The Board of Directors (BoD) is ultimately responsible for the future of their company. Shareholders expect, if not demand, that the companies they have invested in mitigate risk in every form. When financial irregularities result in fines (or worse), investors hold the Chief Financial Officer (CFO) and BoD accountable. These days, the same holds true for security breaches.
After a very public breach of Target systems in late 2013, Institutional Shareholder Services (ISS) recommended that seven of the retailer’s 10 board members be voted off the board. That did not happen, not immediately anyway. However, the proverbial ice has been broken.
How do Directors prepare for this increasing accountability? Last year, the Federal Financial Institutions Examination Council (FFIEC) released a new ‘maturity model’ information security guidance program. To achieve the higher levels of maturity it defines, there are specific requirements for Board visibility into the information security posture.
The evolution of information security
Information security evolved in 2016, driven by a rise in risk awareness. Some of this change stems from a natural progression of events, reflecting the upward slope of complexity inherent to our Internet-connected world. Disruptive leaps forward in technology and online conveniences present unavoidable new risks to both businesses and consumers; mature security programs should be able to adapt to such step changes.
No company can say they have zero risk of a security breach. The BoD needs to focus on answering the following questions to keep risk at acceptable levels:
- What is our risk profile?
- How do we know?
- How do we protect our company from breaches and their aftermath?
Change happens - fast
In 1984 (the year, not the book), science fiction writer William Gibson defined the term ‘cyber space’ as:
“A consensual hallucination experienced daily by billions of operators in every nation … A graphic representation of data abstracted from the banks of computers in the human system.”
This is a remarkably apt description, considering he formed it a full 10 years before the general public became aware of ‘The Internet’.
The Internet has profoundly changed the world in just a few decades, and we’ve had a hard time keeping up with the repercussions. Consumers, regulators, businesses and IT professionals have become more cognizant of cyber security issues in the past few years. Most world events now create some kind of cyber security-related impact. For example, the withdrawal of the UK from the European Union could mean yet another set of privacy laws that multi-national companies have to abide by. Such changes, especially when unexpected, present significant oversight issues for large enterprises.
In the past year we’ve seen the Securities and Exchange Commission (SEC) levy fines against companies for cyber security lapses; likewise, the Office for Civil Rights (OCR) has brought data-breach-related sanctions against healthcare companies. Fines and investigations will increase as industry and government agencies strive to manage shared vulnerabilities and safeguard consumer privacy.
Security organisations evolving
While many use the terms interchangeably, a distinction is emerging between information security and cyber security. To illustrate, we’ll examine the responsibilities of Chief Cyber Security Officers (CCSO) and Chief Information Security Officers (CISO) as defined below.
The CCSO is a relatively new role, but it is becoming more common. CCSO responsibilities focus on:
- Understanding and staying familiar with the threat environment as it pertains to the use of the Internet (cyber space) from within their own computing networks
- Contrasting this ‘threat set’ with the footprint their company presents
- Securing against hazards at the intersection of the threat set and the corporate-wide footprint
- Limiting the damage and scope of breaches
Take note that there is nothing in this description relating to data classification, audit committee reporting or regulatory compliance. The focus is on threats, exposure, and limiting the impact of breaches.
CISO responsibilities are evolving to encompass the following:
- Securing information in any form – physical documents, word of mouth, and on devices connected to company networks
- Developing and maintaining data classification and user awareness programs
- Meeting Governance, Risk, and Compliance (GRC) requirements
- Reporting on security issues to any interested entity – both internal and external
Again, there is no universal agreement on these terms and roles. These two frameworks may overlap, depending on individual corporate needs, histories, and organisations. To satisfy both internal and external reporting requirements, these teams should share intelligence and information.
The need for board oversight
The term ‘Risk Appetite’ is heard often these days. Information security professionals have been familiar with this concept for years, but now it is reaching Board level visibility. The BoD should approve a Risk Appetite statement to serve as the foundation for security programs and reporting. Boards should also review the annual risk self-assessment and evaluate management decisions about allocating resources to address the findings.
The underlying principle is that the Board (or appointed committee) should maintain direct visibility into cyber security posture and how it is aligned with improvement efforts. The supporting documentation for the FFIEC’s Cyber Security Assessment Tool (released in mid-2015) contains related recommendations for Boards and CEOs.
Educating the board
Boards do not usually include cyber security experts. At AsTech, we anticipate that organisations will increasingly seek to include this expertise. Boards also engage outside experts to support and inform their decision-making. To that end, the BoD must learn how to make the best use of external consultants and identify trusted sources of timely cyber security related information.
We recommend a few annual reports on cyber security trends that are information-rich sources geared toward helping non-technical professionals understand the threat environment. Examples include:
- Verizon - Data Breach Investigations Report (DBIR)
- Ponemon - Cost of a Data Breach Study
- Whitehat Security - Threat Reports
Risk management review
Managing risk begins with understanding the current threat environment and identifying the specific ways in which your company is exposed to it. This is not risk elimination, as that is an unattainable goal.
Companies should complete a thorough risk self-assessment on an annual basis. This assessment must include vendor/partner risks, which have become very prominent in the last few years. The BoD should constantly ask those responsible to demonstrate that the information security program addresses the risk profile of the company, including incident response plans that address various types of breaches.
Reporting is key
A consistent flow of meaningful information is essential to managing risk and security. When it comes to cyber security, most Directors know they cannot rely on status reports such as: “We haven’t had any breaches this year, so everything is OK”.
Boards need current, clear information about the effectiveness of their security programs. For example, board members need to know not only that Internet traffic is being logged, but also that the data is being analysed, anomalous findings acted on, and remediation efforts evaluated. Trend data is important for measuring effectiveness. Were the investments of the last two quarters worthwhile? If not, why?
Examples of useful information for Board level decisions include:
- Year-over-year external penetration test (ethical hack) results – these establish a vulnerability baseline and/or demonstrate whether recent measures have been successful. If the target footprint has expanded or contracted, results should be normalised.
- Reports on completion rates for employee security awareness training on data handling, electronic communications, etc. What is the follow-up plan?
- Results of ‘table top’ exercises simulating various types of breach and response mechanisms. Response procedures should include a documented relationship with a professional forensics firm.
- Vendors and partners present varying levels of risk to an organisation. The Board must regularly review how this is being managed; priorities should be based on individual vendor risk profiles.
These are examples and not an all-inclusive list, but should help start productive conversations within the reporting structure.
Start preparing now
Along with managing current threats and defensive measures, putting mechanisms in place for continual improvement is crucial for success in 2017 and beyond. The technology underpinning threats and countermeasures is on a very steep growth curve. Looking over the horizon, Directors may find it useful to take these recommendations into account:
- Establish the most effective organisational structure to meet cyber security objectives.
- Revisit or develop Board cyber security oversight mechanisms, beginning with approval of a formal ‘Risk Appetite’ statement.
- Find Board-appropriate sources to stay informed on emerging cyber security concepts and trends.
- Add a Risk Management Review to Board agendas.
- Establish the metrics of success/failure and ensure they are being reported.
Boards will increasingly be held accountable for security incidents. It’s no longer feasible to blame IT or simply replace the CSO after a breach. Education is of the utmost importance.
Understanding risk and mitigation efforts will be a continuous process through which Directors will be more than informed bystanders; they will be an integral part of their organisation’s security program.
Greg Reber, Founder and CEO, AsTech