Boards’ New Approach to Cybersecurity: a Risk Management Issue, Not Just a Niche IT Concern

C-level managers and directors, increasingly concerned about the legal and financial implications of security breaches, have started to set up regular meetings and to participate in the overall security strategy.

As cybersecurity incidents often leave behind a broad swath of operational, reputational and financial damage, many boards of directors have begun to address cybersecurity as a serious risk-oversight issue with strategic, cross-functional, legal and financial consequences. Recent surveys show that 45% of boards participate in the overall security strategy and, consequently, security spending has increased 24%.

The main guideline regarding cyber security from the National Association for Corporate Directors (NACD), defined since 2014, was the need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

According to the Internet Security Alliance and American National Standards Institute, cited by NACD, corporations have historically categorized information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding is fed by corporate structures that may leave functions and business units within the organization feeling disconnected from responsibility for the security of their own data. Instead, this critical responsibility is handed off to IT, a department that in most organizations is strapped for resources and budget authority. Furthermore, deferring responsibility to IT inhibits critical analysis and communication about security issues, and hampers the implementation of effective security strategies.

“Cyber risks should be evaluated in the same way an organization assesses physical security of its human and physical assets and the risks associated with their potential compromise. In other words, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective,” the institute noted in “The Financial Management of Cyber Risk” paper.

Product launches or production strategies that use long, international supply chains can magnify cyber risk. Similarly, mergers and acquisitions requiring the integration of complicated systems, often on accelerated timelines and without sufficient due diligence, can increase cyber risk, according to NACD.

Another obstacle companies face in creating a secure system is how to manage the degree of interconnection that the corporate network has with partners, suppliers, affiliates and customers. Several of the most prominent recent breaches did not actually start within the target company’s IT systems, but through vulnerabilities in a vendor or supplier, directors say. Furthermore, an increasing number of organizations have some amount of data residing on external networks or in public “clouds,” which they neither own nor operate and have little inherent ability to secure. These interdependencies can undermine the security of the “home office.” Corporations are often interconnected with elements of the national critical infrastructure as well, raising the prospect of corporate insecurity becoming a matter of public security or even affecting national security.

As a result, boards should ensure that management is assessing cybersecurity not only as it relates to the firm’s own networks but also with regard to the larger ecosystem in which the company operates. Progressive boards will engage management in a discussion of the varying levels of risk that exist in the company’s ecosphere and take them into consideration as they calculate the appropriate cyber-risk posture and tolerance for their own corporation, as NACD’s “Cybersecurity: Boardroom Implications” recommends.

Managers should also understand what “crown jewels” the company most needs to protect, and ensure that management has a protection strategy that builds from those high-value targets outward. The board should instruct management to consider not only the highest-probability attacks and defenses, but also low-probability, high-impact attacks that would be catastrophic, the document also notes.

The NACD Blue Ribbon Commission on Risk Governance recommended in 2014 that risk oversight be a function of the full board, considering that a large percentage of boards had continued to assign most tasks related to risk oversight to the audit committee. Two years later, PwC’s survey shows that board involvement has helped improve cybersecurity practices in numerous ways. Board participation has opened the lines of communication between the cybersecurity function and top executives and directors. Other notable outcomes cited by survey respondents include identification of key risks, fostering an organizational culture of security and better alignment of cybersecurity with overall risk management and business goals.

“Companies tend to have a more technology-centered view,” said Claude Yoder, global head of analytics for insurance provider Marsh, cited in the survey. “But I think as more and more information on cyber comes out, companies are expanding their technology-centered view to include people and processes.”

Final thoughts

Today’s CISO or CSO should be a senior business manager who has expertise not only in cybersecurity but also risk management, corporate governance and overall business objectives. He or she should have access to key executives to provide insight into business risks and should be able to competently articulate risk-based cybersecurity issues to the C-suite and board. Put simply, the cybersecurity leader should be able to effect change on par with C-level executives, authors of the study recommend.

“To me, it’s about teaching the board that security is not some hairy monster out there hiding in the dark. Instead, it’s a risk that can be managed as an economic decision,” said Stuart Berman, IT security architect of Steelcase.

In 2015, 54% of the companies surveyed* have a CISO in charge of the security program.

“Many executives are declaring cyber as the risk that will define our generation,” said Dennis Chesley, Global Risk Consulting Leader for PwC.

 

*The results are based on responses of more than 10,000 CEOs, CFOs, CIOs, CISOs, CSOs, VPs and directors of IT and security practices from more than 127 countries.