In an era when data breaches can lead to corporate losses and ruin brand reputations, cybersecurity is no longer just an IT issue, it’s a board-level issue
The question of what corporate boards should be doing and how governments can help them was the topic of a session at the RSA Conference in San Francisco, moderated by Larry Clinton, president and CEO of the Internet Security Alliance. The Internet Security Alliance publishes the Cyber-Risk Oversight Handbook, which is a guide for corporate boards on how to consider cybersecurity risk-related issues.
“The whole idea behind the guide is to basically take cybersecurity and embed it in the sorts of things that boards do and talk about, like growth, productivity as well as mergers and acquisitions,” Clinton said.
Clinton noted that fundamentally there are several key principles that the guide suggests corporate boards consider. The first principle is that boards recognize and understand that cybersecurity is not just an enterprise IT issue – it is an enterprise-wide management risk issue.
Panelist Nora Denzel, who serves as an independent board director at AMD, Ericsson and Norton LifeLock, commented that thinking about cybersecurity more holistically means that it’s not just thought of as a cost center. Rather, cybersecurity is an enterprise-wide strategic risk that has to be managed.
Stefan Becker, head of the Private Sector Office for the German Federal Office for Information Security, said that the idea of looking at cyber-risk more holistically is one that resonates in Germany too.
“We can’t just think about cybersecurity as being about agencies or any one department,” he argued. “Everyone in an enterprise has to think about cybersecurity – that’s the key
to improving business impact.”
Boards Need to Work With IT Management
Another key principle outlined in the handbook is that it’s critical that corporate boards work with enterprise IT management, which is a point that was emphasized by Daniel Kroese, acting deputy assistant director at CISA.
“In the handbook, it states that it is incumbent on the decision makers and the places of authority in organizations to develop a full enterprise risk management cyber-framework, where the governance structure, the accountability, the people, processes and resources are abundantly clear,” Kroese explained.
By having that framework, Kroese said that it’s possible to dispel the myth that cybersecurity risk cannot be quantified. While it might be hard to get an exact number, he argued that, with a framework, accountability and risk can be managed.
Part of managing risk is being aware of threats, which is where the US government is playing a role. Kroese noted that CISA has information sharing programs to help corporate boards and executive management make strategic decisions about cyber-risk. Since the government has a broader view, it can also help identify areas of systemic risk, where risk spans multiple organizations and even industries.
The Human Element and the Role of the CISO
During the question and answer session that followed the panel, a member of the audience asked what CISOs should do to help the board.
Denzel commented that she tries not to ‘rough up’ the CISO, because she knows there is a labor shortage in cybersecurity. Rather, she said the boards she’s on prefer to give the CEO a hard time.
“Part of your role is to educate us,” she added. “Most boards don’t have a tech background.”