What Can CISOs Take From the New NYSE Cybersecurity Guide?
In October 2015, the New York Stock Exchange (NYSE) released a book, “Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers.” While the book’s targeted audience does not include chief information security officers (CISOs), we examined it to determine if it could prove valuable to that audience.
The cover bears the names of two well-respected organizations in the security industry: Georgia Tech’s Institute for Information Security and Privacy and the Internet Security Alliance. Available in both PDF and e-book formats, the book totals 355 pages, nearly 30 of which are profiles of contributing authors and businesses. Each chapter is also available for individual download online.
While the word “definitive” appears in the title, the book’s disclaimer warns against taking its advice at face value: “It should not be relied upon as a substitute for specific professional advice. Professional advice should always be sought before taking any action based on the information provided,” the guide states.
What’s in the Book?
The book’s introduction is provided by Tom Farley, president of the NYSE, who opens with, “No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.” For those who still think of cyber risks as an IT issue, Farley said, “Today, managing cybersecurity risk has expanded far beyond the realm of IT; it has become a business continuity necessity to ensure shareholder value remains intact and that privacy and corporate intellectual property is protected.”
Having specifically called out the importance of cyber risks to shareholder value and to the stability of the markets, notably the threat of systemic disruption, he also cautioned companies to remain vigilant, not just from a technology perspective but also from a human one, adding that companies need to improve the impact of their security training and awareness programs.
The foreword, authored by Visa’s CEO Charles W. Scharf, outlined some key aspects of effective security programs. The first is to “be open and honest about the effectiveness of your security program and regularly share an honest assessment of your security posture with the executive team and board.” This is an interesting point: Many CISOs will share, in private, how their executives may not be so open to receiving or sharing an “honest assessment” of security posture.
Scharf even shares with the reader the five categories Visa’s security program is scored on: risk intelligence, malware prevention, vulnerability management, identity and access management and detection and response. He noted that scores may increase or decrease depending on the company’s defenses as well as on how relevant threats change.
The second recommendation he has is to “invest in security before investing elsewhere.” This is obviously something that executives and boards will need to digest further, but it sets an important tone for the funding of security programs. He finished the section by stating that cybersecurity “is an area where there are no grades — it is pass or fail, and pass is the only option. Cybersecurity needs to be part of the fabric of every company and every industry, integrated into every business process and every employee action. And it begins and ends at the top.”
The rest of the book is organized into 10 major sections, including the unnumbered introduction:
- Introduction: The Cyberthreat in the Digital Age
- Section I: Cyber Risk and the Board of Directors
- Section II: Cyber Risk Corporate Structure
- Section III: Cybersecurity Legal and Regulatory Considerations
- Section IV: Comprehensive Approach to Cybersecurity
- Section V: Design Best Practices
- Section VI: Cybersecurity Beyond Your Network
- Section VII: Incident Response
- Section VIII: Cyber Risk Management Investment Decisions
- Section IX: Cyber Risk and Workforce Development
What’s the Benefit for CISOs?
While the book is aimed at directors and officers, the hefty page count makes it very unlikely that its intended readers will find the time to read through it all. Security leaders who imagined having long, fruitful conversations with their executives and the board will likely have to wait a few more years before such conversations take place. However, the chapter-by-chapter structure of the book does make it easy for a director or officer to pick it up, leaf through it and dive into something that catches their eye. CISOs should be ready for that.
So while this book is clearly labeled as being targeted at directors and officers, CISOs and aspiring security leaders should skim through it, take notes and draw inspiration for their next briefing as risk leaders. The book contains advice from some of the leading minds and businesses on the management and governance of cyber risks, an integral part of the CISO role.
One such chapter that I would recommend to CISOs is the last in the book, titled “Evaluating and Attracting Your Next CISO: More Sophisticated Approaches for a More Sophisticated Role.” As the authors point out, “although the CISO rarely reports directly to the chief executive officer, he or she must have the qualities expected at the CEO-1 level.”
Another benefit of having read the book is that a CISO can then share a particularly relevant section or chapter with other executives and officers while clearly pointing out that the book was written for them.