Cyber Security Oversight: Why it Belongs in the Board Room


Traditionally, cyber security was considered the exclusive domain of IT and security operations departments, which were charged with purchasing and deploying technology to defend against network intrusions. The long line of devastating data breaches at Target, JPMorgan Chase, Home Depot, and dozens of other established, respected brands is changing that. Responsibility for the safety, security, and integrity of an organization's network has shifted to executive management and boards of directors. For some, though, the question remains why cyber security should be a board oversight issue at all.

Over the last few years, cyber threats have emerged as some of the most significant business risks facing organizations. For many, the Target breach was a watershed event: the subsequent lawsuits and settlements, totaling tens of millions of dollars, revealed the scale of the financial impact of a cyber-attack. Since boards of directors have a fiduciary responsibility to preserve corporate financial value, these breaches were a rude wake-up call. Meanwhile, the courts are holding businesses accountable for implementing appropriate security practices to protect consumers' personal information. Home Depot, which booked $161 million in pre-tax expenses to cover its breach, including $19.5 million for the consumer settlement, is a case in point.

In response, boards have stopped treating cyber security as purely a function of IT management and are now demanding that the C-suite treat cyber threats as an enterprise risk, to be addressed from a strategic, company-wide, and economic perspective. They are taking an active interest in cyber security and want to be kept informed of current and evolving risks, as well as the organization's security preparedness and response plans. According to a recent study by accounting firm EisnerAmper (EA), directors are most worried about cyber security risk (70 percent), followed by reputational risk (66 percent), regulatory compliance risk (64 percent), and senior management succession planning (51 percent).

These results reflect that boards now recognize that protecting against cyber-attacks and complying with evolving regulatory mandates is becoming more challenging and increasingly costly. As an example, the European Union's General Data Protection Regulation provides for fines of up to 4% of a company's global annual turnover (earlier drafts proposed 5%), and its requirements create a foundation for civil litigation as well. Where cyber security insurance is being considered as a hedge against cyber risk, the board's risk committee needs to determine how that coverage interacts with directors' and officers' liability, commercial general liability, prior-acts coverage, and property and casualty insurance, and what is left uncovered.

Operating in this new environment is not easy. A recent study by the National Association of Corporate Directors (NACD) found that over 90% of respondents believe their board's understanding of cyber security risk still needs to improve. Against this backdrop, a cyber security disclosure bill was recently proposed in the U.S. Senate that would require public companies to describe what cyber security expertise their boards have and, if they have none, what steps they are taking to add it.

While many experts believe the proposed bill goes too far, especially given the existing shortage of cyber security experts in the industry, it illustrates the need for oversight at the highest level. The NACD itself recommends that risk oversight become a function of the entire board. Since business strategy and risk now go hand in hand, the full board, not just one subcommittee, needs to vet the company's cyber security practices and programs.

To elevate transparency and provide the necessary information to board members, organizations should consider implementing the following practices:

• Increasing the frequency of cyber security related presentations to the board;


• Allowing CSOs and CISOs to present their findings and strategies directly to the board, rather than filtered through other C-level representatives;

• Treating cyber security as a matter of enterprise-wide risk, not just as a function of IT management; and

• Implementing a model that produces a quantitative estimate of cyber risks, exposures, and potential damages, so that business objectives and security goals can be aligned on a common financial basis.

Ultimately, a proper oversight program can help companies streamline board reporting, integrate the multi-department activities required to mitigate operational cyber risks, and ensure that reasonable security protocols and procedures are in place. It can also help all stakeholders gain a better understanding of which assets are at risk, how to estimate potential losses, and how to mitigate threats through new security practices, investments, and cyber security insurance.

While many boards have woken up to the fact that they need to pay more attention to cyber security as part of their fiduciary responsibility, security executives should not stand by waiting for their board to ask questions about cyber risk management. Instead, CISOs should proactively monitor their company's risk posture and present a quantitative view of it to the board at least semi-annually.

Written By

Dr. Torsten George is an internationally recognized IT security expert, author, and speaker with nearly 30 years of experience in the global IT security community. He regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege for Dummies book. Torsten has held executive level positions with Absolute Software, Centrify (now Delinea), RiskSense (acquired by Ivanti), RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global), Digital Link, and Everdream Corporation (acquired by Dell).