Cybersecurity and Boards of Directors, A Growing Area for Due Diligence
Cybersecurity has become a hot topic with Boards of Directors around the world. It is important for those of us charged with nurturing security programs to be ready and able to help them execute their duties. To do that, we need to understand their needs and build security programs that can address those needs.
The Duty of Care
The Duty of Care is a clear starting point. The Institute of Corporate Directors publication, Directors’ Responsibilities in Canada, describes this duty as the “need to exercise the care, diligence and skill of a reasonably prudent person in comparable circumstances.” To meet this duty, Directors must ensure they have relevant information when making business decisions, and have experts whose input they can trust to make the relevant decisions. There appears to be a gap in getting this information and expertise in front of the board.
According to a recent poll by the National Association of Corporate Directors (NACD), 59 percent of directors report finding it challenging to oversee cyber-risk, and only 19 percent report that their boards possess a high level of knowledge about cybersecurity. To remedy this, a Chief Information Security Officer (CISO), or a similar internal security program leader, can fill the gap in expertise, provided that discussions about cybersecurity are given regular and adequate time on the board meeting agenda.
However, even for organizations that do have cybersecurity on the agenda, there is a strong pattern of technical reporting rather than information relevant to business decision making. Most cybersecurity discussions conducted in the boardroom are about lagging indicators, such as how many security events occurred in the past period and the specifics of security control performance. This is supported by the NACD, which reports that fewer than one in five directors receive information about cybersecurity investment, as opposed to reports on past events.
Closing the Gap
Cybersecurity professionals need to be able to bring Boards of Directors information that explains that cyber-risk management, like the management of other business risks, is a continuum. There is no project that, once completed, can make an organization 100 percent secure. It requires an enterprise-wide management program that runs indefinitely. In this sense it is no different from safety, environmental, or human resources programs. It is a business capability that can be managed when it is provided adequate budget, expertise and attention.
To illustrate the organization’s place on the continuum, it is better to represent cybersecurity risk as an index built from a broad range of inputs. As the NACD statistic above suggests, it is often tempting to report a collection of operational IT security metrics instead. Consider, though, how a security operator works: day to day, they rely on alerts gathered from sensors across the infrastructure to manage the system in their care. Boards of Directors also have a system to oversee, and that system is the enterprise as a whole. To perform that function and inform their decisions, they too need sensors gathering data. Technical alerts and issues are only one piece of the cyber-risk puzzle. They are important and should be reported, but relying on this type of data too heavily leaves out much of the available information about the enterprise. To help boards meet the duty of care, cybersecurity leaders must deploy more non-technical ‘sensors’. Cybersecurity is happening throughout the organization. It is not just an IT issue.
In addition to technical sensors, security leaders should be working with, and accounting for, cybersecurity in their business supply chain, their partner interconnections and their customer service relationships. As vendors and customers connect to an organization’s business processes, the two sides’ risks intermingle. Our risk is theirs and theirs is ours. A vulnerability in a partner’s organization is a vulnerability in our own enterprise; how severe the resulting exposure is depends on the security program on each side. We also need sensors among our products and services groups, tracking the human element, legal inputs, and alignment with physical security.
By taking this enterprise sensor approach, cybersecurity leaders can more fully determine where on the cyber-risk continuum the enterprise sits and use this information to help the board meet its duty of care. In turn, boards can issue a clear statement of risk appetite defining which risks, at which level, the enterprise is willing to take to meet its goals. Risk appetite and reciprocal goal setting will then inform security management program decisions throughout the lifecycle, allowing for resource allocations that are consistent with enterprise strategy. In this pattern, the development of new sensors and the continuous improvement of existing reporting follow suit.
CyberNB is a Special Operating Agency of Opportunities NB.