Boards remain concerned with the security and availability of information systems and the protection of confidential, sensitive data from the commercial cyber war in which their organizations are engaged. Many executives think their risk tolerance is low, yet act as though it is relatively high, thus necessitating board engagement with cybersecurity
A top five risk for many organizations across many industries, cyber risk presents a moving target as organizations undergo major IT transformations, accelerate cloud computing adoption, increase digitization investments, advance data and analytics sophistication, and expand mobile device use to leverage exponential increases in computing power for competitive advantage. As these innovative IT transformation initiatives keep expanding the digital footprint, they outpace the security protections companies have in place. This dilemma presents a sobering reality: Security and privacy internal control structures that are effective in reducing risk to an acceptable level today will inevitably become inadequate in the future — and even sooner than many may realize. In fact, organizations already may be breached and not know it. Boards of directors need to ensure that the organizations they serve are improving their cybersecurity capabilities continuously in the face of ever-changing cyber threats.
Our research indicates that board engagement in information security matters is improving. In the spirit of further improvement, we have identified some business realities to consider.
- The organization must be prepared for success. Managing cybersecurity is not just about managing the risk of bad things happening, it’s also about handling the upside of a company’s successful digital initiatives. As companies harvest new sources of value through digitization and business model innovation, more progress is needed to mature the performance of security and privacy capabilities across the enterprise. The wise course is to plan for incredible success. Directors should ensure that the organizations' cybersecurity policies and systems are resilient enough to handle that success.
- It is highly probable that the company is already breached and doesn’t know it. The old thinking of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” is dated. It’s happening — now. For most companies, cyber risk events have already happened and may still be underway. Yet many organizations do not have the advanced detection and response capabilities they need. The proliferation of data privacy regulations around the globe and the publicity about data breaches affecting politicians, governmental agencies, global financial institutions, major retailers and other high-profile companies, along with the growing presence of state-sponsored cyberterrorism and espionage, are leading directors and executives alike to recognize the need for “cyber resiliency” to preserve reputation and brand image.
Boards should be concerned about the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Tabletop exercises alone are not sufficient to address the increasing sophistication of perpetrators and the significant impact of a breach. Simulations of likely attack activity should be performed periodically to ensure that defences can detect breaches and responses are timely. In addition, an organization’s preparedness to reduce the impact and proliferation of an event is key. Accordingly, boards should focus on the adequacy of the company’s playbook for responding, recovering and resuming normal business operations after an incident has occurred. The playbook should also include responses to customers and employees to minimize reputation damage that could occur in a breach’s wake.
- The board should focus on adverse business outcomes that must be managed. Most businesses know what their critical data assets and information systems are, the so-called “crown jewels.” However, they forget to focus on the business outcomes they are looking to manage when they assess security risks. Considering risk outcomes or scenarios leads to enterprise security solutions that are more comprehensive than steps taken based on a narrower focus on specific assets and systems.
To illustrate, once an application is deemed key to the success of the business, it is typically considered “in scope” and managed. If the risk pertains to sensitive data leakage, the security solution is often focused on the source application and implementation of generic security controls. But the risk of an adverse outcome extends beyond the technology perimeter and may be an even greater risk. Users have access to data, regularly download it and might even email it, either ignoring or forgetting the business imperative to protect it. Therefore, controls over what happens to critical data assets once downloaded cannot be ignored. They won’t be if user leakage is an integral part of the adverse outcomes to be managed. That’s why boards should insist IT leaders look at information security risks holistically, focusing on strategies to manage adverse business outcomes rather than throwing money at addressing every technical weakness.
- Cyber threats are constantly evolving. Because the nature and severity of threats in the cyber environment change incessantly, protection measures must evolve to remain ahead of the threat profile. While recurring assessments are important, they should not be relied on as the sole means to identify new threats to manage. Boards should inquire as to how the organizations' existing threat management program proactively identifies and responds to new cyber threats, taking into consideration the company’s crown jewels, the business outcomes it wishes to avoid, the nature of its industry and business model, and its visibility as a potential target. Directors should also insist on an assessment of the related cyber risks resulting from major systems changes. It is always less expensive to build security into a system’s design early rather than to retrofit it later.
Cybersecurity is like a game of chess, so play it that way. IT security organizations must be steps ahead of cyber adversaries, waiting and ready with an arsenal of technology, people, processes and prowess. The old game of sole reliance on technology to deliver an effective and sustainable security monitoring solution falls short time and again when combating the onslaught of ever-changing threats to businesses today. Security functions need to change the way they deliver protective services and move far beyond initiatives to create enterprise-wide cyber awareness. Accordingly, boards should expect:
- A clear articulation of the current cyber risks facing all aspects of the business (not just IT);
- A summary of recent cyber incidents, how they were handled, and lessons learned;
- Short- and long-term road maps outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
- Meaningful metrics that provide supporting key performance and risk indicators of successful management of top-priority cyber risks that are being managed today.
For those organizations facing significant gaps between the current state and the target state in their capabilities for managing security risks, a cybersecurity program office is an emerging practice for managing large security projects successfully with a focus on technology, people and processes aligned with the enterprise’s key risks.
- Cybersecurity must extend beyond the four walls. Notable gaps in knowledge of vendors’ data security management programs and procedures currently exist between top-performing organizations and other companies — particularly in areas that might stand between an organizations' crown jewels and cyberattackers. As companies look upstream to vendors and suppliers (including second tier and third tier) and downstream to channel partners and customers, they are likely to find sources of vulnerability. Directors should expect management to collaborate with third parties to address cyber risk in a cost-effective manner across the value chain when assessing insider risk because electronic connectivity obfuscates the notion of who constitutes an “insider.” As the use of cloud-based storage and external data management vendors increases, the importance of vendor risk management grows.
- Cyber issues cannot dominate the IT budget. Without question, boards should ensure that cybersecurity is appropriately addressed and sufficiently resourced. However, as important as the cyber imperative is, directors should not allow it to stifle innovation. Over the past decade, IT departments have been reducing operations and maintenance costs consistently, funneling most savings to fund other priorities like security. Taking into account other priorities, including compliance and system enhancements, Protiviti’s research indicates that mature businesses are left with only 13 percent of their IT budgets for innovation.
With a strained budget, it becomes critical for IT leaders to focus on: first protecting what’s important (the crown jewels); keeping up with the cyber threat landscape to identify the kinds of attacks that are most likely to occur; and being proactive about incident response so that systems can be put back online with minimum impact to the business. Without this discipline, cybersecurity will continue to consume larger portions of the IT budget. Innovation will then suffer, and the business could ultimately fail — not because a cyber threat is realized, but because the disproportionate and unfocused spend on operational risk has distracted the business from the strategic risk of failing to mount a competitive response to new entrants and/or innovators.
- Directors should gauge their confidence in the advice they’re receiving. While there is no one-size-fits-all solution, boards should periodically assess the sufficiency of the expertise they rely on for cybersecurity matters. There may be circumstances where the board should strongly consider adding individuals with technology experience, either as members of the board or as advisers to the board, especially when the board’s agenda is crowded.
Cybersecurity is likely to remain center stage as a top risk for a long time as companies increase their reliance on new technologies in executing their global strategies. The realities of managing cyber risks are that they are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. Thus, it is imperative for companies to target protection investments on the business outcomes that can adversely impact the organizations' crown jewels, understand the changing threat landscape and risk tolerances, and prepare for the inevitable incidents.
Questions for Boards
Following are suggested questions that boards of directors may consider, in the context of the nature of the entity’s risks inherent in its operations:
- As a board, are we sufficiently engaged in our oversight of cybersecurity? For example:
- Do we include cybersecurity as a core organizational risk requiring appropriate updates in board meetings?
- Do we have someone on the board or advising the board who is the focal point for this topic?
- Are we satisfied that the company’s strategies for reducing the risk of security incidents to an acceptable level are proportionate and targeted?
- Does the board receive key metrics or reporting that present the current state of the security program in an objective manner?
- Is there a policy on securing board packets and other sensitive material communicated to directors? If not, is there potential exposure from sharing confidential information through directors’ personal and professional email accounts and free file-sharing services that are not covered by the company’s cybersecurity infrastructure?
- Have we identified the most important business outcomes (both unanticipated successes of the digital initiative, as well as adverse events) involving critical data and information assets (the crown jewels)? With respect to those outcomes occurring:
- Do we know whether and how they are being managed?
- Does our security strategy differentiate them from general cybersecurity?
- Do we assess our threat landscape and tolerance for these matters periodically?
- Are we proactive in identifying and responding to new cyber threats?
- Does the company have an incident response plan? If so:
- Have key stakeholders supported the development of the plan appropriate to the organizations' scale, culture, applicable regulatory obligations and business objectives?
- Have we thought about the impact specific cyber events can have and whether management’s response plan is oriented properly and supported sufficiently?
- Is the plan complemented by procedures providing instructions regarding actions to take in response to specific types of incidents? Do all the stakeholders for a planned response know their respective roles and responsibilities? Is it clear for which events the board should play a key role in overseeing the response efforts?
- Are effective incident response processes in place to reduce the occurrence, proliferation and impact of a security breach?
- Are we proactively and periodically evaluating and testing the plan to determine its effectiveness? For example, does management have regular simulations to determine whether the detective capabilities in place will identify the latest attack techniques?
- In the event of past significant breaches, have we made the required public disclosures and communicated the appropriate notifications to regulators and law enforcement in accordance with applicable laws and regulations?
Board Perspectives: Risk Oversight - Issue 90