For Corporate Boards, a Cyber Security Top 10
Oversight should be grounded in sound management practices.
Garp.org ▪ August 11, 2017
By: David X Martin
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good-management-practices perspective rather than a technical perspective.
Here is a top 10 list of the issues boards should focus on:
Strategy. There are no offensive strategies in cyber security — only defensive strategies. In addition, you cannot protect everything. It is therefore critical for board members to, first, determine which assets are most valuable, and second, determine the most effective strategy or strategies to protect them.
For some companies, the most valuable asset is customers’ private financial information. For others, it might be intellectual property, or perhaps a proprietary database, or possibly even a cache of embarrassing emails.
Once the board ascertains the value of what needs to be protected, it can better prioritize and allocate resources to avoid and mitigate cyber security threats. At that point it can decide whether the cyber security budget is appropriate.
For example, if you are on the board of an investment company and your most valuable information is clients’ personal financial data, you would want to ensure that the protection of this data is correctly prioritized and handled with a great degree of security. You do not have to be an IT specialist to make this determination — you do have to be a good manager.
Chief Information Security Officer. In today’s wired world, it is not a question of if a cyber security issue will happen, but when. Unfortunately, in far too many instances, the chief information security officer (CISO) is selected based predominantly on superior technical skills and/or military experience. Leadership skills — communication and crisis management — are equally, and sometimes more, important than technical skills. In the day-to-day management of technology, or in a crisis, it is far better to have a skillful leader than a subject-matter expert.
Employees. The biggest cyber security vulnerability in the future will be between employees’ fingers and their computers — in other words, the human element in an Internet of Everything world. Companies will be taking in more external data to make better decisions. The board needs to ensure that there is a balance between this need for external data and employees’ sense of urgency about the critical nature of cyber security.
For example, how does the company handle policy exceptions by senior executives, who typically are the least compliant and hence the most vulnerable to attack? Or, how do you handle inherent conflicts of interest, where the person managing cyber defenses is the same one reporting breaches and responses?
Governance. Cyber security is not just an IT issue — it is an enterprise-wide management issue. For example, when developing new products and services, you need to strike the right balance between innovation and risk. In most cases, the more you increase security, the less user-friendly and convenient your product becomes.
In regard to risk, cyber security needs to be considered in the context of overall operational risk and continuity planning, as well as third-party due diligence and, most importantly, your company’s culture — all of which requires a holistic approach at the enterprise risk level. Cyber security risk itself needs C-level accountability and board oversight to drive the agenda and manage empowered employees with the right skill sets. The board should also create a self-assessment framework to ensure that best industry practices are being implemented and real progress is being made.
Metrics. Key performance indicators for cyber security are usually highly technical and often not related to what is important to the business. An example of good metrics for the board should be some type of balanced scorecard that includes: customer satisfaction (customer system downtime caused by information security [IS] incidents), reputation (number of IS incidents reported in the media), financial (IS budget as a percentage of IT budget), strategy (IS maturity level: 0-4 vs. industry average of 2.2), and brand protection (average time required to take down fraudulent websites).
Anticipating Change. The traditional approach to security relies on prevention strategies. It treats incident response as an exception-based process. In contrast, an intelligence-driven mindset is based on the assumption that you have already been compromised and therefore need to continuously evolve to stay ahead of the curve in terms of intelligence and incidents.
The U.S. Centers for Disease Control and Prevention is a good example: Outbreaks of diseases in foreign countries are monitored continuously; once an outbreak is identified, remedies are made available to all parties before and during an outbreak.
Boards need to ensure that senior executives fully understand the new vulnerabilities as their company moves into new markets, uses new suppliers, offers new products, and/or employs different technologies. Directors should also encourage the review of new technologies for access management, artificial intelligence, and distributive data that could potentially enhance their companies’ cyber defenses.
Culture. Corporate cultures do not change quickly; they evolve at a glacial pace. Therefore, the security culture has not kept pace with the threat landscape in which organizations operate.
A company’s cyber security culture has two important characteristics: Security practices are intertwined with business operations; and security is owned and lived by all employees.
Security needs to be framed as a critical enabler that helps the company deliver its promise to customers. It also needs to be viewed by the workforce at all levels as a shared endeavor based on trust, not surveillance. The tone at the top needs to be set by senior management — and the board needs to be vigilant in establishing the right cultural policies and monitoring performance using scorecards.
Regulatory. New regulatory frameworks will broadly address cyber risk management by establishing three lines of defense: First, the business unit to implement policies, assess risk and report incidents. Second, an independent risk management function that monitors the effectiveness of controls and reports exceptions and incidents. Third, an independent audit function.
The board will undoubtedly be involved in the event of a serious breach. It is therefore important that clear policies and procedures are established and that the board has a response plan in place that has been tested beforehand. But, keep in mind, benchmarking against best practices in cyber security also provides regulators, law enforcement, and class action lawyers with roadmaps for liability.
Reevaluation. Acknowledging mistakes and learning from them leads to better decision-making. Cyber security post mortems should be encouraged in briefings about the company’s security model and vulnerabilities. There is no substitute for proper deliberation and engagement on cyber security issues.
Good Judgment. Public scrutiny after cyber attacks has made cyber security a board issue and key responsibility. In a crisis, the only thing people remember when it comes to judgment calls is the outcome. A good outcome is usually the result of a well-considered, disciplined process reflecting collective wisdom and commitment to results.
Board meetings are an opportune time for corporate directors to reassess how they exercise their governance responsibilities with regard to the management of cyber security risk. In today’s global cyber minefield, it is essential that boards of directors not just monitor performance, but incentivize excellence in this area.
David X Martin (dxm@cybxsecure.com) is a former chief risk officer and was founding chair of the Investment Company Institute’s Risk Committee. He is an adjunct professor, author, expert witness, and co-managing director of cybX. He previously contributed to GARP Risk Intelligence.