6 Concepts That Help Boards Oversee Cybersecurity
The U.S. Department of Homeland Security’s (DHS) top privacy official said today that a “clear mandate” from top management is the foundation of an organization’s ability to establish and implement an effective data security and privacy plan.
Despite the government’s massive cybersecurity failures, e.g. OPM, I still say, “Amen.”
Starting the company sprang from a belief that we had to make it possible for the board of directors to engage in cyber risk oversight, while protecting them from personal liability. We’ve found that astute corporate leaders treat cybersecurity as a company-wide responsibility, and we want to help them.
If you’re a board member, here are 6 concepts that will help you govern cybersecurity and lead your company to a better organizational risk posture:
- Combat the big assumption that security is “the exclusive domain of technologists.” Cyber risk originates from many quarters within an organization. Firewalls, intrusion detection, endpoint monitoring, and other technologies are critical but can be rendered useless by an untrained or careless employee. Workforce management must include training in security practices. Procurement officers need to place a high priority on vetting a vendor’s cybersecurity status before starting a relationship that could introduce more risk into a network (just ask Target!).
- Learn the difference between “threat intelligence” and “defense intelligence.” Security organizations often focus on the former, working diligently to find and plug every opening in the network and using technology to recognize new threats. Global threat intelligence providers report on 500,000 malicious websites, and the list turns over every day! Focusing on defense intelligence instead mitigates risk via internal changes within the organization that you control. A risk-based approach prioritizes defense intelligence over threat intelligence.
- Adopt a common standards-based model for cybergovernance. Once it’s in place, your staff will have a valid, well-defined way to measure the company’s progress in implementing effective controls and growing enterprise-wide cyber maturity.
- Realize that adding a cybersecurity expert to your board may not be a good answer to the challenge of effectively engaging the board. Beyond the fact that a severe shortage of board level experts exists, letting a director take an active role in determining specific measures could introduce an even greater amount of board liability.
- Find out who populates the informal org chart comprising everyone who plays a role in cybersecurity. While you may think Security handles everything, either you’ll find that people without that title are involved, or that they should be. Armed with this knowledge, you can encourage more multi-disciplinary collaboration that will make cyber activities more efficient and effective.
- Ask Security to redefine what “attack surface” means. It’s a common term used to describe the aggregate vulnerabilities that a firm exhibits, but it traditionally has been defined by IT statistics such as the number of network endpoints. In the list of major breaches, the root cause is almost never a lack of technology but rather the failure of an individual to realize a risk or to take an act that would mitigate it. Make the point that every employee and every partner and vendor represent part of the attack surface.
You are not alone. CEOs and directors everywhere are grappling with the threat that cyber breaches represent to the value and reputation of their company. Effective leadership involves rising to the challenge through a heightened awareness of the problem and an eagerness to apply new concepts to address it.