“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U. S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc.,and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Make sure your leadership is tapping into information-sharing initiatives. Many new initiatives have emerged to increase transparency about cyber-risks, including the sharing of information about specific incidents with law enforcement aimed to better prepare organizations for new threats. From industry-to-industry resources such as the Financial Services Information Sharing and Analysis Center and cross-sector initiatives like New England’s Advanced Cyber Security Center to government-supported groups including the National Cybersecurity Center of Excellence, resources abound and panelists urged full use.
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.
Don,
As an I.T. professional with more than 50 years in many areas of computing, I beg to differ with the assumptions / conclusions in your posted comments.
1. Cyber Security is NOT an intractable problem. I believe it can be achieved at sufficient levels to adequately protect most any enterprise. Those within the enterprise, however need to understand that there is NO SILVER BULLET and any and all solutions that need to be implemented require time and resources, including capital.
2. ANY successful Cyber Security plan to be implemented MUST have the endorsement of ALL the board members, C-Level executives and the cooperation of ALL the employees, or it is doomed to failure.
3. Depending on the Attack Vectors to be addressed by the plan, defined levels of security can be attained. Sadly most companies don’t even have a Cyber Security Incident Response Plan or Committee.
You are correct in that too many companies have too much HVT (High Value Target) data with direct or indirect access via the Internet. This scenario is an “Accident looking for a place to happen”.
Your network can be protected, but there must be an understanding that with technology today, everything is in flux (changing). There must be an effort to keep ahead of the “bad guys”.
The typical mindset of a Network-Centric security model must be augmented to include a Data-Centric security model.
Limiting access to HVT data (separating it into ‘Communities of Interest’), Validating the IDentities of those with access to these Communities and an adequate Data Loss Prevention (DLP) plan are a good start. Then Encryption of your HVT data with a SOLID tool is highly recommended.
These are all good procedures which can be implemented today. All of the above need to be preceded by a Standardized Configuration program & procedures in addition to a Vulnerability Assessment & Remediation Validation Life-cycle. (Basics)
There are also other more advanced steps that can be taken.
Description
Let’s start at the top with those at the top… corporate board members! Cyber Security is an intractable problem without a known, provably correct solution. This presents an irreconcilable dilemma for board members who have a responsibility to safeguard the enterprise.
In a quandary and caught in a paradox between an incomplete Cyber Security theory and practice and the more complete and well specified fiduciary duties and risk oversight responsibilities, no amount of compliance monitoring or Cyber insurance can fully protect the enterprise. Just how to thread the needle of this legal quandary! How can board member failure be avoided when the organization insists on trusting data and information it cannot afford to lose to an Internet which cannot be protected? Corporate board members who find themselves overseeing overcommitted Internet dependencies are looking for a way to pull back.
Prudent board members seeking to resolve this dilemma should engage in Operation Cyber Pull Back where the organization strikes a prudent balance in Internet usage by eliminating from the Internet corporate data and information it cannot afford to lose and trusting the Internet only with operations data and information it can afford to lose and recover from in the event it is lost, thereby, fulfilling a board member’s fiduciary duty and risk oversight responsibility. Since Cyber Security is both below the pay grade and above the education level of board members, board members should seek the advice and counsel of a Cyber Intelligent Middleman in executing Operation Cyber Pull Back.
Don,
As an I.T. professional with more than 50 years in many areas of computing, I beg to differ with the assumptions / conclusions in your posted comments.
1. Cyber Security is NOT an intractable problem. I believe it can be achieved at sufficient levels to adequately protect most any enterprise. Those within the enterprise, however need to understand that there is NO SILVER BULLET and any and all solutions that need to be implemented require time and resources, including capital.
2. ANY successful Cyber Security plan to be implemented MUST have the endorsement of ALL the board members, C-Level executives and the cooperation of ALL the employees, or it is doomed to failure.
3. Depending on the Attack Vectors to be addressed by the plan, defined levels of security can be attained. Sadly most companies don’t even have a Cyber Security Incident Response Plan or Committee.
You are correct in that too many companies have too much HVT (High Value Target) data with direct or indirect access via the Internet. This scenario is an “Accident looking for a place to happen”.
Your network can be protected, but there must be an understanding that with technology today, everything is in flux (changing). There must be an effort to keep ahead of the “bad guys”.
The typical mindset of a Network-Centric security model must be augmented to include a Data-Centric security model.
Limiting access to HVT data (separating it into ‘Communities of Interest’), Validating the IDentities of those with access to these Communities and an adequate Data Loss Prevention (DLP) plan are a good start. Then Encryption of your HVT data with a SOLID tool is highly recommended.
These are all good procedures which can be implemented today. All of the above need to be preceded by a Standardized Configuration program & procedures in addition to a Vulnerability Assessment & Remediation Validation Life-cycle. (Basics)
There are also other more advanced steps that can be taken.