Aligning with your company’s new chief information security officer (CISO) is a great opportunity to provide better protection for your organization, ensure regulatory compliance, and align previously siloed teams to gain clarity on how your business will respond in the event of a cybersecurity crisis. That’s why I urge board members to initiate early communication with those directly in charge of maintaining the enterprise’s vision for security by asking questions and collaborating on cybersecurity strategies.
According to a new study from the Enterprise Strategy Group and the Information Systems Security Association, a lack of alignment between the security leader and the business can contribute to high CISO turnover. This is especially true if the CISO doesn’t feel welcome to participate in boardroom meetings with executives.
This is a two-way street, of course. Board members often lack the knowledge they need to converse with information technology (IT) and cybersecurity professionals. They also tend to lack an understanding of how these groups contribute to effective enterprise risk management. Below we go through a few tips that will help put you on the right track and align these critical parties.
Understanding Your Company’s Risk Tolerance
First, in order for the board to understand the company’s cybersecurity posture, its members need to understand what level of risk is appropriate for your company. Each company’s individual strategy for growth, innovation, and safety should determine the extent to which it manages various types of risk, be it safety risks, operational risks, environmental risks, or technology risks (keeping in mind that technology plays a role in just about every category of risk).
Cybersecurity programs need to address an expansive and ever-changing threat landscape. They should include strategies to identify how vulnerable the organization is, determine whether or not it has been compromised, and enhance operational efficiencies. During the new CISO’s first 90 days, directors should be sure to get his or her input on all of these areas, as well as a documented approach to how the overall risk to the business will be monitored based on these elements.
Understanding the risk tolerance of the business is the first step, but in order to properly determine it, the CISO must be able to answer several questions. Knowing which questions to ask, and how these questions relate to managing risk within the company, will go a long way toward effective cyber risk management. To get a full understanding of your company’s cybersecurity posture, and to ensure your security team is focused on the right things, ask your new CISO to answer the following questions in his or her first 90-day board report.
Does our security team have a full, well-informed view of our organization’s vulnerabilities? What are our top three cyber threats? How do we identify and deal with emerging threats?
What have we learned from past cybersecurity incidents?
Does management have a clear vision of the cyber risks to our organization? Can you provide any past examples of C-suite executives supporting the cybersecurity objectives of the company?
Are we managing cyber risks in alignment with the appropriate level of risk for our company and industry?
What steps are we taking to ensure compliance with all requirements for our industry? Do we follow any cybersecurity industry best practices such as the Center for Internet Security’s Critical Controls?
What is our cybersecurity incident response plan? Do we maintain an internal and external communications plan as a component of that? Has a tabletop exercise been completed to test the effectiveness of the plan?
How is our security team collaborating with our IT and development operations teams? Look for examples of a strong security operations (SecOps) practice, such as shared data and integrated processes, helping to make security inherent within all business operations and innovation.
How are we ensuring that our partners take appropriate security measures? For example, when engaging outside firms for services, are those other companies protecting sensitive information such as our marketing strategies and customer information? How is this being enforced? This could include signing agreements and performing regular assessments of vendor security practices.
How do you measure the effectiveness of our cybersecurity program and initiatives?
What investments can we make to further reduce our risk? What do we need and why?
Encourage your board, as they review the information provided by the CISO, to ask for relevant, specific examples and documentation. While your fellow board members might not know the underpinnings of cybersecurity, they will have a fresh point of view on the resources and implementation of these processes. For instance, a comprehensive incident response plan should be thoroughly documented and readable for all involved parties, so that each of them knows his or her role during a security incident.
By asking the CISO these probing questions, verifying the responses, having a knowledgeable senior executive or board member act as sponsor, and partnering with a trusted cybersecurity advisor, your organization will have a defined understanding of its cyber risks and will be prepared to make informed investment decisions.
Only 44 percent of cybersecurity professionals surveyed by the Enterprise Strategy Group and the Information Systems Security Association believe that CISO participation with executive management and boards of directors is at the right level. Clearly, more needs to be done to inform risk-based cybersecurity decision making and to integrate SecOps more deeply into core IT and development responsibilities. How can you buck that trend?
The period after the CISO’s 90-day report is a perfect time to discuss the answers to these questions. Follow up with your CISO to identify areas of concern and where more support from the board or executives might be needed for him or her to succeed. An ongoing dialogue is critical and will fine-tune cyber-risk management. It will also allow management to make informed technology investments, identify what training needs to happen, and provide ongoing cybersecurity governance aligned to risk tolerance and business goals.
The time is now for boards to improve the quality of dialogue with CISOs. Initial conversations and expectation-setting will minimize the possibility of overlooking cyber risk that could be detrimental to the corporation and its shareholders, while also making sure that everyone involved in the oversight of security gets on the same page.
Corey E. Thomas is CEO of Rapid7.
From the recent botnet attack on home and small-office routers to renewed attention to cybersecurity at the U.S. Securities and Exchange Commission (SEC), directors of companies are tasked with understanding and overseeing a mounting range of information about cyber risks. Recognizing that directors need oversight-specific resources to guide their understanding of this critical risk, the National Association of Corporate Directors (NACD), Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University (CMU) partnered to develop the Cyber-Risk Oversight Program.
The program is tailored specifically to the needs of the director and is updated periodically with webinars to provide context on the most recent developments in cybersecurity. Students who complete the course and pass a series of quizzes are awarded the CERT Certificate in Cybersecurity Oversight. They also join a group of their peers who are publicly acknowledged for having completed the program.
“Cyber-Risk Oversight: Boardroom Update” is the first installment in our Cyber-Risk Oversight webinar series. Completion of the program is not a requirement to view this webinar. Some chief insights from the webinar follow.
What’s New in the Threat Environment
According to the 2017 Cybercrime Report, published by Cybersecurity Ventures and the Herjavec Group, cybercrime will cost the global business market $6 trillion annually by 2021. Summer C. Fowler, a member of the CERT Institute faculty at CMU and an instructor in the Cyber-Risk Oversight Program, says that this considerable cost suggests that directors should pay closer attention to cyber-risk oversight, as cyber risks take a material toll on companies. Below is a summary of some of the more pressing threats discussed in the webinar.
Just under three quarters of cybersecurity breaches of companies’ systems come from an outside source, while 27 percent are from insiders. Fifty percent of the breaches are carried out by criminals acting with financial gain in mind.
Small businesses have become a primary target for cybercriminals because they oftentimes do not have sufficient resources to defend themselves. Directors of these types of companies and nonprofits should ask questions of the organization’s executives to understand how data is being protected.
The average time to discover a breach is six months, down from seven months in 2017. This number is alarming, as cybercriminals are still spending significant time inside systems without being detected.
Members of boards of directors are very often the targets of whaling attempts: phishing attempts in which the recipient receives an e-mail that looks like a critical, legitimate request. For example, an e-mail may be drafted to appear as though it has come through the chain of command. Multiple people are often targeted at once in these attempts, to increase the appearance of legitimacy. Whaling can be extremely convincing, and directors should receive training on how to avoid falling victim to these attacks.
Cybersecurity and the SEC
In recent years the corporate approach to cybersecurity has shifted from a reactive to a proactive mindset. These shifts have also been significant from a legal perspective, as ensuring cybersecurity and data protection becomes the responsibility of many people rather than one single person. Cybersecurity has also become a priority for the SEC. In 2011, the SEC’s Division of Corporate Finance issued guidance on how companies should approach disclosure of a breach to investors. While the chief regulator of public companies has not since made any specific rules on the reporting of cybersecurity incidents, it restated its guidance on what it expects companies to do to be transparent with shareholders about breaches. In February, the SEC released guidance for companies to consider when evaluating cybersecurity risks for disclosure. The SEC suggests that the board needs to think about more than the concrete costs of recovering after a cyber breach.
The factors that a board should consider in cybersecurity disclosure are:
occurrence, frequency, and severity of prior cybersecurity incidents;
probability and potential magnitude of cybersecurity incidents;
adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
aspects of the company’s business and operations that give rise to material cybersecurity risk;
costs associated with maintaining cybersecurity protections;
potential for reputational harm;
existing or pending laws and regulations that may affect the cyber requirements; and
litigation, regulatory investigation, and remediation costs associated with cybersecurity incidents.
Are you interested in earning a respected credential in cyber-risk oversight at your own pace? NACD members and those who are not yet members are encouraged to watch the webinar embedded above to preview the course’s offerings and to register for the course.
If you’ve ever seen a television ad for a prescription drug, chances are you heard a soothing voice urging you to “talk to your doctor” about the treatment in question.
Now, I may not have a silky voice fit for TV, but I do have a similar message for the distinguished readers of the NACD Board Leaders’ Blog: Talk to your auditors about cybersecurity.
The Importance of Communicating About Cybersecurity
Unlike a blockbuster pharmaceutical, there is no magic pill that can solve the big, complex, and evolving issue of cybersecurity. In recent years, however, the key elements of a sound approach to cybersecurity have become clearer, and one of those elements is communication.
Regulators certainly recognize the importance of communication from businesses to investors. In September 2017, Securities and Exchange Commission (SEC) Chair Jay Clayton stated, “I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face. That stark reality makes adequate disclosure no less important.”
Accordingly, the SEC remains strongly focused on ensuring the adequacy of public company disclosures of cybersecurity risks and how those risks are managed. Likewise, investor groups, such as the Council of Institutional Investors, have also asked company boards to strive for transparency in reporting efforts around cyber threats.
At companies, communication is no less critical between and among boards of directors, company management, external auditors, and internal auditors. Each group has a role to play, and each must have a grasp of the others’ roles. Ongoing dialogue fosters this understanding.
CPA Firms and Cybersecurity: Bringing Expertise and Values
Before jumping into a dialogue with external auditors, a board member might wonder, “Why talk to an accounting firm about cybersecurity?” It’s a fair question, with two simple answers.
Deep expertise. Not only do certified public accounting (CPA) firms provide independent assurance services in both the financial statement audit and a variety of other subject matters, they have played a role in assisting companies with information security for decades. In fact, four of the leading 13 information security and cybersecurity consultants are public accounting firms.
Strong values. CPAs bring to bear strong values that have defined and guided the profession for over a century. Foremost among these values are independence, objectivity, and skepticism.
Key Topics to Discuss with Your Auditor
So, having established that a conversation with a CPA firm about cybersecurity is a good idea, what is there to talk about with your auditors? The Center for Audit Quality (CAQ) has recently released a cybersecurity tool for board members to guide these conversations. The tool, which leverages resources from NACD and others, covers areas including the following important topics.
How the Financial Statement Auditor Considers Cybersecurity Risk
An essential starting point in the dialogue is to get clarity on the current roles and responsibilities of the financial statement auditor when it comes to cybersecurity. This conversation may include, if applicable, the audit of the effectiveness of a company’s internal control over financial reporting (ICFR).
A talk with the external auditor might involve the following questions.
How does the financial statement auditor’s approach include the consideration of cybersecurity risks when identifying and assessing risks of material misstatement for the financial statement and ICFR audits?
If, as part of understanding how the company uses information technology in the context of its financial statements and ICFR, the financial statement auditor identifies a cybersecurity risk, how does that risk get addressed in the audit process?
Why don’t the financial statement auditor’s procedures on an ICFR audit address all of the company’s enterprise-wide cybersecurity risks and controls?
What impact does a cybersecurity breach have on the financial statement auditor’s assessment of ICFR?
In the event of a cybersecurity breach that results in a potential need for a contingent liability that could be material, what is the audit response of the financial statement auditor?
How CPA Firms Can Assist Boards in Cyber-Risk Oversight
Although cybersecurity risk management practices are typically beyond the scope of a financial statement audit, the CPA profession’s commitment to continuous improvement, public service, and increased investor confidence has resulted in a greater focus on this area.
One example is the cybersecurity risk management reporting framework developed by the American Institute of CPAs (AICPA). The voluntary framework, known as SOC for Cybersecurity, enables CPAs to examine and report on management-prepared cybersecurity information, thereby boosting the confidence that stakeholders place on a company’s initiatives.
Here are seven questions to ask CPA firms about these initiatives.
How can the AICPA framework be used as a self-assessment tool to help management or the auditor (via a readiness engagement) identify opportunities for improvement in the company’s cybersecurity risk management program?
How is the AICPA’s cybersecurity risk reporting framework used by auditors as part of an attestation service to evaluate management’s description of its cybersecurity risk management program? How does it determine whether controls within the program were effective at achieving the company’s cybersecurity objectives?
What technical expertise do CPA firms possess that qualifies them to perform a readiness engagement or an examination to validate the effectiveness of controls specific to a company’s cybersecurity risk management program?
The SOC for Cybersecurity examination cannot prevent or detect a cybersecurity threat or breach. Accordingly, what is the goal of the cybersecurity examination?
What factors should be considered by the company and the CPA firm prior to engaging its financial statement auditors to perform the readiness assessment or examination for entities subject to SEC independence rules?
What is the audit profession doing to help address cybersecurity risks from third-party vendors or service providers?
What other types of engagements are available to help board members with cybersecurity risk oversight?
These questions, of course, are just a starting point. I urge you to read the CAQ tool for more ideas on how you can—and here I switch to my smoothest TV-announcer voice—talk to your auditors about cybersecurity.
Cindy Fornelli is a securities lawyer and has served as the Executive Director of the Center for Audit Quality since its establishment in 2007.