Senior Consultant, Information Security Services
United States
There will always be malicious actors who find a way around any new technology that cybersecurity professionals invent. To secure organizations in the next phase of technological advancements, we need more innovative leadership approaches. The Board of Directors must become knowledgeable about the critical risks that the company faces. This requires corporate boards of directors to develop effective ways to fulfill their fiduciary responsibilities to shareholders, as well as their oversight responsibility for managing business risks. Cybersecurity is now a matter that directors cannot abdicate responsibility for, or simply delegate to operating managers. In addition to being knowledgeable leaders, they must have a personal commitment to cybersecurity. Despite knowing this, many directors still seek answers on how to proceed.
Members of the Cybersecurity at MIT Sloan (CAMS) consortium surveyed board members to better understand how they deal with cybersecurity. In the survey, only 68% of respondents said the board discussed cybersecurity regularly or constantly; 9% of board members said it wasn't discussed at all.
Board members understood their roles in several different ways. There was no consensus about what the board's role should be, even though 50% of respondents said it had been discussed. According to 41% of respondents, the board's role is to provide guidance to operating managers or senior leaders; 14% indicated they had participated in a tabletop exercise (TTX); and 23% stated they are "standing by" so that the board can respond when needed. Meanwhile, 23% of respondents said the board did not have a strategy or plan at all.
Based on these findings, the following are actions directors should take, along with smart questions they should ask at their next meeting.
It used to be thought that protecting organizations from cyber incidents was primarily about safeguarding their data. Executives were concerned about leaks of personal information, theft of customer lists, and fraudulent charges on credit cards. Although these issues remain, cybersecurity is now more than a matter of protecting data. Its role has grown as our processes and operations have been digitized, industrial complexes have been connected to control systems that enable remote control of large pieces of equipment, and supply chains have been linked through automatic ordering and fulfillment processes. At the same time, the threat landscape has become increasingly complex. Poor oversight of inadequately protected data can now lead to far more than fines. An organization's directors must have a clear understanding of both the cyber-physical and the cyber-digital threats it faces.
The BOD is responsible for ensuring that the organization has a solid plan for disasters; it is not the board's responsibility to write that plan. A variety of frameworks can support an organization's cybersecurity strategy. The most common across many industries is the NIST Cybersecurity Framework, developed by the National Institute of Standards and Technology (NIST). It is a worthwhile starting point for directors and executives because it is simple to understand and provides a structure for both short-term and long-term objectives, while giving cyber professionals many levels of detail for implementing controls, processes, and procedures. Effective implementation of the NIST framework can prepare an organization for a cyberattack and mitigate the negative after-effects when one occurs.
A key goal of cyber professionals is to ensure the confidentiality, integrity, and availability of systems and data (the "CIA" of cybersecurity). The board should discuss these too, but its own focus will differ: risk, reputation, and business continuity.
Cybersecurity professionals concentrate on the technical, organizational, and operational aspects of risk management, whereas the board strategizes about how to manage business risks. Business and cybersecurity are managed in different languages, which can make it challenging to understand the real risks and how to address them. Because of the complexity and technical nature of cybersecurity, the board may not fully understand cyber risks and the protective measures that need to be taken. The problem can be addressed, however, in several ways.
A director does not need to be an expert in cybersecurity (although having one on the board is a wise idea). The gap between the board's role and that of cybersecurity professionals can be narrowed by focusing on common goals: ensuring the organization's safety and operational continuity. First, clear and consistent communication is crucial to maintaining a high level of information sharing, system controls, and sound human behavior. Second, the organization's cybersecurity risk management practices and methodologies should be compared against established best practices. Third, directors can ask their cybersecurity executives smart questions.
Several layers of protective measures safeguard valuable information and sensitive data by addressing different attack vectors, so that if one defensive mechanism fails, another is still in place to prevent an attack. Because of its layered defenses, this multi-layered approach is often called the "castle approach."
Layers of defense often include technology, controls, policy, and organizational mechanisms. Technology defenses include firewalls (many companies have several), identity and access management tools, encryption, penetration testing, and many others. With the advent of new and persistent threats, artificial intelligence promises to strengthen these barriers. But technology alone is not enough. The SolarWinds breach was detected by an astute associate who noticed something unusual and investigated. Security operations centers (SOCs) provide that kind of oversight and human involvement, detecting things that software cannot. Even SOCs, however, cannot guarantee 100% security.
Management must establish policies and procedures that can be implemented to meet control requirements. In today's world, everyone in our organizations must provide some level of defense: everyone should be able to recognize scams and social engineering attempts so that they do not fall victim to them. Directors, too, are targets and must know enough not to be fooled by fake emails or notices.
The majority of cybersecurity problems are caused by human error. According to a Stanford University study, employee mistakes accounted for 88% of data breach incidents, a share that has continued to grow. Aligning all employees around cybersecurity practices and processes is not a technical problem; it is an organizational one. For cybersecurity to be effective, all members of the organization need to notice anomalies, alert leaders, and ultimately help mitigate risks. The most effective way to accomplish this, according to researchers at MIT, is to create a cybersecurity culture: a work environment whose attitudes, values, and beliefs encourage best cybersecurity practices. Employees commit to protecting the organization's assets in addition to carrying out their job descriptions. This does not mean every employee becomes a cybersecurity expert; it means each is accountable for acting as a "security champion." This human layer of protection prevents, detects, and reports malicious behavior.
These values and beliefs are reinforced and personified by leaders who set the tone and prioritize this kind of culture, and that is also a responsibility of the BOD. Whenever directors ask questions about cybersecurity, they signal that the topic matters to them and that corporate executives need to prioritize it. The following questions will help a board ensure that it understands how the organization handles cybersecurity. Simply asking them will also raise awareness of the importance of cybersecurity and the need to prioritize action.
There is no such thing as 100% security, so difficult decisions must be made. The BOD must make sure the organization's most significant assets are secured at the highest reasonable level. Is it customer data, the company's systems, or its intellectual property? Before anything can be protected, we must ask what is being protected and what needs to be protected. A cybersecurity strategy is pointless if we do not agree on what needs protecting.
Multilayered defenses, policies and procedures, and other risk management approaches are used to protect the organization. Boards need to know what layers of protection are in place and how well each layer protects the organization. They do not need to decide how each layer is implemented, but they must know which layers exist.
Unless the board ensures that the organization has both protection and detection capabilities, it is ignoring a crucial element of its fiduciary responsibility. Since many breaches are not detected immediately, the board must understand how breaches are detected and agree with the level of risk that this approach carries.
How will we handle ransom requests? The board is unlikely to be directly involved in the detailed response plan, but it does want to ensure that one exists. Which executives or leaders are involved in the response plan, and what are their roles? What are the communication plans (after all, if systems are breached or unreliable, how will we communicate)? Who alerts the authorities, and which authorities? Who talks to the press? To our customers? To our suppliers? Having a plan is critical to responding appropriately. You do not want to wait until a breach occurs to start planning how to respond, even though it is highly unlikely the plan will be executed exactly as intended.
BOD members would benefit from knowing their roles and practicing them. Can the board decide whether to pay the ransom, talk to the largest customers, or meet with the organization's executives in an emergency to make just-in-time decisions? It is critical to have a plan for communication between the board and executive leadership as part of the response plan. When there is an incident at your company, you want the response muscle ready to work as soon as possible. Fire drills and tabletop exercises help build that muscle memory.
Many executives surveyed about their cybersecurity plans have never tested their business recovery plans. Depending on the severity of the cyber incident, there can be significant differences in how businesses recover. An attacker who encrypts or manipulates files often makes data recovery more difficult. What is the board's responsibility for business recovery? If there is a plan, has it been tested in the context of a cyber incident?
No amount of investment will guarantee 100% security. As part of the budgeting process, it is essential that businesses ensure they have a skilled security team with the requisite knowledge and expertise. This enables them to address technical problems and understand vulnerabilities within the organization's core critical functions, so that the company can allocate investment where it is most needed. Investments should be evaluated against the organization's risk tolerance and the level of protection they provide. Cyber-attack simulations and penetration and vulnerability tests can help with this: they expose vulnerabilities, reduce risk, and ensure funds are invested according to risk exposure and budget.
Boards manage cybersecurity threats in an influential and unique way. Directors are not responsible for day-to-day management, but they are responsible for oversight and carry a fiduciary duty. Don't wait until tomorrow to ask about critical vulnerabilities. Asking smart questions in a board meeting might just prevent a breach from becoming a total catastrophe.