April 9, 2020
April 9, 2020
As the world responds to the global Coronavirus Disease 2019 (COVID-19) pandemic, many boards may be experiencing what is usually familiar to every chief information security officer (CISO)—the impact of being under threat day in and day out.
Managing vulnerability has suddenly taken on a whole new meaning. Leaders are focused on protecting their people, serving their customers, and stabilizing their business continuity. Being cyber-savvy is one way to do that—but it has its own challenges and implications.
In conducting research for the third annual State of Cyber Resilience report, Accenture found that many organizations face unsustainable cybersecurity costs and that security investments are often failing for the majority. Alongside dealing with low detection rates and slow recovery times, organizations are also finding that cyber criminals are constantly active, creative, and above all, persistent and patient.
As the risk environment changes, these criminals adapt. For instance, our research shows that 40 percent of security breaches at companies surveyed are from indirect attacks, as threat actors target weak links in the supply chain or business ecosystem. With many organizations adopting remote working policies and relying on third parties to connect their teams due to COVID-19, patterns of behavior among company employees and third parties could become even more complex. In short, what works today will not necessarily work tomorrow.
Corporate directors need to consider the four communications stages between the board and CISO that can not only drive the clarity and insight needed to reduce the risk of their cybersecurity efforts but also place cybersecurity front and center as a strategic issue in the boardroom.
Cyber-risk communications between the board and the CISO are a critical part of governing and managing significant business risk. But communications must be relevant, timely, and fit for purpose. Next-generation CISOs must be both business-adept and tech-savvy, equally at home in the boardroom as in the security operations center, speaking the language of the business, to the business.
Indeed, as the MIT Center for Information Systems Research (CISR) recently found, some organizations are adding digital- and cybersecurity-competent directors to their boards or creating a technology and cybersecurity committee to improve the board’s governance of these complex issues. As one of the directors interviewed for the MIT CISR research notes, “Digitally savvy directors change the risk conversation from evaluating the project risk of particular initiatives to the business model risk of not doing something new.”
And communication is not only important inside the organization. Regulators are focusing on boards and leadership to hold them to higher levels of accountability around cybersecurity risk, while litigation is also turning up the heat on communication, documentation, and the board’s approach and performance when the inevitable breach occurs.
Here are four steps that can help boards oversee any cybersecurity risk communications plan during the COVID-19 pandemic and beyond:
Tactical. One essential element of reporting is to think tactically, with regular quarterly reports from CISOs to boards that focus on the key operational metrics of cybersecurity risk management. This can include analytics about threats detected, dwell times, and employee training, which are useful and necessary—but for the boardroom, they must be delivered against a richer context around creating and protecting value.
Action for the Board: Dynamic, timely communications, supported by cybersecurity management programs and metrics, can help to secure operational effectiveness, confidence, and understanding.
Operational. Many cybersecurity risk communications approaches stop at the tactical phase, which makes them largely ineffective at helping the board truly understand cybersecurity risk and its impact on the business. Operational communications can help the board see how cybersecurity affects business value—and give insights into the longer-term effect on business strategy and growth.
Action for the Board: With transparency, the board can fully evaluate cybersecurity risk within the context of the business and make informed decisions based on the organization’s risk appetite. Cyber value assessment and analysis can bring transparency to how cybersecurity risk management is supporting business objectives.
War Games. War game-level communications focus on preparedness. This is an opportunity for the board to walk through an actual market development alongside a mock incident response exercise.
Action for the Board: Using a real data breach incident that occurred within the organization as a “test” with mock response exercises helps to summarize what is known about a breach or market development and how it could potentially impact the organization—so that the organization can be better prepared.
Live Fire. Live-fire communications focus on assessing how quickly an organization can recover from an attack. They use mock incident response exercises to illustrate how a comprehensive approach during a crisis can result in well-managed events.
Action for the Board: Initiate an incident response plan to determine the best way to achieve a swift recovery.
While every organization has a unique cybersecurity risk profile with different levels of maturity in its cybersecurity risk management practices, effective communications can be the best means to understand the whole picture—and make better decisions going forward.
To this end, corporate directors must:
Boards and CISOs should open the lines of communication and keep them open. As threats evolve and digital systems become more complex and fundamental within the business, a sound approach to communications is one way to protect business value.
Bob Kress is a managing director, cochief operating officer, and global quality and risk officer for Accenture Security.
NACD: Tools and resources to help guide you in unpredictable times.