Not so long ago, many corporations largely relegated cybersecurity to their IT departments and stepped aside. They did what they could but were essentially passive Band-Aid artists, typically with neither the time nor the inclination to anticipate creative attacks—and certainly not the power or the funds to try to get ahead of the game.
Strategy, essentially, was nonexistent. This approach didn’t work particularly well and has become obsolete because of an explosive technological transformation fueled by global digitization, including mobile computing, the cloud, analytics and social media.
Today, the ballgame typically entails the CEO and board of directors overseeing risk management, and it has begun making a positive difference. There remains room for improvement, but overall, there has been a major leap in attention to cybersecurity with the essential help of a savvy and seasoned chief information security officer (CISO). A sound strategy is almost always part of the mix.
The timing is propitious because cybersecurity is heading in a direction in which it will get the same scrutiny as finance—i.e., the required adoption of widespread standards and the auditing of these standards, with risk insurer insistence on excellent hygiene.
Directors writ large have come to appreciate the types of threats that might target their crown jewels, how those risks would impact their bottom line and how they may be stopped or at least mitigated as proactively as possible. They are also working to ensure that cybersecurity investments are appropriate for the levels of risk faced by the organization. Too often, security budgets still remain tied to a fraction of overall IT budgets instead of being developed independently, but, thankfully, this is changing.
Fewer High-Profile Cyber-Breaches
News of this security overhaul is leaking out because of an unusual development—the relative dearth of high-profile cyber-breaches since the waning months of 2018 and throughout 2019. There have been minimal new incursions at the likes of giants such as Yahoo, Equifax, FedEx, Sony, the federal Office of Personnel Management, eBay or Marriott International.
One exception has been a woman recently charged with hacking into tens of millions of Capital One Finance Corp records in one of the largest-ever bank data thefts. But in terms of high-profile attacks, it has been just that—a notable outlier. More typical incursions include the illicit exposure of 2.3 million disaster survivors at the federal Emergency Management Agency. Another was the theft of data on 7.7 million customers at the American Medical Collection Agency, a health care debt collector. Compared to nearly year-long periods in the past, this was small stuff, and not by accident.
“Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can,” noted a report a year ago from the Directors and Chief Risk Officers Group (DCRO), an organization composed of more than 2,000 board and C-suite officers from more than 100 countries.
The budding success of top-level corporate cybersecurity oversight is particularly noteworthy given that the risk landscape is constantly peppered with new threats, regulations and evolving cybersecurity vulnerabilities and attack methods. Technology disciplines are alien to many directors and CEOs, who are most often chosen for their knowledge and experience in management, governance, accounting or finance. But they are quickly learning to approach technology-focused risk through the same lens as any other risk, by working hard to develop a rigorous understanding of the challenges and a process for managing it.
This requires, among other things, cutting through technical jargon and demanding crisp responses to questions from all-important CISOs—experts with the skills to reduce risk and who have a knack for collaboration and developing influence.
Why Governance Is Important
Cybersecurity governance is important because board directors are directly responsible for overseeing risk management. Breaches are costly and can quickly escalate into legal liability for corporations.
This level of oversight didn’t exist in the past, in part because cyber-breaches were relatively new and not deemed all that threatening. They were essentially siloed “IT problems.” But in today’s digital economy, the entire enterprise runs on IT infrastructure. So boards must oversee the strength of their internal controls and also make sure their managers are held accountable for the continuous training of other employees in security roles. Also required are checks to make sure that security teams oversee rigorous testing on a regular basis, preferably by third parties.
Particularly important for board of directors at public companies is close oversight of an information security strategy and development of a governance framework—one intrinsically linked to business objectives—to implement it. This sidesteps needlessly focusing on ad hoc tactical point solutions.
Boards increasingly assess cybersecurity risk on a regular basis and after an incident to ascertain whether or not the risk was assessed accurately. Boards with the best oversight have a director with a security background.
Continuous improvement in security measures doesn’t stop here, either.
Boards Know They Must Adapt to Changing Times
As noted in recommendations by DCRO, an organization’s security responses must continually adapt as cyber-risks evolve. In particular, boards should increasingly urge management to drop a traditional, prevention-driven approach and begin operating under the assumption that the organization has already been breached. This requires leveraging threat intelligence and threat modeling, testing defenses and reaction, and practicing what-if scenarios to determine what to do if these fail.
In addition, board directors and managers need to be increasingly vigilant about third-party cyber-risks, which create a multitude of entry points into the IT environment, many of which are likely to blend in with legitimate traffic.
Lastly, boards must make sure that employees are well-trained to act as the first line of defense, requiring a continuous learning program. Nobody should be exempt from practicing basic cyber-hygiene.
Good CISOs Are Crucial
To be sure, there is room for improvement. Directors are still hampered somewhat by their limited understanding of cyber issues and the quality of reporting they receive from management. Much of the effort to improve the situation falls on the shoulders of the CISO, as it should. The best CISOs limit techno-babble and overemphasis on operational metrics at the expense of strategic issues and also realize, in times of stress, that it’s more important to be a skillful leader than a subject matter expert.
The good news is that much more information is available today to guide CISOs on key cybersecurity issues to take up with their boards, and they are taking advantage of it.
Robert R. Ackerman Jr. is the founder and managing director of AllegisCyber, a venture capital firm specializing in cybersecurity, and a co-founder and executive at DataTribe, a cybersecurity startup “foundry” in metropolitan Washington D.C.