“At the board level, I don’t think the board can ever dig deep enough to understand what’s going on under the covers.” — The National Association of Corporate Directors (NACD), “The Evolving Relationship Between the General Counsel and the Board.”
Board directors are faced with the nearly insurmountable task of providing adequate oversight of cybersecurity risks. While they are used to dealing with various types of risk, many directors feel uneasy with their own level of understanding and decision-making around cyber risks, and require the expertise of an external risk adviser.
A 2016 report by the EY Center for Board Matters titled “Board Matters Quarterly” ranked data breaches and insider threats as the types of risk that have increased the most, above internal fraud, capital project risks and risks related to mergers and acquisitions. When asked how the level of concern about each risk area changed in their organizations over the previous year, 62 percent of board directors reported a slight or significant increase (30 percent and 32 percent, respectively). However, the same publication noted in its 2017 report that 44 percent of boards voted against allowing specialists to join their ranks, while 34 percent voted in favor and 22 percent were undecided.
“As Warren Buffett says, it takes 20 years to build up a reputation and five minutes to lose it,” Dr. Len Konar, chairman of the boards of directors at Steinhoff International Holdings Ltd., Exxaro Resources and Old Mutual Investment Group, wrote in a Deloitte report titled “Ingredients for Success: Striking the Right Balance.” “From a governance point of view, boards need to be aware of the top-line risks and how they can affect the organization’s reputation.”
Digging Out of Cyber Risk Quicksand
Boards are used to dealing with economic, environmental, geopolitical, societal and even some technological risks. Much like a driver doesn’t need to know the details of how an engine works to safely steer a car through traffic, directors don’t need to have deep expertise in cybersecurity controls and protocols to steer the organization through the minefields of today’s threat landscape.
However, cyber risks are different from other risks because they can impact any and all areas of the business at lightning speeds. As 2017 has shown, organizations of all sizes and across all sectors can find their operations impacted or even entirely halted as a result of cybersecurity incidents. Events such as the Petya/NotPetya ransomware attacks come to mind, as well as the large number of organizations that have suffered breaches or cyberattacks.
Board directors have a fiduciary duty to make the right choices when it comes to cybersecurity. But how can they govern over something that is as shifty as quicksand when they are accustomed to regular, stationary, flat surfaces? Without cyber knowledge on the board itself, directors have to turn to other resources to provide expertise and advice.
Are Internal Resources Enough to Advise Boards?
Savvy boards have already shifted the nature of their conversations to better understand the impact that cyberthreats pose to business objectives and have begun asking for levels of assurance of the efficiency of controls. These boards have tasked their CIOs and CISOs to step up their game, lose the technobabble and connect the dots about how cybersecurity impacts the business.
However, just as directors must stretch their capabilities to improve their understanding of cyberthreats, CISOs and CIOs must adapt to the increased frequency of interactions and the heightened scrutiny that boards are placing them under. As if to warn CISOs about the dangers of simplistic solutions, the EY “Board Matters Quarterly” report from 2015 stated, “Putting a price tag on each customer record hacked makes cyber risks feel tangible, but hard costs and savings don’t paint the entire picture or clearly define the role that board members have in overseeing cyber risks.”
So much for the cost-per-record statistics. Back on the topic of internal resources, we know that information presented to the board should be reliable and relevant. Does the information meet that criteria? How would board members know?
According to an NACD report titled “The Evolving Relationship Between the General Counsel and the Board,” the general counsel must “ensure that the board is getting the full picture — the good, the bad and the ugly.” Would your internal experts, CIO or CISO feel comfortable sharing the good, the bad and the ugly with the board? Would the CIO or CISO be able to correct for his or her own biases? Would the board listen? More importantly, would directors trust the information received, or would the board perceive this as just another plot to justify ever-increasing cybersecurity budgets?
The Evolution of Internal Audit
Let’s talk about internal audit (IA). The good news is that IA has been evolving for the past decade, and auditing is no longer confined to checklists and reviewing the veracity of statistical samples. In 2016, the Institute of Internal Auditors observed in a special report titled “Assessing Cybersecurity Risk: Roles of the Three Lines of Defense” that chief audit executives (CAEs) “are challenged to ensure management has implemented both preventive and detective controls.”
Unfortunately, many IA departments focus primarily on evaluating internal controls over financial matters. Some simply do not have the level of executive support to undertake an effective audit of cybersecurity governance, and fewer still are in a position to evaluate the board’s level of oversight over cyber risks.
But let’s assume that your particular situation is better, and let’s use the Federal Financial Institutions Examination Council’s (FFIEC) “Cybersecurity Assessment Tool” maturity ratings for Advanced and Innovative — the top two levels — to illustrate what effective and mature internal audit of cybersecurity areas would look like.
- Advanced: The independent audit function regularly reviews the institution’s cyber risk appetite statements compared to assessment results and incorporates gaps into the audit strategy. Independent audits or reviews are used to identify cybersecurity weaknesses, root causes and the potential impact to business units.
- Innovative: The independent audits or reviews are used to identify cybersecurity weaknesses, root causes and the potential impact to business units.
A final limitation of IA has to do with the way the audits are scoped. As many seasoned security experts will attest, with the right scope, even an insecure server can pass an audit. Cybercriminals are not restricted by your organization’s budget or scoping rules — they go after whatever data is nearby and useful to their cause.
Five Ways an External Cyber Risk Adviser Can Help
In its “Cyber-Risk Oversight” report, NACD stated that boards “should have adequate access to cybersecurity expertise, and discussions about cyber risk management should be given regular and adequate time on board meeting agendas.” The report goes on to state that boards should bring “additional expert perspectives on cybersecurity into the boardroom by scheduling deep-dive briefings with third-party experts,” law enforcement and/or existing independent advisers.
If boards don’t have cybersecurity expertise within their ranks, they need to be able to have regular and adequate access to it. Let’s explore ways that an external cyber risk adviser can be especially useful to directors.
1. Provide Fresh, Unbiased Perspective and Advice to Board Directors
A good risk adviser is a counterweight to the many issues we raised previously. A qualified adviser looks at both the technical and nontechnical risk factors that the organization faces and evaluates the effectiveness of controls along the full spectrum of people, processes and technology.
Such a qualified adviser can review not only the organization’s cybersecurity strategy, but also the way the strategy is being implemented and the way that effectiveness is measured and improved. They can translate cyber issues into relevant concerns for the various areas of the business. They can also ask the tough questions, such as:
- How do we know that the cybersecurity program is effective?
- How is each line of business managing its own cyber risk?
- Is cyber risk management improving?
2. Understand Positive and Negative Risks
One of the factors that differentiate leadership in areas of risk compared to operational areas such as cybersecurity activities is the understanding that risks aren’t always negative. The organization may be presented with some positive risks that it should take. A cyber risk adviser should be risk-neutral, considering both positive and negative risks, as opposed to risk-averse, which would effectively limit the value of the advice provided by those used to dealing with compliance and audit issues. According to Norman Marks, the right person should “help executives make intelligent decisions when it is appropriate to accept a cyber risk to reap a business reward.”
3. Analyze and Improve Cyber Risk Metrics and Dashboards
Directors need access to data that is accessible, reliable, relevant and timely. This data should be presented in business-centric terms with trends and benchmarks. An external risk adviser can help the organization assess the strength and reliability of its cyber indicators, make suggestions to improve future cyber risk metrics and dashboards, and put higher-quality information at the fingertips of board directors.
4. Identify and Communicate Governance Gaps
An external cyber risk adviser can identify potential red flags when it comes to the board and the organization’s governance of cybersecurity issues. Examples of such gaps include:
A fragmented governance structure with tangled reporting lines or distrust and dysfunction between the various units. Organizations require regular engagement, business-focused updates, better dashboards, and open and honest dialogue;
An incomplete cyber strategy that only looks at certain threats or lines of business, ignoring supply chain risks and overlooking the need to be cyber resilient;
Underfunded security functions, high attrition rates and an inability to hire and retain qualified security staff;
Failure to implement cybersecurity projects and investigate delays or problems to get to the root of the issue; and
Unwillingness to enforce accountability for cyber risks and cyber risk mitigation. This often happens when lines of business refuse to acknowledge their roles and responsibilities in dealing with cyber risks and instead relegate issues back to the IT realm.
5. Evaluate and Monitor Cybersecurity and Cyber Risk Programs
A board’s cyber governance activities can be summarized by the principle of evaluate, direct and monitor. Directing is straightforward once a board has put an effective process in place to monitor and evaluate management’s cybersecurity activities. However, the tasks of monitoring and evaluating cyber risks can be significantly more challenging for board directors.
For example, we know that boards need to ascertain that management’s portfolio of cybersecurity activities will provide the intended level of risk reduction and that, should an intrusion occur, systems and controls will be appropriate to detect, respond and recover in a timely manner. So how are directors to monitor and evaluate those? How would boards evaluate the status of a security program and whether the proposed security strategy would have an appropriate level of positive business impact? Boards have to be able to evaluate management’s cybersecurity strategy and determine whether assertions about the organization’s defenses are valid or just wishful thinking.
Solving the Cyber Risk Puzzle
There is a significant difference between understanding the information presented and having in-depth knowledge that helps identify gaps and challenge potential issues. An external cyber risk adviser can provide this depth for the board’s benefit. He or she can ensure that the board is provided the right level of information, link cyber risks to their impact on business objectives and point out organizational biases. They can provide feedback on how well the organization makes decisions about how to handle cyber risks.
As Dr. Andrea Bonime-Blanc, cyber risk governance author and researcher for The Conference Board, wrote in the Harvard Law School Forum on Corporate Governance and Financial Regulation, “Both internal and external expertise play key roles in addressing cyber threats.” A good external cyber risk adviser can help the board fulfill its fiduciary duty regarding cybersecurity and develop a strong understanding of how the organization’s people, processes and technology help achieve objectives, drive profits and protect shareholder value.
Solving the cyber risk puzzle is challenging, but a puzzle is always easier to solve when you have a trusted set of eyes helping you look out for key pieces.