Board and management responsibilities for cybersecurity
This article was originally published on CIO.com on February 9, 2018.
Failure of boards and managers to address information security is expensive: the preventable, poorly handled Equifax breach may end up costing the company as much as $1.5 billion in direct costs by the time it all plays out (SeekingAlpha, 9/29/17). This lack of management attention was clearly demonstrated when Equifax's acting CEO, Paulino do Rego Barros, Jr., told a congressional hearing “he wasn’t sure whether the company was encrypting consumer data.”
This problem is systemic and pervasive across the business landscape. In a January 10th article, the Wall Street Journal reported that “Board committees dedicated to information technology risks and strategy are still rare. Just four Fortune 100 companies operate one.” Moreover, only 37% of corporate directors “feel confident the company they serve is properly secured against a cyberattack.” In the broader arena of SMBs and local governments, board and management oversight of information security is even rarer, and 37% seems grossly optimistic.
An even more disturbing revelation from that WSJ article was that some boards have “devised a response plan, including creating of a bitcoin account from which to pay ransoms.” I suppose there is a justifiable and quantifiable business case for this position from the board’s perspective, but it really sticks in my ex-military craw that any organization would negotiate with and reward criminals. Prevention and resilience are better policies.
What’s the role of the board and management?
There is no mystery about what boards and executives should be doing to ensure their organizations are paying attention to information security. Section 5 of ISO/IEC 27001 describes 18 requirements for “top management” with respect to developing an organizational information security management system (ISMS). These requirements include policy development, resource allocation, continual improvement, documentation, reporting, and a great deal more.
NACD (National Association of Corporate Directors) offers a 16-hour cyber-risk certificate course for directors. Upon completion of the course and an exam, participants receive a certificate from Carnegie Mellon University. NACD also publishes a free, informative, 44-page Cyber-Risk Oversight Handbook that describes “five principles for effective cyber-risk oversight,” along with a wealth of other information that includes an appendix with 48 questions boards should be asking management about cybersecurity.
For local governments, ICMA publishes Local Government Cyber Security: Getting Started as well as other information. This guide has some useful information, but it doesn’t begin to approach the depth and quality of the NACD handbook. I would recommend that school board members, county commissioners, and city council members download and read the NACD handbook as well as the Growing Impact of Cybercrime in Local Government. The public sector doesn’t take cybersecurity seriously and local governments are in possession of huge deposits of PII and PHI.
My problem with the discussions of “the cyber” from both of these organizations is that they fail to address the broader discipline of “information security.” This isn’t simply a matter of semantics: cyber-risk has to be understood in the broader context of an overarching information security (InfoSec) program to be truly effective.
To put it simply, if senior leadership isn’t an integral part of your information security program, you don’t really have a program. Boards and executives should routinely devote CPU cycles to the issue, just as they would to any other critical business issue.
Making the case
The argument for comprehensive information security programs for even very small enterprises is simple, powerful, and backed by a constantly growing body of evidence. Failure to secure information costs money – and lots of it. The Anthem breach, in which the company was found to be neither negligent nor liable, cost them roughly $414 million and the Target breach cost $230 million (SeekingAlpha).
While the fiscal argument may make the best case for a security program, it sometimes takes a while to get traction because executives in smaller organizations may not immediately see how these gigantic breaches relate to their business. Consequently, one of my preferred techniques for making the case is to get the corporation counsel or municipal attorney involved from the start.
Bring lawyers and money
Lawyers begin making the connections faster than the rest of the team, especially if regulatory compliance issues are involved. They quickly connect the dots between stupid mistakes, negligence, breach, forensic and regulatory investigations, fines, public embarrassment, and the inevitable litigation. In most organizations, the lawyers tend to be highly regarded and they can see the whole movie playing in their head. They instinctively know that they won’t be playing the part of the hero unless they get the show going, so they do a pretty good job of rallying the troops.
In one organization for which I developed a comprehensive policy, the process took several months of collaborative work with a large committee of stakeholders that included board members, management, HR, attorneys, and staff. The discussions sometimes became contentious, but the team approach was worth the effort because everyone was invested in the final product. It took the organization two years to fully implement the policy, and when the first periodic risk assessment came due, one of the directors said: “You mean to tell me that this is going to cost money?”
Yeah, it costs money; but it costs a hell of a lot less money than a breach.