French Caldwell, chief evangelist for governance, risk and compliance company at MetricStream, notes a time years ago – when he was a vice president and fellow at Gartner – when boards didn't take much notice of cybersecurity pros. “Now they have them on speed dial,” he says. While that might be a bit of a dated term (don't we dial just about everyone with a single click these days?), you get the idea. Security IT and corporate boards ran in different circles.
For years, pundits and executives have promised that those two worlds would merge in the boardroom, but that never happened, and it mostly seemed like just so much lip service. But that's changed as the CISO's reporting responsibilities have moved further up the chain. “People are now reporting to the CEO, CFO or the chief risk officer,” Gary Hayslip, CISO for the city of San Diego, has said. “Many CISOs are being asked to participate on boards.”
A recent Bay Dynamics study confirms that ascent – and the board's growing focus on cybersecurity. “The survey reveals that boards of directors in larger companies are taking cybersecurity and cyber risk much more seriously than they were just two years ago,” says Michael Osterman, president of Osterman Research. “Board members are increasingly recognizing the critical importance of becoming better educated about cyber-related issues and relying on trusted advisers that can increase their expertise on critical cybersecurity and cyber risk issues.”
John Bruce, CEO, IBM Resilient
French Caldwell, chief evangelist, MetricStream
Michael Osterman, president, Osterman Research
Amjed Saffarini, CEO, CyberVista
Ryan Stolte, founder and CTO, Bay Dynamics
So, what made 2016 different? Certainly, having politicians and political candidates drag cybersecurity into the mainstream (President Obama has made cyber a priority during his term with CNAP, and more recently commanded a report from the Commission on Enhancing National Cybersecurity). Candidates Hillary Clinton and Donald Trump even fielded a question about cybersecurity during one of the presidential debates. Too, endless chatter about Clinton's private email server brought information privacy and protection to the forefront, as well as the prudence of applying enforceable security policies from the top down. Allegations that Russian operatives infiltrated the election process ostensibly to influence its outcome – which an endless stream of leaked emails from Clinton and other entities associated with the Democratic Party seemed to imply – underscored the seriousness of threats to both the public and private sector and drove home the point that there was no time to dawdle in finding remedies.
Boards also simply couldn't ignore the threats that loomed over the companies they govern. “They're definitely more aware, and headline-grabbing breaches have elevated the topic in the minds of all of us,” says Bruce, whose company's “Global Cyber Resilient” study, conducted by the Ponemon Institute, found that 53 percent of respondents had suffered at least one data breach in the past two years.
Given the scope of the breach landscape and with crippling DDoS attacks, insider threats, clever cybercriminals, hacktivists and nation-state shenanigans all elbowing their way into the boardroom, it's only sensible that the super heroes charged with vanquishing them would follow.
“In 2016, cybersecurity not only became a leading practice, but also a board priority,” says Amjed Saffarini, CEO of CyberVista. “We believe the Yahoo breach – an event which caused immeasurable cybersecurity-related challenges for both boardrooms at Yahoo and Verizon, the company that was acquiring Yahoo – represented a cyber-tipping point.”
After the breach, he notes, those boards could no longer ignore cybersecurity's role in mitigating the respective risks associated with running their companies and conducting acquisition diligence.
While the Yahoo case found “the board actively deprioritizing security for the sake of having the membership numbers look good, in the case of St. Jude [Medical] it was a failure to recognize that the company was now operating in the domain of connected devices and data,” Saffarini says. “These were two different – yet similarly defining moments – for board cybersecurity priority in 2016.”
Increasingly, too, liability, at least in theory, is shifting in some cases to boards. After the Target breach three years ago, its board quickly became, well, a target – so their interest is often a matter of self-preservation and protection. John Sapp, CISO at medical device company Orthofix, said the firing of top-level execs at Target and Sony after those organizations experienced serious breaches has turned more than a few heads.
A trio of reports from Bay Dynamics demonstrates a positive shift in how boards of directors are prioritizing and approaching cyber risk issues, says company founder and CTO Ryan Stolte. “It is clear that boards understand that they are responsible for setting the cyber risk appetite of an organization. This current report shows that board members want to understand and be actively involved in the cyber risk reduction process.”
Three security actions CEOs must take
In the past 20 years as a CSO/CISO and global consultant to hundreds of businesses, I've seen first hand the transformation of cyber risk and the impact on businesses in many industries. Regardless of industry differences, cyber risk is the game-changing business challenge of the 21st century.
Click here for Chanaga's complete opinion article.
Recent changes in Washington, D.C., including the Department of Justice's appointment of Hui Chen as its first-ever compliance counsel and the release of the Yates Memo, has led to chief compliance officers (CCOs) fearing that they, their CEOs and others at the top may be held personally responsible for the misconduct of their employers.
DLA Piper's “2016 Compliance and Risk Report: CCOs Under Scrutiny,” which queried 78 corporate in-house counsel and compliance professionals, found that 80 percent of respondents were at least somewhat concerned about the change in tone from Washington and 81 percent were at least somewhat concerned about their personal liability or the personal liability of their company's CEO.
In fact, it is compliance – which has grown increasingly challenging as the number and complexity of regulations and legislation has increased – that most preoccupies boards. One of Bay Dynamics's surveys found that cybersecurity has become the boardroom's top priority, ahead of concerns about other operational risks. Right behind that are fears of lawsuits and regulatory penalties, inspiring greater action and reaction than even a breach, the survey says.
Boards clearly must do more than invite CISOs to sit shoulder to shoulder with them in the boardroom. “Being aware of it and doing something about it are clearly two different things,” says Bruce (left) at Resilient. “Our “Cyber Resilient Organization” study shows that more than half of the respondents polled don't have a regularly scheduled presentation on the organization's state of security to their board of directors.”
Of course, as with all successful relationships, it all starts with a conversation. Or two. Or a thousand. While CISOs and boards communicate much better, the “language difference” is still an obstacle. In one Bay Dynamics study, more than half of board members described security reporting as too technical. But, when cybersecurity pros talk in terms of risk, the board is in more comfortable – and actionable – territory. Increasingly, CISOs are broadening their knowledge and appeal by obtaining business-oriented certifications or even working toward their MBAs. And they're growing accustomed to the board's focus. “If you're a CISO and can't handle the spotlight, you're in the wrong job,” says Caldwell at MetricStream.
Board members, too, need to up their security game by gaining more than a passing knowledge of the security issues that their organizations might face, as well as the merits and shortcomings of the solutions available to them.
After 90 percent of the corporate directors participating a couple of years back in a survey from the National Association of Corporate Directors (NACD) said they wanted to improve their understanding of cybersecurity, the NACD asked the Internet Security Alliance and American International Group to create a “Cyber-Risk Oversight” handbook. The publication organizes cybersecurity best practices around five key principles: legal implications and liability; access to security expertise; understanding cybersecurity in terms of risk management; disclosure and mitigation; and building an adequately staffed and funded framework to manage that risk.
It helps too to get some cyber expertise on the board. The cybersecurity study found that only one in six board members had a “substantial expertise in understanding the nuances and implications of cybersecurity issues.”
They're aware and they want to resolve that deficit. “That includes making decisions that drive continuous compliance and going a step further by adding a board member with cyber-specific expertise who speaks the same language as the trusted security executives advising them,” says Stolte.
Clarifying lines of responsibility, too, go a long way in helping boards and cybersecurity pros know – and commit to – what's expected of them and head off potential confrontations at the pass.
To banish threats from the boardroom, too, boards must let go of those budget dollars…because as in many things in business and in the world at large, when you want to get things done, you have to, quite literally, put your money where your mouth is.