From a cyber security perspective, the 2015 and 2016 headlines have been dominated by a number of high profile data breaches: Sony, Ashley Madison, TalkTalk, Yahoo … Those have put the cyber security topic on the Board’s agenda in many corporations and have also been drawing the attention of politicians.
Fundamentally, we believe that the Board of Directors needs to go back to basics on these matters: Time has now gone to continue approaching cyber security purely from a Risk perspective. Risk is ultimately about “things that may or may not happen”. When it comes to cyber security, the Board should start from the premise that cyber attacks are a matter of “when”, not “if” – and should shift the focus towards understanding and managing what is actually getting done to protect the organisation.
The Board must not be allowed to believe that it needs to be involved simply because the cyber security topic is making headline news. The topic is making headline news because security breaches are occurring more and more often. This, in turn, is due to decades of complacency, neglect or short-termist “tick-in-the-box” practices around the Information and IT Security space. The problem is not new and those practices have resulted in low maturity and protection levels, that surveys keep highlighting year after year (for example in the 2015 and 2016 RSA Cyber Poverty Index surveys).
In large organisations exhibiting such low levels of cyber security maturity, it would be misleading to allow the Board of Directors to believe it’s a simple problem to fix – or that it simply requires the Board’s supervision around a handful of key aspects. It is also misleading to allow the Board to believe in ready-made technical solutions or that throwing money at the problem will solve everything, as McKinsey & Co have highlighted in a 2015 article that itself echoed their 2014 findings for the World Economic Forum.
“Cyber Security is a high-stakes topic, so it is a CEO-level one”, states the McKinsey article. However, the problem has some depth – and in many large organisations, where Cyber Security maturity levels are low, it could be rooted in 10 to 15 years of failure.
Understanding the true historical perspective of the problem and removing the roadblocks that have prevented progress in the past (people, resources, priorities … whatever they might be): These are the real issues which many organisations’ Boards of Directors now need to confront and address.
The Six Questions the Board of Directors Needs to Ask
1. What does it mean to us?
First of all, the Board must form an understanding of the nature of the cyber threats that might target the firm.
Cyber threats do not target all organisations in the same way – and some industry sectors are more exposed than others. Cyber security results from the application of proportionate controls to protect the business against the cyber threats it faces.
Understanding those threats is key to success and approaching the problem from a generic “one-size-fits-all” angle – or simply based on the content of media coverage – is dangerous and can lead to misguided judgements.
2. Who’s in charge?
Having established its own understanding of the concepts, the first concern of the Board should be to ensure that cyber security responsibilities are clearly and unambiguously distributed across the organisation.
Cyber security should be formally part of the portfolio of a Board member, and accountability cascaded down (directly or indirectly) to an individual specifically tasked to make sure the business is, and remains, protected from cyber threats. This responsibility would lie with the CISO in many large organisations.
The reporting line of the CISO should be clear – and at a level allowing visibility, credibility and accountability across the organisation. The actual reporting line itself should be dictated by the priorities of the organisation, ahead of arbitrary separation of duties considerations.
The repartition of roles across the various lines of defence and across corporate silos should be clear. A sound Security Governance Framework and Target Operating Model should document those aspects across IT and beyond – into HR, Procurement, Legal, Corporate Communications and business units. They should cover, without complacency, the true geographical perimeter of the organisation and its dependency on third-parties where relevant.
3. What are we doing about it?
Having established that a sound Security Governance platform is in place across the business, the Board should ensure that key protective measures are (and remain) in place.
Starting with a sound appreciation of the threats the business faces (both internally and externally), a determination of the controls required to protect the business against such threats should naturally follow. These should be consolidated in a Cyber Security Controls Framework, specifically tailored to each organisation.
Relying on recognised generic industry frameworks and good practice catalogues instead is often preferred (or recommended by some vendors), but the approach has its pros and cons. On one hand, it is a sound way of making sure that all angles are covered; on the other, it could easily lead to over-engineering and over-spending – particularly for smaller firms.
Fundamentally, the Board should ensure that controls are proportionate to the threats the business faces – otherwise their deployment could be challenged or costs may escalate. The Board must look beyond which framework is actually being used, to focus on the way the controls it contains are effectively implemented across the organisation. Once again, it should also take into account the organisation’s true geographical perimeter and its dependency on third-parties where relevant.
4. How exposed are we?
The Board should ask for periodic reports showing adherence of the organisation to its Cyber Security Controls Framework, and the primary focus should be on any deviations from this. Such deviations create opportunities for threats to target the business and cause harm, creating “Risk” – in the most classical sense of the word.
The Board should be concerned with any main issues – whether they’re financial, organisational or technical – which are preventing the implementation of the Cyber Security Controls Framework, ensuring they remain updated on what is being done to address these.
The key threats should be those to which the firm is the most vulnerable (i.e. those against which it is the least protected). Once the key threats are identified, the Board should ensure that their organisation’s incident response capability is regularly tested in those areas – if relevant.
The overall Cyber Risk Posture of the organisation should result from the analysis of deviations from an established Cyber Security Controls Framework.
5. How are we dealing with what is not under our direct control?
The Board should be concerned with 2 very different aspects in that space:
(i) Dependency on Third-parties: The Board should be acutely concerned about dependency on third-parties, across the business and IT, as we have highlighted several times above. Many controls in the Cyber Security Controls Framework will have to be cascaded down to (and implemented by) a variety of external firms, but the organisation may have no actual means to enforce those – even if a breach in the other party environment could cause catastrophic damage to the business. As such, effective vendor risk management could be of critical importance for some organisations.
The Board should start by building an understanding of the diversity and numbers of such vendors, and of those on which the business is most dependent. This must not be seen as a mere IT issue and it is key to approach it in terms of business processes. Following this, the Board should build an overview of those vendors’ levels of adherence to the Cyber Security Controls Framework – or where relevant, of their unwillingness to cooperate with cyber security assessment efforts.
Finally, the Board should ensure that unsatisfactory outcomes are being addressed – ensuring they remain updated on these matters. Board members also sitting on the Boards of some of the offending third-parties may want to take the matter into their own hands if and where they can.
Again, it is key to ensure that this is not turned into an IT matter – and that all business relationships are in scope.
(ii) Media & Political Interest: The Board should also be acutely concerned with the outcome of a cyber security breach spilling over into surrounding corporate areas – potentially contaminating their brand, customer trust, or shareholders’ confidence.
The dynamics of recent cases show that contamination often occurs as a result of aggressive media and political interest following breaches of privacy or service disruptions affecting the general public.
While it is difficult to predict where media attention will be in relation to any particular service incident, the Board can build an understanding of the amount of sensitive personal data the organisation stores and processes. The Board should ensure it possesses a clear understanding of its legal duty of protection towards the privacy of its organisation’s customers and staff – as well as the measures that are in place (or not) as part of the Cyber Security Controls Framework. The Board of international organisations should also be aware that those obligations may vary from country to country.
In all cases, the Board should ensure that the Security Governance Framework is active across all relevant corporate silos and reaches into all areas that may be involved in case of a breach – and that those interactions are regularly tested.
6. How do we protect our investment in cyber security?
The Board should be aware that cyber threats evolve constantly and that there is no silver bullet solution, technical or otherwise.
Ongoing protection can only come from a strong controls culture, embedded in the way the firm works. Such cultural shift could take time, particularly in organisations where cyber security maturity is low to start with, so taking a long-term view and sticking to it is key to success.
Ensuring that key personnel (the CISO and their team in many large organisations) remain in charge over the period is also key, and means they may have to consider their tenure over a 5 to 7 year horizon in many cases. Changing approach every 2 to 3 years every time a new CISO comes in is a recipe for disaster and could be very simply why so many large organisations still show such a low level of cyber security maturity.
The Board should also ensure that its direct involvement in cyber security matters is clear, unambiguous and widely publicised across the enterprise. The cyber security message from the Board should in turn be cascaded down across the organisation through regular management channels, and it is key for the staff to see that management (at their level) takes cyber security at heart. This type of bond is generally stronger, longer-lasting and cheaper to establish than any type of engagement through awareness development campaigns – which often miss the point entirely by being too tactical or too technical.
Finally, having examined all aspects listed above, the Board should consider the current level of cyber risk Insurance protection the firm holds (if any), and whether it provides adequate cover.
The Insurance question should come last, and the Board should consider adjusting cover if possible to match the findings highlighted by previous questions. The cyber risk insurance market is evolving fast, and products may be available today that were not available last time the Board inquired.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.