Experts Comment on International Regulations, Cybersecurity Risks

Overseeing risk is no small task for boards as a company’s footprint is no longer confined to local or even national boundaries. The globalization of business—spurred in large part by the Internet—has simultaneously expanded business opportunities while also introducing new worlds of risk that an organization must contend with.

The National Association of Corporate Directors (NACD) invited Joan Meyer, a partner at Baker McKenzie LLP, and SecureWorks Chief Threat Intelligence Officer Barry Hensley to offer their insights on these issues as part of a larger panel discussion at the Leading Minds of Governance–Southwest event.

Highlights from their conversation with NACD Directorship Publisher Christopher Y. Clark follow.

What is your outlook on the complexities of being an international company?

Joan Meyer: It’s becoming extremely complex because there is increasing enforcement from other jurisdictions. Five or six years ago, the U.S. was the predominant regulator and multinationals only had to deal with certain European countries in addition to the United States. Now, we are seeing emerging markets that are getting extremely aggressive. They are also putting in more restrictive laws and data privacy rules about the transfer of data. It’s a real conundrum for companies because they not only have to comply with U.S. law but the more robust law of various regimes, which create conflicts. Some of that risk may be theoretical because certain jurisdictions have not begun enforcing these laws—but it’s out there.

If you are disclosing information to a U.S. enforcement authority but you can’t get information out of a foreign jurisdiction, a U.S. regulator might not care—they just want the information. In this situation, not only is executive management caught in a bind, but the board will be asked: “What do we do?”

The U.S. Department of Justice is also pursuing individual prosecutions of mid-level managers and the C-suite, and there is increasing pressure on companies dealing with U.S. authorities to get cooperation credit by identifying individuals who are culpable for the misconduct. And it’s not only in the U.S. where that’s happening. Because the government wants real-time cooperation in pursuing individuals, it’s frustrating for companies because they are being pushed to provide investigatory conclusions to the government which they may not have completed. On a global basis—whether it’s Saudi Arabia, China, Russia, or Brazil—individuals are being actively pursued. The problem is compounded if they are expatriates who are working in these foreign countries for a limited period of time, don’t understand the culture, and are suddenly being subjected to detention or prosecution. This puts managers working outside countries with an established legal system at real risk because they may be pursued by authorities simply for a perceived failure to exercise their supervisory responsibilities in the right way.

What questions should a board chair ask the chief information security officer [CISO]?

Barry Hensley: First: What are our top five risks? Only by thinking like the enemy can the CISO begin to itemize and categorize the company’s security risks. Consider the following ways you may be attractive to cyber threats: your brand and how you’re perceived on the world stage; your digital capital, such as intellectual property, electronic currency, and personal data and how it’s secured; and your internet-exposed vulnerabilities.

Second: Does our security program have the visibility to detect an advanced adversary whose work eludes security controls? The threat does not remain static nor does the network. While some tactics and tradecraft are well known, the adversary is innovating, always seeking opportunities to bypass traditional protections. For example, while implementing multi-factor authentication is important, bad actors are finding ways to impersonate users and hijack credentials. Does your risk assessment learn from the headlines and adapt? It’s important to keep risk assessments current and update your mitigation strategies and budgets against these threats.

Third: Does your staff collectively understand the term “breach” and the conditions that trigger a formal response? Are you prepared with a meaningful, rehearsed, cross-disciplinary crisis response plan? While no company wants to dwell on the potential for serious incidents and breaches, preparation is still essential. This requires a real understanding of what constitutes an addressable incident, what triggers it, the steps that must occur to resolve the incident, and the people involved. Key tenets should be established, such as: knowing who’s in charge, how the board contacts the key players, and what measurable actions we take to address the incident.

Fourth: Is security training tailored to ensure appropriate audiences are aware of threat actors and their tactics? Different segments of the workforce present different risks, and the CISO must make sure each segment is aware of the tactics being used to exploit all avenues of compromise. Boards need to ask: Do employees understand how phishing works? Do administrators know the value of frequently changed passwords and vulnerability scans? Do web designers understand the importance of secure coding practices? Do executives and financial managers recognize that they are extremely lucrative targets for social engineering? And remember: there is no such thing as one-size-fits-all security training.

Want more? A panel of Fortune 500 company directors and subject matter experts will offer their insights on issues ranging from cyber resilience to the latest regulatory trends at Leading Minds of Governance–Southeast. Join us on March 16 in New Orleans, LA. Space is limited—register today.

Additional coverage of the Leading Minds of Governance–Southwest event, with highlights from a discussion on the board’s role in overseeing talent and tone, is also available.

In Conversation with James Jones

As the business world is continuously reshaped through advances in technology, growth of new markets, and changing political landscapes, the issues that arise in both the public and private sectors have become increasingly complex. The international crises that dominate news headlines today–the emergence of the Islamic State, the ongoing war in Syria, and the crisis in Ukraine–will play a part in redefining global markets and impact how companies operate in the future. In a conversation with NACD Senior Advisor Jeffrey M. Cunningham, Gen. James L. Jones, USMC (Ret.), former national security advisor to President Barack Obama, Supreme Allied Commander Europe and Commander of the U.S. European Command, and 32nd Commandant of the Marine Corps, shared his perspectives on international policy and global competitiveness.

We are living in dangerous times. Terrorist groups are the common enemy, but unlike the uniformed antagonists this country faced in the conflicts of the 20th century, these insurgents are asymmetric, omnipresent, and far from an easily contained problem. “We need leadership,” Jones said. “And leadership has got to have moral courage and the dedication to do the right thing at the right time. If you wait too long it’s hard to put things back together.” The new challenge of American leadership is, however, forming coalitions to effectively address these problems on the battlefield, as well as in the boardroom.

Looking at the trajectory of the United States in the 21st century, Jones looked to the past. By 1950, the United States had evolved into a global power with considerable presence on the international stage. That standing, however, is currently in flux, namely because this is a century of competition. “We have economic challenges coming from China, the European Union, Brazil, India, a whole host of areas. And how we compete with those areas is going to dictate where we will be in 2050.”

To enjoy the level of success in 2050 that we enjoyed in 1950, Jones said that the public and private sectors need to work more closely together. “All of our competitors are joined at the hip between public and private interests, and we don’t do that very well,” he said. “The pillars of governance and rule of law need to play a large role in that.” To that end, he added: “I think we talk too much. Before you talk about tactics, you need to make sure you have a strategy.”

Jones also emphasized the need for leaders to foster constructive relationships. Reflecting on his time as national security advisor, he remarked on President Obama’s inclusiveness during cabinet meetings. Jones shared that regardless of politics, President Obama sought out the perspectives of everyone at the table and ensured that anyone who had equity in the issue at hand was heard. And on a global scale, Jones observed that personal relations between heads of state drive the relations between nations.

When asked for his perspective on Edward Snowden, a figure who is as revered as he is reviled, Jones commented: “I don’t have a lot of respect for people who take the coward’s way out. There’s a way to work within the system and taking a lesser traveled road [to say what you need to say] is, in my way of thinking, not honorable and not good for the country. I completely stand behind the leadership aspect of moral responsibility. Leaders are responsible for everything their units do or don’t do. And I think that’s true of the private sector, as well as the public sector. It’s a matter of standing up for the right thing.” He also emphasized the need for leaders to understand the meaning and the impact that their privileged positions carry. “It’s easy to stand up and take a bow, but there are times when you need to stand up and take a hit and you need to be willing to do that.”