Six Ways Directors Can Move Organizations to Cyber Maturity
The increasing realization that cybersecurity is an organizational issue, not simply an IT problem, is leading members of corporate boards to ponder what role they should play in addressing cyber risk. Beyond protecting themselves from personal liability, astute directors view improving the cyber maturity of the organization as part of their fiduciary duty.
A recently published article outlines the challenges that cyber risk poses, and the leadership opportunities it offers, to directors of companies in the defense industry. The points made apply universally, and they suggest pragmatic actions non-technical directors can implement to move their organization toward cyber maturity:
- Ensure that cybersecurity is managed by the appropriate board committee. Making cybersecurity a focus at each board meeting ensures that cyber risk becomes a high priority. “Without board leadership, a company’s cyber defenses may languish and its response to material cyber incidents is likely to be haphazard. Over time, this approach increases the risk of a significant loss that would harm shareholder value and expose directors to shareholder litigation — and the prospect of personal liability for directors.” Ensure that governance guidelines and committee charters include cybersecurity as a critical part of risk oversight.
- Encourage management to mold the corporate culture into one that takes cybersecurity seriously. Matt McCabe, senior vice president of network security and data privacy at Marsh FINPRO, estimates that 70% of breaches are caused by an external third party. Breaches are most often not a failure of technology, but a failure by employees (see “Redefining the Cybersecurity Attack Surface”). Instead of looking only to IT for solutions, “mandate a company-wide cybersecurity training program and instruct management to review and update existing training programs to address new threats.”
“Companies spend millions of dollars on firewalls and secure access devices, and it’s money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems.”
Kevin Mitnick, hacking expert
- Protect shareholders and management from claims by overseeing cybersecurity policies, engaging in cyber strategy, and carefully documenting activities. Directors are increasingly liable for ensuring that companies take cyber risk seriously. While they are at risk themselves, that risk extends to the management team and shareholders as well. The current estimated cost of a cyber breach is $4 million. Regulatory actions and derivative suits can be averted or, at the least, mitigated not only by ensuring engagement in cybersecurity across the organization, but also by aggregating information about all the measures being taken in board minutes and repositories. Presenting the plaintiff’s attorney with such data discourages pursuit of litigation.
- Ensure sufficient allocation of resources to implement cyber measures. Companies are used to managing technology resources very closely. CIOs are expected to make spending decisions based on the return on investment (ROI), and their budgets are watched closely by upper management. Calculating ROI for cyber measures is difficult, yet these expenditures are sometimes treated like any other technology spending. Enlightened directors overseeing cyber risk can help ensure that sufficient allocations are made to mitigate cyber risk.
- Encourage the executive team to implement assessment and monitoring of compliance requirements. The government seems to be inching its way toward mandatory compliance with cyber risk guidelines. While the NIST Framework is cited as the gold standard, the cyber portions of industry-specific frameworks like the HIPAA Security Rule and FFIEC’s Cybersecurity Assessment Tool demand attention as well. Board members can help companies prepare for future regulations by urging management to fund efforts now to comply with key industry cyber benchmarks.
- Include cybersecurity assessment as part of the due diligence conducted on potential acquisition candidates. Financial, legal, and IT due diligence are the accepted practice during the investigation phase before an acquisition. Each area is important in evaluating potential post-acquisition risks, but just as important is gauging the amount of cyber risk a potential acquisition will add to the acquiring company. An extreme level of cyber risk could reduce the ROI of an acquisition enough to cancel it. A more likely scenario is the identification of cyber spending to be budgeted for during integration of the new entity.
Directors have an opportunity to change the way companies think about cybersecurity. By treating cyber risk on a par with financial and legal risk, board members align their fiduciary responsibilities with the current cyber risk reality.