C-suites and boards of directors are increasing their knowledge of IT security risks and needs – before a breach happens.
Security trainer Jim Manico from Anahola, Hawaii-based Manicode Security recently was about to teach a class of developers. First to speak was the multibillion-dollar firm's CEO: “Look, developers, when you're faced with revenue versus security, we've always traditionally said go push revenue. In 2016, that's over. I want you to prioritize security over revenue.”
Manico says the CEO's preamble was a shock to his system. “Boards and C-level executives are now accountable,” Manico says. “They're seeing executives get fired. They're finding religion because they have to.” Such a mentality is the characteristic of successful security programs, he adds. And this is not just by accident, Manico says. “They have board and C-level sign off around decisions of financial expenditures. Management must get board buy-in when asking for huge sums of money to pay for cybersecurity strategies.” It's the difference, he adds, between doing security haphazardly or really committing to it.
“Boards have got to get inquisitive and drill down into the major buckets this money is going into,” he says. Boards worth their salt should be talking regularly to the CISO, he says, and asking: What are the CISO's top three concerns and major buckets of expenditures in the coming year?
Jonathan Bernstein, CEO, Bernstein Crisis Management
Jim Manico, founder, Manicode
Larry Ponemon, founder, Ponemon Institute
Amjed Saffarini, CEO, CyberVista
Davia B. Temin, CEO, Temin and Company
Meanwhile, CISOs need to know how to communicate to boards so that attacks or data breaches are not viewed as revelations. Anyone who argues that they don't talk to the board about these matters is an amateur, Manico says. “If your board is not involved in security, they're fools. It's about saving your company money and data.”
Board members need to be on top of initiatives, with awareness training for the entire staff, says Manico. He illustrates his point with a client that's a midwestern regional bank. He met with developers after speaking at an IT security conference and was asked whether he'd have a private meeting with the bank's board. “They were very receptive because their job was not to pass a compliance audit. They wanted to know how to not get hacked.”
Cybersecurity clearly falls under board-level governance and oversight, notes Davia Temin, CEO of Temin and Company, a New York-based reputation management firm that advises mostly financial firms on all types of crisis situations.
But a prevalent undercurrent seems to be that once the board gets involved things slow down and are not as productive as they could be, says Larry Ponemon, the founder of The Ponemon Institute, a Traverse City, Mich.-based cybersecurity think tank.
The November 2014 Target breach, for example, cited by 89 percent of board members queried, served as a wakeup call for boards that hadn't previously shown much interest in cybersecurity, Ponemon points out.
Boards have rapidly adopted cybersecurity as an issue because they've seen the potential for trouble quickly, agrees Temin.
However, not all boards have incorporated cybersecurity into their annual plans or oversight activities. The good news is that more and more are leaning in that direction after reading about high-profile breaches in the news. “It's a very popular topic on the governance speaking circuit,” Temin adds.
Crisis manager Jonathan Bernstein senses that boards' current cybersecurity interest smacks of “a bit of desperation,” yet is driven by the bottom line.
“I think boards and organizations are aware of how shareholders expect more of them in a post-Enron age,” says Bernstein, whose Monrovia, Calif.-based Bernstein Crisis Management recently has seen an uptick in C-suite requests for crisis management best practices, training and vulnerability audit reports as the result of high-profile private sector and government hacks.
Considering the potential for serious damage to profitability and reputation, Temin says she doubts that many boards have not had a cybersecurity conversation. Boards still will not fund defensive efforts with unlimited resources, but it's still up to management to make the case where internal risks lie.