C-suites and boards of directors are increasing their knowledge of IT security risks and needs – before a breach happens. Larry Jaffee reports.
Security trainer Jim Manico from Anahola, Hawaii-based Manicode Security recently was about to teach a class of developers. First to speak was the multibillion-dollar firm’s CEO: “Look, developers, when you’re faced with revenue versus security, we’ve always traditionally said go push revenue. In 2016, that’s over. I want you to prioritize security over revenue.”
Manico says the CEO’s preamble was a shock to his system. “Boards and C-level executives are now accountable,” Manico says. “They’re seeing executives get fired. They’re finding religion because they have to.” Such a mentality is characteristic of successful security programs, he adds.
And this is not just by accident, Manico says. “They have board and C-level signoff around decisions of financial expenditures. Management must get board buy-in when asking for huge sums of money to pay for cybersecurity strategies.” It’s the difference, he adds, between doing security haphazardly or really committing to it.
“Boards have got to get inquisitive and drill down into the major buckets this money is going into,” he says. Boards worth their salt should be talking regularly to the CISO, he says, and asking what the CISO’s top three concerns and major buckets of expenditure are for the coming year.
- Jonathan Bernstein, CEO, Bernstein Crisis Management
- Jim Manico, founder, Manicode
- Larry Ponemon, founder, Ponemon Institute
- Amjed Saffarini, CEO, CyberVista
- Davia B. Temin, CEO, Temin and Company
Meanwhile, CISOs need to know how to communicate to boards so that attacks or data breaches are not viewed as revelations. Anyone who argues that they don’t talk to the board about these matters is an amateur, Manico says. “If your board is not involved in security, they’re fools. It’s about saving your company money and data.”
Board members need to be on top of initiatives, with awareness training for the entire staff, says Manico. He illustrates his point with a client that’s a midwestern regional bank. He met with developers after speaking at an IT security conference and was asked whether he’d have a private meeting with the bank’s board. “They were very receptive because their job was not to pass a compliance audit. They wanted to know how to not get hacked.”
Cybersecurity clearly falls under board-level governance and oversight, notes Davia Temin, CEO of Temin and Company, a New York-based reputation management firm that advises mostly financial firms on all types of crisis situations.
But a prevalent undercurrent seems to be that once the board gets involved things slow down and are not as productive as they could be, says Larry Ponemon, the founder of The Ponemon Institute, a Traverse City, Mich.-based cybersecurity think tank.
The late-2013 Target breach, for example, cited by 89 percent of board members queried, served as a wakeup call for boards that hadn’t previously shown much interest in cybersecurity, Ponemon points out.
Boards have rapidly adopted cybersecurity as an issue because they’ve seen the potential for trouble quickly, agrees Temin.
However, not all boards have incorporated cybersecurity into their annual plans or oversight activities. The good news is that more and more are leaning in that direction after reading about high-profile breaches in the news. “It’s a very popular topic on the governance speaking circuit,” Temin adds.
Crisis manager Jonathan Bernstein senses that boards’ current cybersecurity interest smacks of “a bit of desperation,” yet is driven by the bottom line.
“I think boards and organizations are aware of how shareholders expect more of them in a post-Enron age,” says Bernstein, whose Monrovia, Calif.-based Bernstein Crisis Management recently has seen an uptick in C-suite requests for crisis management best practices, training and vulnerability audit reports as the result of high-profile private sector and government hacks.
Considering the potential for serious damage to profitability and reputation, Temin says she doubts that many boards have not had a cybersecurity conversation. Boards still will not fund defensive efforts with unlimited resources, so it remains up to management to make the case for where the internal risks lie.
As a trend, board-nominating committees recently have made cybersecurity and technological proficiency (oversight and execution) a key component of the skills matrix they look for in new directors, Temin points out.
This is an avenue for younger folks to join corporate boards and it presents an opportunity for CISOs and other cybersecurity experts who are also skilled at leadership and governance, she says.
Many board members can use their financial backgrounds to determine whether financial statements are adequate or not. But rarely do they have the skillsets to evaluate a company’s security posture, underscoring the need for world-class CISOs, consultants and in-house security staff to prepare beforehand and handle whatever hits, Temin points out. These days, boards also want to be updated frequently if a serious breach occurs, and know from management what’s being done to rectify and prevent future attacks.
“Target was a real turning point,” Ponemon says. Board members now are typically focused on compliance-related matters. Normally, it’s cursory and not a deep-level risk assessment, but enough information to give the board comfort, he says. Boards view their roles as tactical, delegating responsibilities to their management, which is actually dealing with such risks.
As well, since Target, boards are now more receptive to paying for cybersecurity insurance, Ponemon notes, citing about 30 percent of the Fortune 1000 taking out such policies with some level of coverage. Organizations whose boards are already involved in cybersecurity decision-making may be eligible for a premium reduction.
A Ponemon study [see sidebar] found that, historically, boards have not been generous funding cybersecurity activities. “They’re more likely to see it as adequate, and a lot of people see it as inadequate, so the board becomes a hindrance because they don’t fund at the appropriate level,” Ponemon says.
This situation is confirmed by Amjed Saffarini, CEO of CyberVista, an Arlington, Va.-based sister company of education firm Kaplan. When CyberVista began talking to boards and upper management, it also anecdotally heard: “We had great plans, but the board didn’t approve them,” Saffarini notes.
“The root cause was that boards were not fully understanding the value proposition of the proposals that were being put in front of them,” he explains. “It was not that they were ignoring risk or deliberately trying to cut down the security of the company,” he adds. Instead, CyberVista detected a wide gulf in perceptions of enterprise risk management culture between security teams and boards.
Saffarini says boards need to realize that cyber is just another enterprise risk, such as insider trading for a financial firm.
“It starts at the top and it’s teachable,” he says, noting the average board member is 61 years old. “You can really change the behavior and culture of a company from a security perspective without touching even an iota of code,” Saffarini says.
Board game: Sobering stats
Last June, the Ponemon Institute released sobering survey statistics after surveying 245 board members and 409 IT security professionals, mainly CISOs, CIOs and CTOs in a variety of industry sectors. The report found:
- 35% of board members said cybersecurity was not on their agenda;
- 41% of IT security professionals think their board is informed about threats facing the organization;
- 18% of board members were unsure if they had a data breach, and 23% thought they did;
- 26% of board members admitted to having none or minimal cybersecurity knowledge; and
- 18% of IT security professionals believe board cybersecurity governance practices are “very effective,” compared with 59% of board members who thought so.