Last year alone, several cyber incidents left a trail of damage that demanded board action. We witnessed high-level CEO, CIO and CISO departures. The more headline-worthy the breach, the more victims are affected. The more dramatic the breach, the more likely the organization will be to suffer stock decline, steep fines, brand and reputational damage and associated loss of consumer and investor confidence.
While some boards are already cyber-active, others step in reactively only after the damage is done. Some companies may recover fully after much time, effort and financial investment. Others suffer devastating blows to their business viability and may require a change to their company’s fundamental business model, as in the case of the recent Equifax breach.
From a macro view, directors must focus both on “protecting the house” and “protecting your product.” Protecting the house is laying down a comprehensive security foundation, including tools, process, and policy to protect the infrastructure, data and personally identifiable information (PII).
Enterprises that develop technology-based solutions must also protect the product. While it used to be common practice to develop a product first and think about security as an afterthought, today security must be engineered into the product during the development cycle. Consumers assume their cloud, SaaS or mobile application, medical device, or EV is inherently secure; it is up to product manufacturers to consider security as seriously as they do features, UIs and speed.
Key to success is establishing a comprehensive Information Security Governance program and to make security an integral part of the organizational DNA, including training all employees on security best practices.
Here’s a 5-stage program boards should implement.
1. Plan (critical asset identification, risk assessment, security strategy definition): The board is responsible for ensuring that a risk assessment and a strategy are in place, with tolerable levels of risk defined for the enterprise, and for prioritizing the business systems and functions that need protection.
2. Protect (program design, implementation): The board should provide oversight and approve the cybersecurity program strategy, as well as approve policies, standards and metrics for control oversight.
3. Detect (threat monitoring, reporting, alerting and response): The board should require that an active cyber threat monitoring and remediation program is in place with periodic board briefings on threats, control effectiveness, responsiveness and emerging threat monitoring and control technologies.
4. Respond (event analysis, escalation, containment): Board members should be involved in the development of an Incident Response Plan and be active participants in the company’s Incident Response Team’s tabletop exercises (mock breach drills).
5. Adjust (integrating lessons learned): Cybersecurity risks are ever-changing; it is imperative that the board remain involved in rethinking risk tolerances and the allocation of resources (including who sits on the board and for how long) so the security programs can be adjusted as needed.
Ultimately, the Board of Directors is responsible for managing cyber risk. Executive and IT leadership is accountable for establishing the overall security strategy, setting security budgets and policy, and executing security programs and technologies. But it is the board that must play the critical role of holding management accountable by reviewing these strategies and plans and defining acceptable levels of risk tolerance. Only through a top-down approach, where boards set the “tone at the top” regarding cybersecurity, will the enterprise be ready when the inevitable compromise occurs.