Elevating Board Oversight of Cyber Risk
Cyber risk, which is among the top five risks for organizations across many industries, presents a moving target. As innovative information technology (IT) transformation initiatives expand the digital footprint, they outpace the security protections companies have in place. Security and privacy internal control structures that reduce risk to an acceptable level today will inevitably become inadequate in the future—and even sooner than many may realize.
As companies continue the battle to protect their resources, boards remain concerned with the security and availability of information systems and the protection of confidential, sensitive data. Many executives think their risk tolerance is low, yet act as though it is relatively high, thus necessitating board engagement with cybersecurity.
Our research indicates that board engagement in information security matters is improving. In the spirit of further improvement, following are eight business realities directors should consider as they oversee cybersecurity risk.
1. The organization must be prepared for success. Managing cybersecurity is not just about managing the risk of bad things happening—it’s also about handling the upside of a company’s successful digital initiatives. As companies harvest new sources of value through digitization and business model innovation, the wise course is to plan for incredible success. Directors should ensure that the organization’s cybersecurity systems are resilient enough to handle that success.
2. It is highly probable that the company is already breached and doesn’t know it. The old thinking of “it’s not a matter of if a cyber risk event might occur, but more a matter of when” is dated. It’s happening—now. Boards should be concerned about the duration of significant breaches before they are finally detected.
Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Tabletop exercises alone are not sufficient to address the increasing sophistication of perpetrators. Simulations of likely attack activity should be performed periodically to ensure that defenses accurately detect breaches and that responses are timely. Boards should focus on the adequacy of the company’s playbook for responding, recovering, and resuming normal business operations after an incident. The playbook should also include responses to customers and employees to minimize reputation damage that could occur in a breach’s wake.
3. The board should focus on adverse business outcomes that must be managed. While most businesses know what their crown jewels are, they forget to focus on the business outcomes they are looking to manage when they assess security. Considering risk outcomes or scenarios leads to enterprise security solutions that are more comprehensive than those developed around specific assets and systems.
For example, if an application is deemed to be key for business processes and is exposed to sensitive data leakage, the security solution is often focused on the source application and implementation of generic security controls. But the risk of an adverse outcome extends beyond the technology perimeter. Employee users have access to data, regularly download it, and might even e-mail it, either ignoring or forgetting the business imperative to protect it. Therefore, controls over what happens to critical data assets once downloaded cannot be ignored. IT leaders must look at information security risks holistically and consider user leakage an integral part of the adverse outcomes to be managed.
4. Cyberthreats are constantly evolving. Because the nature and severity of threats in the cybersecurity environment change incessantly, protection measures must evolve to remain ahead of the threat profile. Boards should inquire as to how the organization’s existing threat management program proactively identifies and responds to new threats to cybersecurity, taking into consideration the company’s crown jewels, the business outcomes it wishes to avoid, the nature of its industry and business model, and its visibility as a potential target. Directors should also insist on an assessment of the related risks resulting from major systems changes.
5. Cybersecurity is like a game of chess, so play it that way. IT security organizations must be steps ahead of adversaries, waiting and ready with an arsenal of technology, people, processes, and prowess. The old game of sole reliance on technology to deliver an effective and sustainable security monitoring solution falls short when combating the ever-changing threats to businesses. Security functions need to change the way they deliver protective services and move far beyond initiatives to create enterprise-wide awareness of cyber risk. Accordingly, boards should expect:
– A clear articulation of the current cyber risks facing all aspects of the business;
– A summary of recent cybersecurity incidents, how they were handled, and lessons learned;
– A short-term and long-term road map outlining how the company will continue to evolve its cybersecurity capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress; and
– Meaningful metrics that provide supporting key performance and risk indicators of successful management of top-priority cyber risks.
6. Cybersecurity must extend beyond the four walls. Notable gaps in knowledge of vendors’ data security management programs and procedures currently exist between top-performing organizations and other companies—particularly in areas that might stand between an organization’s crown jewels and cyberattackers. As companies look upstream to vendors and suppliers (including second tier and third tier), and downstream to channel partners and customers, they are likely to find sources of vulnerability. Directors should expect management to collaborate with third parties to address cyber risk in a cost-effective manner across the value chain. Attention should be paid to assessing insider risk because electronic connectivity and use of cloud-based storage and external data management obfuscates the notion of who constitutes an “insider.”
7. Cybersecurity issues cannot dominate the IT budget. Over the past decade, IT departments have been reducing operations and maintenance costs consistently, funneling those savings to fund other priorities like security. Taking into account other priorities, including compliance and system enhancements, Protiviti’s research indicates that mature businesses are left with only 13 percent of their IT budgets for innovation.
With a strained budget, it becomes critical for IT leaders to target protection investments on the business outcomes that can adversely impact the organization’s crown jewels, understand the changing threat landscape and risk tolerances, and prepare for the inevitable incidents. Without this discipline, cybersecurity will continue to consume larger portions of the IT budget. Innovation will then suffer, and the business could ultimately fail—not because a severe threat is realized, but because the spend on operational risk has distracted the business from the strategic risk of failing to mount a competitive response to new entrants and innovators. Therefore, as important as the imperative for sound cybersecurity practices is, directors should not allow it to stifle innovation.
8. Directors should gauge their confidence in the advice they’re receiving. While there is no one-size-fits-all solution, boards should periodically assess the sufficiency of the expertise they rely on for cybersecurity matters. There may be circumstances where the board should strongly consider adding individuals with technology experience either as members of the board or as advisers to the board.
Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing, and getting close to secure is elusive. Boards of directors need to ensure the organizations they serve are undertaking focused, targeted efforts to improve their cybersecurity capabilities continuously in the face of ever-changing threats.
Jim DeLoach is managing director of Protiviti.