As many organizations start to plan for another year, the heated topic of cybersecurity and risk starts to move to the top of corporate planning agendas. I was at a meeting of lead directors and cybersecurity came up. Almost half of them wanted to know what questions they needed to ask so they could avoid liability if there were a breach. We realize that board members come from a broad set of backgrounds and the challenges introduced by cybersecurity for most of them are new and not part of their core expertise.
Up until recently, these issues have been managed by people well-hidden in the IT organization's hierarchy. We think this is what makes board members nervous -- and why they ask questions about liability, instead of questions about how to address the real situation. Given our long history of engaging both board members and C-level executives in this area, we felt it appropriate to discuss three key areas that must be addressed as this topic grows even more relevant for executives and directors higher in the corporate hierarchy:
1. Disclosure & Crisis
The United States Securities & Exchange Commission (SEC) has issued guidance on proper disclosure of cybersecurity risks and incidents. In addition to standard regulatory disclosure (Sarbanes-Oxley, Dodd-Frank, PCI, HIPAA), the new guidance creates a need for a board of directors to jump into this topic feet-first. As a result, board members need to:
a. Briefing: Receive an immediate briefing on this new guidance from the company's executive team or corporate counsel. It is critical to understand that this is now squarely your issue to deal with as a board member.
b. Reporting: Ensure that you are comfortable with the company's quarterly and annual reporting on this topic -- the reporting does not have to be packed with technical detail, but it needs to clearly articulate the cybersecurity risks and control measures that affect the organization. In the end it is ultimately your responsibility as a board member to ensure that the company has adequate cybersecurity protection, procedures and public disclosure in its filings.
c. Ask Why: Be prepared to ask "why?" According to the SEC, if an organization states that it does not believe it can or will be breached, it may be asked to disclose why this is the case. The SEC has already issued commentary directing filing organizations to publicly disclose this information. Think of it this way: as an experienced leader and manager, let your professional skepticism or "spider-sense" kick in when you feel that answers are either incorrect or evasive. One example we've seen is that many managers state that they have "all the necessary technology," but when prompted about how much is 'deployed and working as intended,' the responses vary widely. You should make it obvious that you are concerned about this topic. In the process you will find that your interest and participation reap additional unforeseen benefits as the (often) disconnected nature of this part of the business is reduced.
2. Riches, Ruins & Regulations
The 3Rs to start any Security & Risk discussion:
a. Rich: How could someone get RICH off of the Company's assets?
b. Ruin: How could someone RUIN the Company?
c. Regulations: What REGULATIONS does the organization need to comply with?
The 3Rs were first defined in Security Battleground: An Executive Field Manual.
These questions may seem like obvious ways to uncover the real nature of organizational security. However, they are seldom asked, and even more rarely pursued to answers that truly make a difference, in a large number of organizations. In proper context: ask your executive teams to "play hacker" by asking these simple questions and responding to you with the answers. This will provide the context, or a base from which to work, and help you understand their perspective. Your role is simply to audit the responses and findings -- do the responses make sense, and have they considered all of the possible answers to gain complete awareness of what's at stake for the business?
Once you are comfortable with these answers, ask whether the executive team has control measures, reporting, and/or metrics in place to regularly monitor against the 3Rs. It is highly doubtful you will debate one individual measure over another, but the business intuition you have honed over the years should enable you to understand, at a simple level, whether the controls are adequate to address the 3Rs questions.
Think of it this way: if someone kept a rare painting in their home, standard doors and locks would probably not be enough; but locking it in a vault where no one could admire it would be too much. The goal is (at every turn) to bring sensible, objective understanding and measurement to what is often perceived as a very subjective area of a company's business. In the end, taking a 3Rs approach can serve as a barometer to determine whether you are underspending or overspending on cyber.
3. Business & Security Alignment
Ensure alignment of your business plan and your security expectations. Cybersecurity and Risk Management are topics that reach across all operating units of an organization. Relegating one team to manage and address risk might work for accountability, but only if you and the executive management team empower them to effect required changes across the company. Putting a team over this topic with a mandate yet no real backing is a recipe for a false sense of security and will likely end up as a disaster for everyone involved.
For example, if there is a strategic imperative to move into emerging markets for growth, or to expand manufacturing into another country, the business case for doing so must include a discussion and review of what security and privacy risks exist and how the organization is suited to address them.
Considering these concerns after the fact puts you directly in conflict with items one (1) and two (2) above. In short, this is just good governance.
When this approach is taken, the outcome can often be a solid business process that not only provides greater security but an increase of business efficiencies. Most critically this process can bring about a type of cultural change that can ensure all parts of the business are clear and diligent on their role in securing the organization.
In the end, we all know that cybersecurity cannot be swept under the rug or lumped in with other concerns or issues. Risk mitigation, data loss or intellectual property breaches can bring a company to its knees, and its key executives and board of directors along with it. Thus, forcing the proper degree of up-front diligence can prevent what is otherwise avoidable.
About The Author:
Kevin Reardon is a Senior Director in McAfee's Office of the CTO. During his 17 years in the IT security field, he has worked with product delivery and implementation teams at McAfee and was vice president of operations and compliance strategy at Preventsys. An expert on policy frameworks for a variety of industries and sectors, Kevin has advised numerous Fortune 500 companies on designing and implementing programs, strategies, and training for security systems and processes. Kevin is co-author of Security Battleground: An Executive Field Manual, published by Intel Press, and he has contributed to several key publications on the topic of Security, Privacy and Compliance.