The Internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication; cybersecurity initially was not a major consideration. That mindset has surely changed, driven by the explosion of connectivity and commerce on the Internet and by the threats that followed. A recent McAfee study disclosed that there was one new cyber-threat every three seconds in the fourth quarter of 2016.
Corporate board director roles have traditionally been reserved for those with expertise and leadership experience in management and best practices. Cybersecurity expertise historically has not been a primary concern for directors, but it has become an evolving requirement for accountability in the era of digital connectivity.
The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity whether it involves finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber-threats are ubiquitous.
The frequency and maliciousness of cyber-attacks (including ransomware and Distributed Denial of Service attacks on networks) have become alarming. Growing cyber-threats to corporate operations, reputation, and intellectual property can affect not only stock prices but the viability of a company.
The growing threat of data breaches from hackers has made cybersecurity a global urgency. According to IBM, the cost of an average data breach has now risen to about $4 million. According to Gartner, spending on cybersecurity to try to ameliorate data breaches is expected to reach $90 billion in 2017.
Dr. Chris Brauer, Director of Innovation in the Institute of Management Studies, sums up the state of cybersecurity for board members succinctly: “overcoming the threat boils down to two things: accepting that you will be breached (awareness) and the ability to do something (readiness).”
Targets of the increasing incidence of phishing and other types of social engineering breaches include many corporate giants, such as Target, Anthem, and Yahoo. Even the federal government has been targeted, most notably the breach at the Office of Personnel Management where 22 million personnel records were taken.
In spite of this, there is still a lack of awareness and specialized knowledge on most corporate boards. For example, according to a National Association of Corporate Directors (NACD) survey, only 14% of the board members queried expressed a deep knowledge of cybersecurity topics.
The cybersecurity landscape is complex, and it is extremely difficult to encapsulate all the various aspects that may confront a corporate board. Suzanne Vautrinot, President of Kilovolt Consulting and Major General and Commander, United States Air Force (retired), does provide a very good framework for addressing the landscape: “The board’s role is to apply the principles of risk oversight, to advise on strategy and help push to overcome challenges—in this case, cybersecurity gaps and challenges.”
Following that strong lead from General Vautrinot, I developed a condensed “cheat sheet” with themes to hopefully provide boards with insights and impetus to address the cybersecurity threat at the C-Suite level. The four themes include: risk management, responsibility, communication, and expertise.
- At its very core, the practice of cybersecurity is risk management. It requires vigilance and encompasses educating employees, identifying gaps, assessing vulnerabilities, mitigating threats, and maintaining updated resilience plans to respond to incidents. Board directors should have a working understanding of risk management (and risk exposure) and context on the array of threats and threat actors. They should also be knowledgeable about the guiding axiom of the National Institute of Standards and Technology (NIST) Framework: Identify, Protect, Detect, Respond, Recover.
- Cybersecurity is a responsibility. Elements of cybersecurity include policies, processes, and technologies. Every company is unique in culture, mission and capabilities, but in terms of cybersecurity, the management (including board members) and employees are accountable for overseeing those elements. A requirement for every board member should be that cybersecurity must be treated as a company priority.
- Cybersecurity’s backbone is effective communication. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and the safety of their networks. Communication enables readiness through the sharing of intelligence on threats and new security innovations. Security awareness training is also an important mandate for everyone at any company, especially the board.
- Cybersecurity requires expertise. Ideally, a corporate board should include a blend of internal and outside subject matter experts. It is always useful for executive management to get perspectives and ideas from experts on the outside; it helps avoid complacency. Areas of special knowledge should incorporate: legal compliance, cybersecurity technology solutions and services, training, liability insurance, governance, and policy. Information security management should include people with expertise in the ISO 27001 standard and a knowledge of best practices. Prudent policy advice necessitates that companies develop strong relationships with government. The recent passage of The Cybersecurity Information Sharing Act promotes public/private cooperation on data threat sharing, especially with the Department of Homeland Security.
Of course my cheat sheet is just a starting point; there is certainly room for more items and description. I highly recommend a new book written by Paul A. Ferrillo of the Weil Gotshal law firm and Christophe Veltsos of Minnesota State University, Mankato, entitled “Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives” for an in-depth analysis of cybersecurity and corporate board issues. With the backdrop of the startling NACD survey that found 80% of board members lack deep cybersecurity expertise, hopefully the issue of the lack of board cybersecurity competency will get more of the attention it needs.
Chuck Brooks is Vice President of Government Relations & Marketing for Sutherland Government Solutions. In both 2017 and 2016, he was named “Cybersecurity Marketer of the Year” by the Cybersecurity Excellence Awards. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn” out of their 450 million members. Chuck’s professional industry affiliations include serving as Chairman of CompTIA’s New and Emerging Technology Committee and as a member of The AFCEA Cybersecurity Committee. In government, Chuck served at The Department of Homeland Security (DHS) as the first Legislative Director of The Science & Technology Directorate. He served as a top Advisor to the late Senator Arlen Specter on Capitol Hill, covering security and technology issues. In academia, Chuck was an Adjunct Faculty Member at Johns Hopkins University, where he taught a graduate course on homeland security for two years. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.