15 Jan 2020

It’s complicated: The Board & Cybersecurity

13 recommendations

Whether you are an inside or outside director of the board, Cybersecurity will be on your agenda in the near future if it has not been already.

The challenge: You do not speak the same language as your security professionals, and they will not be able to present you with a silver bullet for your Cybersecurity threats, given the changing nature of those threats. Information security professionals might seem overly paranoid or technical to you. They do not understand the realities and true priorities you have to deal with in your role, such as financial stability, competitors, investors, M&A, R&D or board politics.

Unlike those issues, Cybersecurity will likely never keep you awake at night, contrary to what the Cybersecurity industry is hoping for. Moreover, should you in fact look into Cybersecurity, it is difficult to evaluate actions and recommendations in terms of how effectively they manage your risk profile and cost.

In short, it’s a complicated relationship.

Here are some guiding principles and lessons for board members to improve the relationship:

1. Cybersecurity does not need to be your priority, just do not ignore it

According to estimates of the Ponemon Institute, a Cybersecurity research firm, the chance of experiencing a data breach is 1 in 4 as of 2017. Costs can range from less than $10,000 to over $100 M, averaging around $4 M. If you are sitting on the board of an F-1000 company, these costs are probably negligible relative to your total revenue and company valuation. As a board member of an SME you might have a different opinion about the significance of such an amount, but still feel safe for other reasons: you think your organization is too small, and the probability too low, to be of interest to cyber criminals and state-sponsored hackers.

If your entities are in Europe or you process data from EU citizens (“EU data subjects”) anywhere in the world, the situation will change on May 25th, 2018 when the General Data Protection Regulation (GDPR) comes into effect. Among other things, it will introduce fines of 2 to 4% of total global revenue (or EUR 10 to 20 M, whichever is greater) if company records are not in order or if a supervising authority and data subjects are not notified appropriately. There will also be audits you have to provide compliant responses to. Should you be an executive in the financial service industry, the EU’s revised Payment Services Directive 2 (PSD2) will not only change banking as we know it; there are also new EBA guidelines on security measures for operational and security risks that cover processes, people and technology. In case you operate in China, their Cybersecurity law will also have to be dealt with as it takes shape.

Finally, the inevitable digital transformation means any business is exposed to new dependencies and broader Cyber attack surfaces. Just think of the “Meltdown” and “Spectre” vulnerabilities in Intel chips recently discovered by information security researchers of Graz University of Technology. You’ll see more vulnerabilities, data breaches and compliance requirements in the future for sure.

2. If your business is not about Cybersecurity don’t try to make it one

If you don’t create Cybersecurity products or offer Cybersecurity services, Cybersecurity is not your business. If you can outsource your IT, catering, facility management, billing or security guards, you can do the same with Cybersecurity. There are exceptions, such as a small group of people surrounding the CISO, security or data protection officer, but there are generally very few reasons why you should not explore allowing outsiders to guard your data, compliance, products and the door to your building.

You do not need forensic experts, ethical hackers or a security operations center (SOC). You can even rent a CISO and data protection officer from Cybersecurity consultancies and law firms (who fill this role for multiple organizations). Hiring and keeping such resources will be a time-consuming and costly exercise due to the Cyber skills gap on the job market. Outsourcing Cybersecurity is just something that takes time to get used to.

3. Help your security professionals understand your business objectives

Before asking your Cybersecurity professionals to report to the board, ask them to describe your business’ mission and objectives to you. According to a survey among 400+ Cybersecurity professionals by Gartner, a research firm, less than 10% were able to articulate them.

Helping your Cybersecurity professionals understand the business’ objectives and how they drive your interests (priorities) as a board member on a daily basis will be mutually beneficial. They avoid investing time and effort in areas that are out of scope, and there is less frustration about the content of their presentation. Along these lines, ask them to focus on the most likely risks for your business rather than all the potential risks.

A good board report shows input/output oriented KPIs to ensure that security processes fit the organization. A report is only as valuable as its KPIs. Have some long-term ones, but make sure you review them frequently with your board and security professionals. Does collecting them burden the organization, or does it lead to adverse/unintended management decisions?

Finally, a lot of Cybersecurity professionals report (technical) metrics (data never speak for themselves) but do not ask the board for anything.

4. Consider offering your Cybersecurity leader a seat at the table

As outlined above, the more a Cybersecurity leader is included in your board’s priorities and decision making, the more value they will generate for you and your organization. Offering the CSO / CISO a seat at the table, just like the CDO, CFO and CIO, should be taken into consideration by any CEO. If there are reservations, change the role of the CSO/CISO to a more passive / advisory one when called upon. Being part of the conversation rather than being informed by protocol later will be more efficient for all parties involved.

5. Nobody knows which Cybersecurity products and solutions will prevail or provide the best protection

Many people in the Cybersecurity industry wonder where the market will go next. You won’t be the one figuring this out for them. Instead, you are confronted with the reality of the Cybersecurity industry.

New solutions/products are released almost on a monthly basis. Most solve one particular issue; others claim to be a one-stop solution for most of your worries. Products from one vendor do not necessarily work well together or with other industry-leading solutions. Many offer old wine in new bottles wrapped in fancy marketing terms, with their ROI in your Cybersecurity tech/activities stack hard to calculate. In addition, some Cybersecurity product vendors will try to bend their product’s use case or lifecycle as much as possible, without fully understanding your industry’s realities, just to make a sale.

Between companies trying to build an in-house Security Operations Center (SOC) and consultancies’ or technology firms’ efforts to set up/provide Managed Security Services (MSS), there is a shortage of qualified professionals who are willing to put up with the work and an oversupply of MSS. Many of the MSS SOCs look impressive when you visit them, but they are hardly profitable.

6. A fool with a product remains a fool with a product

The most impressive product on the block cannot work properly if it is configured incorrectly, not maintained, or circumvented by your employees’ shadow IT (e.g. they use private email, cloud storage or mobile instant messaging services). The product’s impact will remain elusive and the investment will not pay off. Investments in your employees’ loyalty and awareness to detect attacks or avoid human errors are as important as the latest product.

7. It’s difficult to show the ROI of Cybersecurity investments

Information security investments are direct costs hidden in your IT spending that do not result in the higher market share, R&D, operating income or loss that your investors / shareholders care about most. They, just like your customers, want to know that you address the issue, as in “Are you safe?”, with minimal impact on what is most important to them.

Calculating an ROI is difficult and more guesstimate than estimate. There are too many unknown variables.

Lower information security spending compared to others does not mean your Cybersecurity posture is weaker. It depends on your organization and its risk profile.

Finally, when you consider mergers & acquisitions of another company and its products, ask about Cybersecurity, too. A newly integrated acquisition can be a new attack vector into the heart of your organization. Its poorly and insecurely designed products could expose you to lawsuits or bad press.

8. Your “IoTed” products need Cybersecurity by design

If you have products—from large machines to tiny wearables—don’t think about Cybersecurity and data protection only after you have “IoTed” (“Internet of Thing’ed”) them. Cybersecurity needs to be on the mind of your product teams as they digitize the products and the underlying business models. This includes roles that traditionally do not have any background in information security, such as product managers or engineers. Again, there is no need to reinvent the wheel. Hardened operating systems, military-grade encryption technology and more Cybersecurity tools are available on the commercial and open source market. Professional services for ethical hacking and vulnerability mapping are available as well. Secure software development lifecycles are not rocket science.

Depending on the size of your company and the things you do, it can make sense to build small teams of Cybersecurity professionals. Above all, make sure your approach to Cybersecurity is flexible and not painful for the end user.

9. Ask about resilience and risks

Resilience describes your organization’s ability to maintain its mission while adapting to or recovering from changing conditions or disruptions (such as a Cyber attack). Remember that this should include your supply chain and outsourcing partners. It starts by understanding your risks and developing a policy, a plan and a testing regime. This should help you prioritize your skill and budget resources.

10. Cybersecurity is annoying, help reduce the pain

You can put tight controls and Cybersecurity processes on your employees. However, the more you do, the more people will look for cracks in your Cybersecurity activities to do their work or to do harm. So ask your Cybersecurity professionals once in a while what they have done to keep Cybersecurity simple, smart and user friendly. If a door is open, you can build a fence and install cameras, guards and dogs in front of it. You could also just lock it, give the key to a select few, or ask why it exists at all. Security sometimes needs sophisticated measures and a variety of products, but the simpler your IT architecture is, the easier security can be implemented. Among other things, application and hardware standardization is a key element of tight Cybersecurity.

11. You are your organization’s biggest Cyber weakness

Many data breaches are the result of frustrated or mistreated employees. Yet Cybersecurity-aware employees and an open communication culture are your first and last line of defense. They can protect your business like no product will ever be able to. Support training and set an example by participating and following your policies at the board level. It’s usually the executives and their close support organization that do not follow security protocols and have different IT equipment, and therefore become the prime target for hackers due to their level of access to sensitive information.

12. Virus, Malware and Hackers are not equal

Viruses are old school. Malware is just a means to an end. No attacker will destroy and turn off devices they can misuse—not even the ones that encrypt all your data with ransomware. Instead, attackers will keep a low profile or maintain hacked devices for as long as possible (e.g. for botnets). Hackers whose objective is just to disturb and break systems are rare. That is rather a phenomenon of hacktivists who have, e.g., political motivations or lack skills. According to some estimates, Cybercrime today is more profitable than drug trafficking. Private and state-level “investors” pay millions for hardware, software/system vulnerabilities and hackers to steal information from everywhere. Hacking services are available just like you can buy an instance from a Cloud service provider.

13. Sharing is caring

Let’s face it. It’s embarrassing to reveal to outsiders that you have been hacked. New laws now require your organization to do it anyway. Even if competition is fierce, consider it a board-level mission to collaborate within your industry and beyond on Cybersecurity. It’s a job made for your level. Identify information you are willing to share frequently, to move from reactive to proactive in your Cybersecurity strategy. If you want to make the connected world a little safer, information sharing is really about caring and situational awareness. See the idea below from the financial service industry.

[Figure: the FS-ISAC information sharing structure. Councils and committees shown: Clearing House and Exchange Forum (CHEF), Payments Risk Council (PRC), Payments Processor Information Sharing Council (PPISC), Business Resilience Committee (BRC), Threat Intelligence Committee (TIC), Community Institution Council (CIC), Insurance Risk Council (IRC), Compliance and Audit Council (CAC), Asset Manager Council (AMC), Broker-Dealer Council (BDC) and the Cyber Intelligence Listserv. Sharing process: a member reports an incident to the Cyber Intel list, or via anonymous submission through the portal; members respond in real time with initial analysis and recommendations; the SOC completes the analysis, anonymizes the source, and generates an alert to the general membership.]

About the author
Alexander Schellong

VP Global Business, Infodas