Cybersecurity – what are the boardroom implications?
Boards should ensure they have sufficient cybersecurity information and expertise to ask the right questions of management, writes Dan Swanson.
Safeguarding assets has been an important objective of all organisations for centuries. In today’s digital age, however, what does safeguarding your assets really mean? Who is responsible for it? And how is ‘protection’ actually achieved? Just as important, what threats, risks, and challenges does cybersecurity add to the organisation’s already many responsibilities?
‘Although the risks presented by technology are not new to the corporate arena, the dynamic nature of cybersecurity presents a unique challenge to companies and boards. The increasingly fast pace of technological changes creates many targets, and makes defense systems more complex and more difficult to manage and control.’ (Cybersecurity: Boardroom Implications – a 2014 NACD paper).
Who is responsible for information asset protection? While chief information security officers and chief financial officers are important players regarding information asset protection and security, they are not the true ‘guardians’ of the organisation’s critical informational assets. For example, in hospitals, CFOs are not responsible for safeguarding patient records; at insurance companies, they are not the guardians of policyholder records. In the pharmaceutical or technology sectors, the company’s crown jewels (its intellectual property) are not the direct responsibility of the CFO or the CISO.
All of these forms of data have associated expenses and are used to generate revenues (billings, annual fees, royalties), for which the CISO has ultimate security oversight. The CISO in turn must ensure the integrity of the chain of custody by enforcing rules applicable to key managers and other authorised personnel in their roles as the day-to-day ‘guardians’. In short, internal control is affected by people at every level of an organisation. In fact, many managers are more directly responsible for day-to-day asset protection than the CISO or CFO.
What are the implications? Addressing the following questions will help determine key implications of how to protect your digital assets, ensure cybersecurity is appropriately considered, and what actions to take:
will an organisation’s information security management system become critical to the safeguarding of the CFO’s financial records? Will those systems emerge as the main means of safeguarding an organisation’s assets?
will CFOs and finance staff need to understand and implement informational asset protection measures to be effective in their roles of supporting the guardians of the organisation’s assets?
will we need more guidance on the definition, classification, and protection of information assets?
will CISOs need to work more closely with and educate the finance function (and all operating departments, really) about how to best implement a sustainable information protection and security programme?
should the organisation establish a data management function and data governance policy, standards, and procedures? Both the function and governance could be headed by a senior manager reporting to the chief operating officer or chief executive officer. What role(s) should the chief information officer take in information protection?
will the board and CEO need to provide more in the way of expectations?
will internal audit and external audit spend more resources on evaluating the protection of all of an organisation’s assets, physical and digital? The internal audit function in particular needs to think more strategically about enterprise-wide security and ensure that enterprise-wide risk management is a guiding theme for prioritising the organisation’s efforts.
The bottom-line: top management must implement an information security management programme that truly safeguards all assets of the organisation, and also addresses the many risks, threats and challenges involved with cybersecurity.
Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).
The publication presents five key principles to consider:
1) directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
2) directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances
3) boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda
4) directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
5) board management discussion of cyber-risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
Are all your organisation’s assets appropriately protected in the digital age? I recommend making this a regular topic of discussion at your management committee meetings, and also put it on the board agenda on a regular basis. An effective tone at the top starts with top management and the board taking action to implement appropriate security controls.
Finally, the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. They should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programmes for managing it. The CEO should ensure the executive management team provides appropriate and ongoing attention to this critically important subject.
Given the breadth of the topic this month, I’ve included a series of leading resources and concise articles to provide further information, context, and other studies’ recommendations on this very comprehensive and complex subject.
Dan Swanson – president, Dan Swanson and Associates
1. Cybersecurity: Boardroom Implications
Cybersecurity has become an urgent concern for companies, regardless of size or industry. Data breaches and other cyber threats pose significant competitive, reputational, and litigation risks and require increasingly costly investments in detection and mitigation.
Cyber criminals are stealing up to a terabyte of data each day, resulting in global losses in the hundreds of billions of dollars. In just four years, the average annualised cost of cybercrime to an organisation has risen 78%. Further, the average time required to detect and respond to a cyber attack has increased by nearly 130%.
To help board members address this critical topic, the National Association of Corporate Directors (NACD), Protiviti, and Dentons organised a series of roundtable discussions across the country. The meetings convened three diverse groups of directors with experts in the field of cybersecurity. The purpose of the discussions was to address how cybersecurity is currently challenging boards, frame the key issues of which directors should be aware, and pinpoint areas necessitating guidance with future discussions.
Cyber threats take many forms, and the response to those threats is unquestionably a management-level responsibility. As such, the roundtable discussions focused on implications for the boardroom: how directors can effectively oversee cybersecurity risk, the necessary processes and policies to protect sensitive networks, systems, and data from unauthorised access or attack, and the potential for financial and legal problems created by cyber threats.
2. Information Security Governance (The IIA’s Global Technology Audit Guide)
Information is a significant component of most organisations’ competitive strategy, either by the direct collection, management, and interpretation of business information or the retention of information for day-to-day business processing. Some of the more obvious results of IS failures include reputational damage, placing the organisation at a competitive disadvantage, and contractual noncompliance. These impacts should not be underestimated.
This GTAG will provide a thought process to assist the CAE in incorporating an audit of information security governance (ISG) into the audit plan, focusing on whether the organisation’s ISG activity delivers the correct behaviours, practices, and execution of IS. GTAG 15: Information Security Governance will assist efforts to:
help internal auditors understand the right questions to ask and know what documentation is required
describe the internal audit activity’s (IAA) role in ISG.
3. Cyber-Risk Oversight Handbook
In the past 20 years, the nature of corporate asset value has changed significantly, shifting away from the physical and toward the virtual. One recent study found that 80% of the total value of the Fortune 500 now consists of intellectual property (IP) and other intangibles. Along with the rapidly expanding ‘digitisation’ of corporate assets, there has been a corresponding digitisation of corporate risk. Accordingly, policymakers, regulators, shareholders, and the public are more attuned to corporate cybersecurity risks than ever before. Organisations are at risk from the loss of IP and trading algorithms, destroyed or altered data, declining public confidence, harm to reputation, disruption to critical infrastructure, and new legal and regulatory sanctions. Each of these risks can adversely affect competitive positioning, stock price, and shareholder value.
Leading companies view cyber-risks in the same way they do other critical risks – in terms of a risk-reward trade-off. This is especially challenging in the cyber arena for two reasons. First, the complexity of cyber threats has grown dramatically. Corporations now face increasingly sophisticated events that outstrip traditional defences. As the complexity of these attacks increases, so does the risk they pose to corporations. As noted above, the potential effects of a data breach are expanding well beyond information loss to include significant damage in other areas. Second, competitive pressures to deploy increasingly cost-effective business technologies often affect resource investment calculations. These two competing pressures on corporate staff and business leaders mean that conscientious and comprehensive oversight at the board level is essential.
NACD, in conjunction with AIG and the Internet Security Alliance, has identified five steps all corporate boards should consider as they seek to enhance their oversight of cyber risks.