Sharpening the Board’s Cybersecurity Acumen

Much has been written, and important insights shared, on cybersecurity. The threat landscape continues to evolve, and the topic remains significant in the boardroom.

To gain fresh perspectives on this important area, Protiviti met with 20 active directors during a dinner roundtable at a December 2018 NACD event to discuss their experiences. Here are some key takeaways from that discussion:

Don’t let overinvesting in protection and detection lead to underinvesting in response and recovery. The National Institute of Standards and Technology (NIST) framework identifies five pillars of effective cybersecurity: protection, detection, identification, response, and recovery. A global study sponsored by Protiviti asked executives to rate their company’s progress on these pillars, finding most companies score highest on protection and detection and lowest on identification, response, and recovery. As most cybersecurity investments address the protection pillar, the participating directors agreed their organizations need a balanced program to detect and respond to the inevitable cyberattacks. However, most board members report they only see an overall cybersecurity budget; the company’s investments across the five NIST domains are not transparent to them.

Overall, it is important for organizations to move beyond the protection pillar when it comes to cybersecurity. One board member spoke of a maturity assessment using the NIST framework and of monitoring progress across the five domains to improve them to the desired maturity levels. The board should work with management to regularly assess and monitor the organization’s ability to identify, detect, respond to, and recover from a cyber breach, as well as ensure that appropriate investment is supporting each pillar.

Understand the paradox in breach detections between cyber “leaders” and “beginners.” Protiviti’s research finds that digital leaders report more cyberattacks than beginners. The roundtable discussion revealed several reasons, including the likelihood that digital leaders are better at monitoring security activity and have stronger detection measures. Also, they are more likely to have an expanded attack surface due to the new technologies and digitization capabilities they employ. Organizations need to stay focused and keep cybersecurity a critical priority as they advance their digital maturity. To minimize risks, companies should build cybersecurity into each step along their digital transformation process.

Manage the “cyber squeeze” on innovation funding. How does the board effectively address cyber risk without throttling innovation? This important question is a double-edged sword, as innovating creates more cyber risk because it almost always involves embracing new digital technologies. The roundtable discussion emphasized that innovation is about business strategy and should not be an information technology (IT) or “innovation” budget item. Innovation should be part of an overall budget for the enterprise’s growth strategy. Also, risk and cybersecurity should be embedded into the design and developmental approaches—including the Agile and DevOps methods—that innovation teams use so that innovation is undertaken securely.

Mind the enemy within. According to Protiviti’s research, nearly all firms (87%) see untrained general staff as the greatest cyber risk to their business because they may provide a conduit for outside attackers. As noted by several directors, there are solutions to help combat internal threats, but the board is typically not aware of how effective they are. Exposure to attacks by nation-states and sophisticated external attackers is compounded in that these groups often exploit untrained insiders.

The directors agreed that boards need to turn up the volume on their inquiries of cyber management as to what is being done about insider risk, including exposure to third parties. One tried-and-true, not to mention low-cost, cybersecurity measure—at least for insiders—remains employee training and communication.

Quantify cyber risk to put a value on the crown jewels. Quantification will help management and the board significantly as they work to understand the different types of data and information systems assets the organization maintains. More importantly, it will help them understand what needs to be protected most and oversee how asset protection is being prioritized. The FAIR methodology can assist with this analysis, as it employs risk quantification software to analyze risk using techniques such as the Monte Carlo method, which simulates risk scenarios. Conducting a quantitative risk analysis forces IT and security teams to set risk appetite thresholds, which enhances cybersecurity communications with the board.

Increase the board’s confidence in its cybersecurity oversight. Cyber threats represent a legitimate concern. A company reputation established and nurtured for 100 years can suffer severe and lasting damage following just one high-profile cyberattack. As a result, it can be difficult for boards to feel fully confident in how they are monitoring cybersecurity risk, both within the organization and among third parties. The roundtable discussion participants noted that while directors must rely on management for this information, they should be proactive in refreshing the board’s oversight capabilities: asking appropriate questions, receiving independent assurances, monitoring focused dashboards, and setting clear expectations regarding the need to preserve reputation and brand image.

Take stock of a changing landscape. Throughout the roundtable discussion, numerous comments were made regarding the changing cyber-threat landscape and the importance of staying informed as it evolves (e.g., ransomware, expanding the value of data beyond credit cards, unapproved mobile devices, third-party threats, and state-sponsored cyberattacks). The complexity of the evolving threat landscape is prompting a need for increased cooperation and information-sharing between the private and public sectors, an objective that remains elusive due to concerns over disclosing confidential and other sensitive information.

The game has now changed. Virtually any organization is susceptible to cyberattack, even if it does not harbor customers’ personal data or credit card information. Continue to monitor your company’s cybersecurity maturity using these and other steps and resources to ensure management has mitigated risks appropriately.

For a more complete look at the NACD roundtable, including key takeaways, read Protiviti’s full summary of the event.