
Cyber Security Oversight: Why it Belongs in the Board Room

Cybersecurity in the Board Room

Traditionally, cyber security has been considered the exclusive domain of IT and security operations departments, which were charged with buying and deploying technology to defend against network intrusions. However, the long line of devastating data breaches at Target, JPMorgan Chase, Home Depot, and dozens of other established, respected brands is changing all that. Responsibility for the safety, security, and integrity of an organization's network has shifted to executive management and boards of directors. For some, though, the question remains why cyber security should be a board oversight issue at all.

Over the last few years, cyber threats have emerged as some of the most significant business risks facing organizations. For many, the Target breach was a watershed event. The subsequent lawsuits and settlements, which totaled in the tens of millions of dollars, revealed the scale of the financial impact associated with cyber-attacks. Since boards of directors have a fiduciary responsibility to preserve corporate financial value, these breaches were a rude wake-up call. Meanwhile, the courts are holding businesses accountable for implementing appropriate security practices to protect consumers' personal information. Home Depot, which booked $161 million in pre-tax expenses to cover its breach, including $19.5 million for the consumer settlement, is a good example.

In response, boards have started to move away from viewing cyber security as merely a function of IT management, and are now demanding that C-suites treat cyber threats as an enterprise risk to be addressed from a strategic, company-wide, and economic perspective. They are taking a very active interest in cyber security and want to be kept informed of current and evolving risks, as well as the organization's security preparedness and response plans. In fact, according to a recent study by accounting firm EisnerAmper (EA), directors of boards are most worried about cyber security risk (70 percent), reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent).

These results reflect the fact that boards now recognize that protecting against cyber-attacks and complying with evolving regulatory mandates is becoming more challenging and increasingly costly. As an example, the European Union's new General Data Protection Regulation provides for fines of up to 4% of a company's worldwide annual turnover, and a finding of non-compliance also creates a foundation for civil litigation. Where cyber security insurance is being considered as a financial backstop against cyber risks, the board's risk committee should determine what coverage is needed for directors' and officers' liability, commercial general liability, prior acts, and property and casualty insurance, and check whether breach-related losses are actually covered or excluded under each policy.

Operating in this new environment is not easy. A recent study by the National Association of Corporate Directors (NACD) revealed that over 90% of respondents believe their board's understanding of cyber security risks still needs to improve. In this context, the U.S. Senate recently proposed a cyber security disclosure bill that would require public companies to describe what cyber security expertise their boards have and, if they have none, what steps the companies are taking to add this type of expertise to their boards.

While many experts believe the proposed bill goes too far, especially considering the existing shortfall of cyber security experts in the industry, it illustrates the need for oversight at the highest level. In fact, the NACD recommends that risk oversight become a function of the entire board. Since business strategy and risk nowadays go hand in hand, the full board, and not just one subcommittee, needs to be vetting the company's cyber security practices and programs.

To elevate transparency and provide the necessary information to board members, organizations should consider implementing the following practices:

• Increasing the frequency of cyber security related presentations to the board;

• Allowing CSOs and CISOs to present their findings and strategies directly to the board, rather than through some other C-level representatives;

• Treating cyber security as a matter of enterprise-wide risk, not just as a function of IT management; and

• Implementing a model that produces a quantitative estimate of cyber risks, exposures, and potential damages (for example, expected loss per asset or business process, stated in financial terms), so that business objectives and security goals can be aligned and investments compared on a common basis.

Ultimately, a proper oversight program can help companies streamline board reporting, integrate the multi-department activities required to mitigate operational cyber risks, and ensure that reasonable security protocols and procedures are in place. Furthermore, it can help all stakeholders gain a better understanding of what assets might be at risk, how to estimate potential losses, and how to mitigate threats using new security practices, investments, and cyber security insurance.

While many boards have woken up to the fact that they need to pay more attention to cyber security as part of their fiduciary responsibility, security executives should not stand by, waiting for their board to ask questions about cyber risk management. Instead, CISOs should proactively monitor their company's risk posture and present a quantitative view of it to the board on at least a semi-annual basis.

Attend the 2016 CISO Forum panel "Reporting Security and Risk Management to the Board", moderated by Gartner's Ash Ahuja.

Torsten George is currently a cyber security evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).