In early March, the U.S. Department of Homeland Security announced a dangerous vulnerability in a commonly used piece of infrastructure software, Apache Struts, and urged organizations to patch their systems. But Equifax, one of the nation’s largest credit bureaus, was asleep at the switch.
Unaware it was even using a vulnerable version of Struts, the company failed to take corrective action, according to now-suddenly-retired CEO Richard Smith. Hackers pounced in mid-May and accessed the personal information of more than 145 million people – nearly half the U.S. adult population – including Social Security numbers, names and birth dates. Equifax discovered the attack in July and publicly disclosed it in September.
It would be easy to think of the Equifax breach as just an isolated incident, except that it’s only the latest example of a breach in a company holding huge amounts of sensitive data. The infamous Target hack in 2013 and the Yahoo fiasco (3 billion user accounts compromised), among others, exposed similar holes in corporate cybersecurity.
To put it bluntly, cybersecurity is in a state of crisis. More than 80 percent of U.S. companies say their systems have been hacked in an attempt to steal or change important data, according to a Duke University study. Hardly a month goes by without a breach damaging a company’s brand and shareholder value.
It’s not as if companies aren’t taking cybersecurity seriously. In fact, they are devoting enormous resources to security products and services—to the tune of $86.4 billion this year and a projected $93 billion in 2018, according to research firm Gartner.
But they continue to lose the battle. And a major reason has to do with how companies manage cybersecurity. For too long, companies have thought of cybersecurity as a technology problem to be overseen by the chief information security officer or the chief information officer, or as a compliance issue to be managed with audit functions. Their answer usually has been to simply throw more money at the problem—a “buy one of everything” mentality that may satisfy compliance requirements and allow the CISO to build a bigger empire but doesn’t necessarily result in better security.
Rather, cybersecurity is a core business risk demanding attention at the very top—at the board level—and a more holistic, proactive and analytical approach.
Until now, boards generally have dealt with cybersecurity somewhat passively. It’s not that they don’t appreciate the threat—board members have become more vocal about their concerns and have begun asking security-related questions of executives in meetings. Board-management interactions, however, are still typified by rote presentations by the CIO or CISO on the company’s cybersecurity control environment—for example, here is how we are meeting the National Institute of Standards and Technology’s cybersecurity framework.
This tactical, jargon-laden information too often goes over the head of board members, who rarely possess cybersecurity expertise, and doesn’t get to the heart of the matter: What is the cost/benefit of the company’s cybersecurity investments, where are we versus where we need to be, and how are we measuring the risk?
Instead, board members should initiate conversations that cut through the noise. They should insist on details about how the company is decreasing the risk of attack and managing any that occur. They should develop a baseline of the company’s cybersecurity posture today and proactively identify gaps. They should remember the business adage—“what gets measured gets managed”—and seek ways to monitor metrics such as the number, nature and extent of vulnerabilities and establish benchmarks.
The National Association of Corporate Directors has issued a great list of suggested questions for boards to ask C-level executives, including:
- What was our most significant cybersecurity incident in the past quarter? What was our response?
- What was our most significant near miss? How was it discovered?
- How is the performance of the security team evaluated?
- What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?

To these, I would add: How, in a quantitative way, do we know if our cybersecurity program is working effectively?
Given the increasing cyber threat and the unsustainability of ever-rising cybersecurity budgets, companies can no longer continue to rely on simplistic, siloed approaches to cyber risk. With boards leading the way, they must shift to a different model in which cyber risk is quantified and integrated into the company’s overall enterprise risk framework, leveraging practices already applied to strategic, financial and operational risks.
Here are four specific steps boards can take:
- Establish a cybersecurity risk policy with clear risk appetite statements, and address exposures that are above tolerance levels.
- Integrate qualitative assessments with quantitative analytics in order to provide a more accurate risk profile. The board needs actionable information on risk drivers: cyber risk exposure, probability of breach, loss severity in the event of breach, and risk-control correlations and interdependencies.
- Armed with quantitative data, the board and management should make informed decisions about how much cyber risk the company is willing to accept in pursuit of its business strategy. The data also should lead to smarter decisions about allocating resources, buying cyber insurance or using a security rating service like BitSight. (Disclosure: I am a BitSight advisor.)
- A recent survey found that 91 percent of boards cannot interpret their cyber report. Management should report to boards in ways that are clear and understandable and provide continuous feedback on cybersecurity effectiveness. A board-level cyber risk report should include commentary and metrics on the threat environment, risk exposures and trends, and the effectiveness of key controls and the overall cybersecurity program.
Boards are ultimately accountable to shareholders for a company’s direction and health, so it makes sense that they should take the reins on better ways to deal with the formidable cybersecurity challenge. No one wants to be the next Equifax.