wednesday, "Why CISOs should report to the CEO—and not the CIO", with inter alia reference to this YL Ventures report, "CISO Reporting Landscape 2024":

"One in five chief information security officers report directly to their CEO. Andy Ellis says that’s not nearly enough. “It’s really about being in the room where it happens,” says Ellis......Ellis asserts that the CISO must have a seat that’s level with leaders who manage IT, legal, and finance and that by working directly with the CEO, a company’s top cyber expert can be empowered to strategize with a cyber-first mindset when a business pursues new ventures, rather than cleaning up messes after they occur.

"If for some reason the CISO is unable to report to the CEO, the next best person is the chief technology officer, according to Ellis. A survey by YL Ventures, based on interviews with 50 cybersecurity executives, found that roughly 16% have that reporting structure in place. A quarter of CISOs report to the chief information officer, which Ellis says creates “unhealthy tension.” That’s because the roles don’t neatly overlap and could result in conflict when a CISO is trying to implement cybersecurity governance across a company’s entire technology stack, while at the same time, their boss may only oversee enterprise IT.......

"CISOs should also be bolder and more precise about the data they report to the C-suite and board. Ellis says the industry lacks standardization in metrics and that the details they do share, like how many employees clicked on a suspicious link, aren’t particularly insightful. That would be like the finance department sharing how many people had a mistake in their expense report. “It needs to come up a level and it needs to be more consistent and more actionable,” says Ellis, who advocates for CIOs to have “a little more moral courage to be able to stand up and say how we’re building our technology stack is the problem. People are not the problem.”......."

(iii) press release of the day: NYSE/TSE-listed, multinational specialty pharmaceutical company Bausch Health Companies Inc. announced on Friday in this press release the appointment of a new CFO from outside the company, replacing the interim CFO, as follows:

"Bausch Health Companies Inc. today announced the appointment of two new members to its Executive Leadership Team (ELT).

-- Jean-Jacques Charhon ("JJ") will join the Company as Chief Financial Officer on August 19, 2024. JJ has over 25 years of experience in financial leadership roles with public and private companies across healthcare, high tech and services, primarily at General Electric, Hewlett Packard, Novartis and Purdue Pharma. Upon JJ's arrival, John Barresi, the Company's Interim Chief Financial Officer, will resume his role as SVP, Controller.....

"On August 19, 2024, JJ will join the Company from Signant Health where he was Executive Vice President and Chief Financial Officer and was primarily responsible for financial planning and analysis, accounting & controllership, treasury, tax and procurement......."

In connection with his appointment, the new CFO and the company entered into an Employment Agreement, the terms of which are summarized in the related Current Report filed with the SEC, as are additional compensation arrangements for the interim CFO John Barresi that were approved by the Talent and Compensation Committee of the Board "in recognition of Mr. Barresi’s ongoing critical role to the Company’s continued success."

--------------------------------------

Please contact me if you would like to be on the distribution list and receive every issue of this newsletter directly in your inbox.
