Archive for the ‘The Digital Director’ Category

Understanding the Cyber Dialogue

December 18th, 2015 | By

Cybersecurity is more than a technological issue—it’s a business issue. In a BoardVision video moderated by Judy Warner—editor-in-chief of NACD Directorship magazine—Mary Ann Cloyd, former leader of PwC’s Center for Board Governance, and Zan M. Vautrinot, former commander of the Air Forces Cyber Command and current director of Symantec, Ecolab, and Parsons Corp., discuss effective cyber-risk oversight, addressing the following questions:

  • How can boards communicate with management about cyber risk?
  • How does cyber risk fit into discussions about risk appetite?

Cyber Dialogue

Here are some highlights from that conversation.

Judy Warner: For directors, I think one of the greatest challenges around the issue of cyber is how to engage in an informed conversation with management. And how do they become informed about their oversight roles as they relate to cyber?

Zan Vautrinot: One of the things that was absolutely clear about the private sector and corporate leadership is that they understood how to have a discussion about risks and strategy. The only thing different with cyber is that some of the technology and some of the solution sets are slightly different, but the conversation is the same. It is a discussion about a particular kind of risk and how it relates to the kind of business you are [in].

Warner: Mary Ann, from your perspective, how does that conversation take place, or start to take place, at the board level? And is it a conversation for the full board or a specific committee?

Mary Ann Cloyd: I guess I always say it depends. I never want to be so prescriptive as to tell somebody what they need to do because every board and every committee is different. However, I do think that, given the magnitude of how this affects so many businesses, it’s not a technology issue. It’s a business issue. So, with that, where would you oversee any other business issue at your board? And I’m guessing that a lot of it would belong at the full board, with parts of it delegated down to a committee.

Warner: The NACD recently published a handbook on cyber-risk oversight, and one of the discussions is around risk appetite and where does cyber fit into that equation today. And I know, Mary Ann, you have said we need to think of cyber as any other risk.

Cloyd: I think you bring up two interesting things. [I]n fact, we did a small publication [at PwC’s Board Leadership Center] earlier this year, and we called it “Defining Risk Appetite in Plain English.” What prompted it was I had a director come to me and he said, “Mary, we’re doing our off-site strategy session and we always talk about risk appetite. Do you have a good pre-read that I could give to the board so that they can understand what risk appetite means?” So we did this to really put in plain English, in four pages or less, what the dialog is between management and the board, and how you develop and define your risk appetite. And, to me now—as you have so beautifully put this, Suzanne—cyber is just another part of that risk discussion and how it fits into your overall strategy.

Vautrinot: Right. And if you have already had a discussion about your strategy and those things that are most important to you as a corporate entity, is it the data that is unique that you’ve collected—the information and the access to that information—that makes your corporation unique? Is it the technology or your research and development? Is it your insight into financial transaction or merger and acquisition? Is it [about] manufacturing processes or distribution processes?

Every board and every management team knows what is most important to them being successful as a corporation. It is likely that those things are the areas that [the board] would want to focus on with assessing cyber risk. If you look at that area and say this is what is most important to us as a corporation, and this is the technology that we depend on to do that activity, now I can say that is sufficient or it is insufficient relative to the amount of risk I am willing to accept in that area. There may be other areas that aren’t core to the business, and so you are willing to accept a different amount of risk or put different systems in place that kind of sandbox it—[systems] that put a fence around, or that separate or provide different controls to allow [the lower-risk] activity to run more openly, whereas [higher-risk areas are] much more controlled and much more precious.

Additional NACD resources

NACD’s Director’s Handbook Series: Cyber-Risk Oversight

NACD—Building a Relationship With the CISO

NACD—Assessing the Board’s Cybersecurity Culture

NACD—Cybersecurity Risk Oversight and Breach Response

Cyber Experts Offer Six Tips for Director Oversight

October 16th, 2015 | By

“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.

Cyber Panel

The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U. S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc.,and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.

Below is a summary of the high points from that discussion.

  1. Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
  2. Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
  3. Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
  4. Make sure your leadership is tapping into information-sharing initiatives. Many new initiatives have emerged to increase transparency about cyber-risks, including the sharing of information about specific incidents with law enforcement aimed to better prepare organizations for new threats. From industry-to-industry resources such as the Financial Services Information Sharing and Analysis Center and cross-sector initiatives like New England’s Advanced Cyber Security Center to government-supported groups including the National Cybersecurity Center of Excellence, resources abound and panelists urged full use.
  5. Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
  6. Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses.We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.

Dig deeper into leading practices by reviewing the Director’s Handbook Series on Cyber Risk Oversight and watching the panel’s full discussion.

A Former White House CIO Discusses Data Hygiene and Cybersecurity Strategies

October 15th, 2015 | By

Consumers in the digital marketplace rarely think twice about allowing companies access to their personal information, and the companies that are amassing this data are enjoying the unprecedented business opportunities that such access entails. This exchange of information does, however, come with substantial liability risks; that information can easily fall into the wrong hands. This feature of the e-commerce landscape is causing both consumers and companies to ask: Is privacy dead in the Information Age? To explore this question, NACD Directorship Editor in Chief Judy Warner sat down with former White House Chief Information Officer and founder of consulting company Fortalice Theresa Payton during a Monday evening session at the 2015 NACD Global Board Leaders’ Summit.

Theresa Payton at 2015 Global Board Leaders' Summit

In short, privacy isn’t dead, but our concept of privacy is undergoing a transformation. Payton said that as business leaders and consumers, we need to have serious conversations about what the new—and correct—lines of privacy are. “We own some responsibilities as business leaders and government officials,” she said. “Data is hackable and breaches are inevitable. Don’t aid and abet hackers.”

It turns out that companies are inadvertently aiding and abetting hackers. First, some organizations fall victim to their own, outdated view of building cyber defenses: Set up as big a firewall as you can around the company’s data assets; install anti-malware and antivirus software—done. This is a losing defensive strategy; it fails to take into account the mechanics of how and why these major breaches continue to happen.

According to Payton, companies with poor data hygiene are the most susceptible to cyberattacks. When companies kept analog files, they would shred records when storage space was exhausted or when data reached a certain age. In a digital environment, storage space is cheap and seemingly limitless, meaning that data could—and probably will—live on servers for years. As time goes on and a company reorganizes, data is forgotten, creating prime points of entry for hackers. Adopting a data-“shredding” strategy is imperative.

In addition, the tools needed to hack into a system have become both affordable and readily available. Now anyone can be a hacker—and those who have chosen this path grow more adept at their craft every day. Taken altogether, this is a recipe for potential disaster.

Payton outlined best practices for maintaining optimal data hygiene:

  • Don’t keep all of your data in one place. For data you need to retain, “segment it to save it.” In other words, divide that information among multiple digital locations so that if one location is compromised, a hacker hasn’t gained access to the entirety of the data the company holds.
  • Create rules around when you no longer need data and set a schedule for “shredding” it.
  • “Shred” any data that you don’t need. Keep only data related to the attributes of consumer behaviors and get rid of the specifics (e.g., names and social security numbers). Doing so will reduce your risk of being held accountable when a breach happens.

Furthermore, she stressed that directors should be sure to ask certain questions as they work with management to hone the company’s cybersecurity strategies:

  • Have we identified our top critical assets—those that if held for ransom, lost, or divulged, would destroy us as a company?
  • Who has access to those assets? How do we grant access?
  • Have we drilled for a cyber breach disaster?
  • Do we have a liability plan that will cover the board should critical assets be breached?