Let’s Focus on ‘Right Information,’ Not Board Seats
I watched with interest as Senators Jack Reed (D-RI) and Susan Collins (R-ME) advanced bipartisan legislation that would require companies to disclose whether they have a director with cyber expertise on the board, and if not, why. Regardless of whether it passes, The Cybersecurity Disclosure Act of 2015 has apparently widened the door for shareholders and regulators to increase their pressure on boards and hold them more accountable for being proactive about understanding the company’s cybersecurity risk.
As someone who has witnessed the global cybersecurity battlefield at close range for over 14 years, I wholeheartedly agree that boards should increase their knowledge of cyber related risks and engage more proactively with the company’s strategy for mitigating them. Yet for boards to rise to Sen. Reed’s challenge that companies “have the capacity to protect investors and customers from cyber-related attacks,” it’s important to solve for the problem and not just the perception. Electing a cyber-expert to the board could certainly be helpful for companies. However, it may not be practical at this time. Nor does it solve for capacity.
No matter what risks they oversee, from financial to geopolitical, board members have an obligation to avail themselves of the right information to make informed decisions that safeguard shareholder value. This is no less true of cybersecurity risk. In order to empower an effective security program, the board should seek the right information and expertise on which to base its decisions about tolerance, investment, policy, and practice. That information includes but is not limited to: a solid understanding of the threats, the results of a well-prepared cybersecurity risk assessment, a roadmap that articulates desired outcomes and metrics for monitoring effectiveness.
Companies are trying to answer the questions: “How do we know if we’re making a reasonable and appropriate effort to mitigate these risks?” and “How do we measure and rationalize our security investment in the context of corporate strategy and risk tolerance?” I believe boards and their committees should oversee the cyber risk similar to the way the audit process manages financial risk.
- Seek a balanced view of Information Technology (IT) security and IT enablement. Give both sides adequate time on the boardroom agenda at each meeting. You’ll gain insights on how strategic initiatives add risk so they are addressed earlier with less disruption, but you’ll also have the added benefit of exploring how security can enable those initiatives.
- Ask whether the cybersecurity program has early warning capabilities that reduce time-to-respond. And if not, ask when to expect them. The goal is resilience, not the elimination of risk. Defense is not the endgame. The goal is to reduce the time it takes to detect and respond to the threats targeting your company’s digital assets. Early response is the cornerstone of mitigating risk and damage. Boards should ask if there is a one to three year roadmap for achieving an early warning system that increases visibility and applies threat intelligence to existing solutions, at a minimum, for a more proactive security posture.
- Be sure that specific “point solutions” are not confused with the company’s cybersecurity strategy. New technology solutions may be necessary, but being resilient against the threats will depend on how those solutions are integrated, managed and governed as a whole. Ask your cybersecurity officer “what are the desired outcomes?” and “what is the roadmap for getting there?” It’s better to crawl-walk-run toward a well-integrated, manageable program than to jump at every new solution. It’s not about how many “boxes” are deployed to stop the adversary. It’s about how well you’re organized for the fight.
- Seek the right threat and risk monitoring dashboard. Security officers with a proactive security program in place should be able to answer: are there threat actors in our systems now? If the answer is no, how can we be sure? and “How do we know they’re there?” Another important metric to monitor is how well the company is improving its “time to respond” to incidents.
- And finally, seek third party input and intelligence to aid informed decision-making. Cybersecurity risk is asymmetric, so any security program that provides early warning is going to need threat insights beyond a company’s own experience to date. The right security expertise can help you identify your most likely threats based on global threat intelligence gathered from outside the company’s own limited experience. A third party can also help your security team assess the effectiveness of its current posture against those real-world threats by simulating the attacks. With capabilities in place to anticipate the real threats and prioritize effort, you can greatly expand the security program’s capacity and effectiveness.
It’s inevitable that more and more board members will come to the table with a working knowledge of IT enablement and IT security over time. But for now, boards can take a more proactive and knowledgeable stance by: seeking equal input from IT security and IT enablement leaders; leveraging third party threat intelligence and expertise; and monitoring the company’s progress toward a stronger security posture with “early warning” capabilities that mitigate risk with faster response. These measures go beyond the appearance of “prioritizing” cybersecurity. They add up to tangible improvements in risk mitigation on behalf of all the company’s stakeholders.
- Learn more about the sophistication of the underground hacking marketplace
- Examine leading practices in the oversight of cybersecurity risk and strategy
Mike Cote is CEO of SecureWorks, a global cybersecurity services firm that provides an early warning system for evolving cyber threats, enabling organizations to prevent, detect, rapidly respond to and predict cyberattacks. SecureWorks minimizes risk and delivers actionable, intelligence-driven security solutions for more than 4,200 clients in 59 countries.