Just how much are companies struggling to get a handle on cybersecurity risks and digital disruption? According to the National Association of Corporate Directors (NACD)’s “2019 Governance Outlook,” boards are uneasy about the various digital risks their organizations face. The report is designed to provide leadership with a picture of the business landscape, and as you might expect, regulations, cybersecurity risks and disruptive technology feature prominently in the list of concerns.
More precisely, when asked to name the top five trends likely to have the greatest impact in the coming year, NACD respondents pointed to changes in the regulatory climate first (49 percent), followed by the potential for an economic slowdown (48 percent) and cybersecurity threats in third (42 percent). NACD commented on these findings, noting that “companies are bracing for the effects of proliferating cybersecurity and data-privacy rules as regulators play catch-up in overseeing the digital economy.”
In light of a regulatory landscape that is becoming more complex and costly — especially post-incident — boards need better insight into the organization’s cyber risk exposure and its ability to handle and recover from those risks. Here are a few questions board members can ask themselves to gauge their oversight and engagement.
Do We Fully Grasp Cybersecurity Risks?
Boards understand that digital disruption is a reality of business today. Sixty-two percent of board directors view “atypical, disruptive risks” as more important to organizations today than five years ago, according to NACD. While boards are confident in management’s ability to deal with known risks, directors are less certain of their preparedness for disruptive risks — only 19 percent of respondents were extremely or very confident.
Organizations know that their competitors are actively looking to leverage artificial intelligence (AI), big data, blockchain and the internet of things (IoT), but the ability to foresee how those changes would impact their own cybersecurity risk posture is limited. AI and the IoT in particular were viewed by NACD survey respondents as the two technologies most likely to disrupt their companies — but they were also ranked as the first and third most likely to benefit them, respectively.
Beyond the challenges of data security and modern digitization, the impacts of rapid changes in the regulatory landscape means that companies must continuously scan the horizon to determine whether they’re still in good standing. In the U.S., the NACD noted the rollout of multiple state-level regulations in California, Vermont, New York and South Carolina, as well as the recent creation of the Cybersecurity and Infrastructure Agency (CISA) within the U.S. Department of Homeland Security (DHS).
For boards, this is a reminder to ensure that management has properly integrated disruption-related information in their strategy, performance and decision-making processes. Boards should also ensure they are getting quality information — in the form of risk metrics and trend lines — from management regarding the potential impacts of disruptive risks. Procedures for escalating critical and time-sensitive information to the board should be reviewed. For chief information security officers (CISOs), this is an opportunity to re-engage with the board, the C-suite and the organization overall to ensure that digital risks are appropriately considered and accounted for at all levels of decision-making.
How Effective Is Our Cybersecurity Management?
The NACD report specifically called out the need for boards to appropriately review the effectiveness of their organizations’ cybersecurity management programs. By now, enough organizations have found themselves jolted, fined or sued, or even had their operations temporarily shut down as a result of a cybersecurity incident, to understand that simply taking the CISO at their word isn’t a valid option.
Directors are encouraged to challenge management about the outcomes of the security program as a whole, and whether the organization has invested appropriate levels of time, talent and money into its security projects. The often thorny issues of accountability and ownership are also important because digital risks can propagate across silos and locations. The board must assign clearly articulated ownership and accountability of various cybersecurity risks.
This renewed attention from the board is an opportunity for CISOs to review the quality of the information they share with the board, to ensure they’re operating as cybersecurity advisers and strategists to the entire organization. But with a greater level of trust comes greater demands: When management and the board are asking more skeptical questions about the benefits of the security projects on the road map, CISOs need to be ready to demonstrate the value of those investments.
Do We Have Adequate Oversight?
Finally, the report contains several reminders of the need for boards to ensure that they are taking on the appropriate duties when it comes to cybersecurity risks. Directors need to ensure they are seeking and receiving adequate education on the topic. Board directors should also seek independent assurances about the cybersecurity program, which for many means leaning on the internal audit function to perform a cybersecurity assurance examination. Of course, board directors can also choose — and they are often encouraged — to consult external advisers.
For CISOs, the additional scrutiny could easily be taken as unwanted or even negative attention. Instead, they should think of it as an opportunity to get support from and engagement with the very top levels of the organization. This channel offers CISOs the opportunity to provide more education about the digital threat landscape — being careful to leverage business metaphors instead of getting deep in the technical weeds. This is also an opportunity for CISOs to get involved with, or even lead, a group to develop ideas and insights about trends and opportunities, especially regarding digital transformation.
At a time when there is tremendous pressure to safeguard ever-expanding caches of sensitive data — dispersed across the organization and often across countries — and when it is critical to improve one’s resilience in the face of increasing digital dependence and interdependence, board directors must deepen their oversight of cybersecurity risks. CISOs, on the other hand, should help shed light on board-level concerns and prepare for the likely questions that boards will ask them during their next interactions.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato