The Board of Directors (BoD) is ultimately responsible for the futures of their companies. Shareholders expect, if not demand, that the companies they have invested in mitigate risk in every form. If there are financial irregularities that result in fines or worse, investors hold the Chief Financial Officer (CFO) and BoD accountable. The same holds true these days for security breaches.
After a very public breach in late 2013, Institutional Shareholder Services (ISS) recommended that seven of Target Corporation’s 10 board members be voted off the board. That did not happen, immediately anyway.
So, how do directors prepare for this increasing accountability? Last year, the Federal Financial Institutions Examination Council (FFIEC) released a new maturity-model-based information security guidance program. To achieve higher levels of maturity, there are requirements for specific board (or board-appointed committee) visibility into information security posture.
The Evolution of Information Security
No company can say they have zero risk of a security breach. Some, however, are at lower risk than others. The BoD needs to focus on answering the following questions:
- What is our risk profile?
- How do we know?
- How do we protect our company from breaches and their aftermath?
In the past year we’ve seen the Securities and Exchange Commission (SEC) levy fines against companies for cybersecurity lapses. Although the SEC is still apparently trying to find a balance in these penalties between symbolic and punitive, they have ‘broken the ice’ so we can expect more to come.
The Need for Board Oversight
The term ‘Risk Appetite’ is being used more frequently these days. Information security professionals have been familiar with this concept for years, and one of the things that is changing now is that this is reaching board level visibility. To that end, there should be a Risk Appetite statement, approved by the BoD, which serves as the foundation for information security programs and reporting.
Boards or BoD committees review the annual risk self-assessment and evaluate management’s decisions to prioritize and allocate resources to address the results of the assessment.
The underlying principle here is that the Board or BoD committee has direct visibility into cybersecurity posture and the efforts to relate that posture to improvement goals. An example of these recommendations can be found within the supporting documentation for Boards and CEOs for the FFIEC’s Cybersecurity Assessment Tool, released in mid-2015.
Risk Management Review
Risk management is just that – managing the intersection of threats and exposure to them. This is not ‘risk elimination’, as that simply is an unattainable goal. Managing risk begins with understanding the threat environment and knowing how your company is exposed to it.
Companies should be completing a risk self-assessment on an annual basis. This assessment must include third-party risk, as such risks have become very prominent in the last few years. The BoD should constantly be asking those responsible to demonstrate that the information security program addresses the risk profile of the company, including incident response plans that adequately address the various types of breach that can occur should controls fail.
Reporting, Reporting . . . Reporting
Getting the right information is critical to managing anything. BoDs hold the most important management positions in any board-directed company, but as far as cybersecurity is concerned, most directors know they can no longer rely on status reports such as: “We haven’t had any breaches this year, so everything is OK”.
Boards need to know what is going on within their information security programs and how effective those programs are. They don’t need data, they need information. A case in point: if a CISO reports that all internet traffic is being logged, that doesn’t mean anyone, or anything, is actually looking within the logged data for anomalous behavior, and acting upon it.
Trend data is all-important, as it provides a measure of effectiveness. Were the investments of the last two quarters worthwhile? If not, why not? Examples of useful information for board level decisions include:
- Year-over-year external penetration test (Ethical Hack) results. These establish a vulnerability baseline and/or demonstrate whether recently implemented protective measures have been successful. If there has been expansion or contraction of the target ‘footprint’, the results have to be normalized in some way.
- Security awareness training: how many people have gone through security awareness training, including data handling, electronic communications, etc.
- Results of ‘table top’ exercises simulating various types of breach and the response mechanisms for each, very similar to the Business Recovery Programs that have been in place for quite some time. Breach response procedures should also include a documented relationship with a professional forensics firm.
- Vendor management program status: different vendors/partners present varying levels of risk to an organization. The Board must be aware of how this type of risk is being managed, beginning with a prioritization of each vendor/partner based on that risk.
These are examples and not an all-inclusive list, but hopefully will spark the right conversations within the reporting structure.
The Time for Preparation is Now
While companies have to look at their current security posture and the threat environment, putting mechanisms in place for continual improvement is crucial for success in 2017 and beyond. Looking over the horizon, directors may find it useful to take these recommendations into account, if they have not begun to incorporate them already:
- Consider the most effective organizational structure to meet cybersecurity objectives; realign the C-suite if necessary, defining the responsibilities of the CSO/CISO/CCSO.
- Revisit or establish board cyber security oversight mechanisms, beginning with an approved formal ‘Risk Appetite’ statement to which all risk discussions will be related.
- Find Board-appropriate sources to stay informed on emerging cybersecurity concepts and trends. Trusted cybersecurity experts can be called upon for independent verification of internal recommendations, but there is no substitute for self-contained knowledge.
- Add a risk management review to board agendas with appropriate periodicity. As part of this review, those responsible for developing risk mitigation plans should address the risk profile of the company, including third party risk.
- Establish the metrics of success/failure and ensure they are being reported, especially with heuristic information. Cybersecurity investments need to show effectiveness over time.
The accountability of boards for security incidents will continue to grow. It’s no longer feasible to ‘blame IT’ or simply replace the CSO after a breach. After all, the board was responsible for hiring for the position. Education is of the utmost importance.
Understanding risk and its mitigation options will be a continuous process in which directors are more than informed bystanders: they will be held accountable.