Cybersecurity is an enterprise-wide risk management issue, not merely an IT issue.

It's been a topic of discussion for some time: Cyber threats are serious risks to enterprises, and it is the responsibility of boards to provide oversight.

The problem, according to a new blog post written by Stacey Barrack, senior director of the Internet Security Alliance (ISA), is that most of the team members comprising corporate boards, while savvy in business, may not always have insight and basic awareness about cyber issues and, therefore, need to learn how to understand cyber risk.

To further that understanding, the ISA has partnered with the National Association of Corporate Directors (NACD), in conjunction with AIG, to issue the second edition of the "Cyber-Risk Handbook" for corporate boards. The publication lays out the ground rules rather emphatically: "The very first principle boards need to understand is that cybersecurity is not an IT issue, it's an enterprise-wide risk management issue."

This new paradigm is largely owing to a transformation over the past 25 years from a dependence on physical assets toward the virtual, the ISA claimed. Further, complementing the evolution is a new responsibility for boards around the digitization of corporate risk: This involves protecting new forms of stored data, including ensuring that critical infrastructure is protected, and maintaining compliance with regulatory mandates.

"Each of these risks can adversely affect competitive positioning, stock price, and shareholder value," the report stated.

The challenge arises when cyber risk is assessed in terms of risk versus reward, a principle comfortable for board members educated to recognize ROI. But with cyber, the gauges are not so clear. How much budget should be allocated to security tools and services intended to protect the enterprise from cyberattack when the ROI is not always so tangible?

This is where an educated boardroom is essential, the report explained. "Managing and mitigating cyber-risk impact requires strategic thinking, and it starts with realizing cybersecurity is an enterprise-wide risk management issue, not merely an IT issue," the report stated.

Rather than silo the functions of the technical personnel away from the business functions, integrate the departments to improve the entire team's awareness of security matters, the ISA explained.

"Directors should ensure that management is assessing cybersecurity not only as it relates to the organization's own networks, but also with regard to the larger ecosystem in which it operates," the report said.

This means it is up to the board to communicate with managers about the risks inherent throughout the company's environment. That communication is the means of determining the appropriate cyber-risk posture.

When asked how boards can be convinced of the risk to IT security, Larry Clinton, president of the ISA, told SC Media on Friday that for years cyber experts have been saying we need to get boards and senior management more involved in cybersecurity.

"Unfortunately, what that generally translated into was trying to teach the boards about IT," Clinton said. "Boards really don't want to talk about IT (except in relation to how it can increase profits)."

Rather, he advises, cybersecurity advocates need to focus more on learning the language of senior management and boards and less on IT-speak. "What ISA and NACD have tried to do is embed cybersecurity in the issues boards and senior management want to talk about – mergers/acquisitions, innovation, new product launches and strategic partnerships. The reality is that in the digital world, every significant business decision has a cybersecurity component. We need to place cyber in that context to get better understanding and salience to the need for greater cybersecurity – that starts by realizing that cybersecurity is actually not an 'IT' issue but an enterprise-wide risk management issue."

And what about persuading executives to increase budgets, or adjust strategies, to bolster IT security implementations?

Clinton said that cybersecurity is such a comparatively novel and complicated issue that it is essential to provide non-IT execs (including senior staff and the board of directors) with a coherent framework to understand the issue and that framework needs to be expressed in terms the business understands – not IT-speak.

"That is what ISA and NACD tried to do in crafting the Cyber-Risk Handbook for corporate boards," he explained. "The independent research suggests this is the right path. PwC, in its '2016 Global Cybersecurity Survey,' found that organizations that used the Cyber-Risk Handbook that ISA prepared for the National Association of Corporate Directors (NACD) led to increased cybersecurity budgets averaging 24 percent."

This survey, he pointed out, also found that boards that used the principles laid out in the handbook to guide their cybersecurity programs had improved alignment of organizational goals with cybersecurity, better risk management, and an enhanced culture of security throughout the enterprise.

When asked whether he believed the majority of board members were attuned to the need for cyber protections, Clinton had a firm "no."

But, he added, things have gotten much better over the past few years. "Only a few years ago cybersecurity ranked outside the top 10 of issues boards were concerned with," Clinton told SC. "Now some research suggests it is the number one issue for boards – surpassing executive compensation, which is really saying something. I think we have matured past the need for cyber awareness. We now need to focus on cybersecurity understanding – which is very different."

Boards are telling the ISA they are now being bombarded with all manner of consultants, each with their own magic formula and secret sauce, Clinton said. They are looking to ISA and NACD for guidance in terms of understanding this complicated world and not just from a technology perspective. "They want to know about the economies of cybersecurity and the public policy also," Clinton explained. "It's a fairly steep hill we have to climb in a fairly short time (because the attacks are getting more sophisticated and the network getting weaker), but boards are clearly more focused on this issue than ever before and I have to say that the work NACD has done and is doing in that regard is an underreported and critical element in making our overall cyber ecosystem more resilient."

Clinton added that the ISA will be following up with a series of blog posts geared toward expanding cyber understanding and providing concrete steps organizations can take to address this issue.