I watched with interest as Senators Jack Reed (D-RI) and Susan Collins (R-ME) advanced bipartisan legislation that would require companies to disclose whether they have a director with cyber expertise on the board, and if not, why. Regardless of whether it passes, The Cybersecurity Disclosure Act of 2015 has apparently widened the door for shareholders and regulators to increase their pressure on boards and hold them more accountable for being proactive about understanding the company’s cybersecurity risk.
As someone who has witnessed the global cybersecurity battlefield at close range for over 14 years, I wholeheartedly agree that boards should increase their knowledge of cyber related risks and engage more proactively with the company’s strategy for mitigating them. Yet for boards to rise to Sen. Reed’s challenge that companies “have the capacity to protect investors and customers from cyber-related attacks,” it’s important to solve for the problem and not just the perception. Electing a cyber-expert to the board could certainly be helpful for companies. However, it may not be practical at this time. Nor does it solve for capacity.
No matter what risks they oversee, from financial to geopolitical, board members have an obligation to avail themselves of the right information to make informed decisions that safeguard shareholder value. This is no less true of cybersecurity risk. In order to empower an effective security program, the board should seek the right information and expertise on which to base its decisions about tolerance, investment, policy, and practice. That information includes but is not limited to: a solid understanding of the threats, the results of a well-prepared cybersecurity risk assessment, a roadmap that articulates desired outcomes and metrics for monitoring effectiveness.
Companies are trying to answer the questions: “How do we know if we’re making a reasonable and appropriate effort to mitigate these risks?” and “How do we measure and rationalize our security investment in the context of corporate strategy and risk tolerance?” I believe boards and their committees should oversee the cyber risk similar to the way the audit process manages financial risk.
Seek a balanced view of Information Technology (IT) security and IT enablement. Give both sides adequate time on the boardroom agenda at each meeting. You’ll gain insights on how strategic initiatives add risk so they are addressed earlier with less disruption, but you’ll also have the added benefit of exploring how security can enable those initiatives.
Ask whether the cybersecurity program has early warning capabilities that reduce time-to-respond. And if not, ask when to expect them. The goal is resilience, not the elimination of risk. Defense is not the endgame. The goal is to reduce the time it takes to detect and respond to the threats targeting your company’s digital assets. Early response is the cornerstone of mitigating risk and damage. Boards should ask if there is a one to three year roadmap for achieving an early warning system that increases visibility and applies threat intelligence to existing solutions, at a minimum, for a more proactive security posture.
Be sure that specific “point solutions” are not confused with the company’s cybersecurity strategy. New technology solutions may be necessary, but being resilient against the threats will depend on how those solutions are integrated, managed and governed as a whole. Ask your cybersecurity officer “what are the desired outcomes?” and “what is the roadmap for getting there?” It’s better to crawl-walk-run toward a well-integrated, manageable program than to jump at every new solution. It’s not about how many “boxes” are deployed to stop the adversary. It’s about how well you’re organized for the fight.
Seek the right threat and risk monitoring dashboard. Security officers with a proactive security program in place should be able to answer: are there threat actors in our systems now? If the answer is no, how can we be sure? and “How do we know they’re there?” Another important metric to monitor is how well the company is improving its “time to respond” to incidents.
And finally, seek third party input and intelligence to aid informed decision-making. Cybersecurity risk is asymmetric, so any security program that provides early warning is going to need threat insights beyond a company’s own experience to date. The right security expertise can help you identify your most likely threats based on global threat intelligence gathered from outside the company’s own limited experience. A third party can also help your security team assess the effectiveness of its current posture against those real-world threats by simulating the attacks. With capabilities in place to anticipate the real threats and prioritize effort, you can greatly expand the security program’s capacity and effectiveness.
It’s inevitable that more and more board members will come to the table with a working knowledge of IT enablement and IT security over time. But for now, boards can take a more proactive and knowledgeable stance by: seeking equal input from IT security and IT enablement leaders; leveraging third party threat intelligence and expertise; and monitoring the company’s progress toward a stronger security posture with “early warning” capabilities that mitigate risk with faster response. These measures go beyond the appearance of “prioritizing” cybersecurity. They add up to tangible improvements in risk mitigation on behalf of all the company’s stakeholders.
Mike Cote is CEO of SecureWorks, a global cybersecurity services firm that provides an early warning system for evolving cyber threats, enabling organizations to prevent, detect, rapidly respond to and predict cyberattacks. SecureWorks minimizes risk and delivers actionable, intelligence-driven security solutions for more than 4,200 clients in 59 countries.
Speaking at NACD was a highlight of my year, as the audience was forward-thinking, eager to learn, and willing to grapple with tough questions in order to reach good answers. The discussions after my talk were almost as much fun as the talk itself, and there was significant appetite for a reference sheet to some of the bigger ideas I’d outlined. I hope that the summary pulled together here will prove helpful, and I welcome remarks, insights, or questions about any of it!
Disruptive trends in technology, culture, and business are converging. That convergence is an opportunity for businesses that recognize how to proceed.
Code: Technology is cheaper, faster, and better than ever before.
From software toolkits to education outlets, cloud computing to open-source big-data structures, there have never been so many ways for a motivated player to exert so much leverage so rapidly. Competitive advantages and resources that once belonged exclusively to large companies are increasingly not just accessible but freely available. In many cases, these platforms even invert such advantages—meaning that individuals who are part of porous, open groups are able to deploy better solutions faster than corporate counterparts by leveraging their communities. And all at low to no cost.
President Obama’s first campaign for the White House is a prime example of this phenomenon: he hired data specialists who used a simple method to computationally test different versions of his website in order to see which ones were generating more donations. Using this approach, he exceeded his projections by an additional 4 million e-mail addresses, a click-through rate of 140 percent, and $75 million more than was expected.
Culture: Transparency, meritocracy, and a willingness to disrupt anything characterize the new technology (and business) marketplace.
The age of playing by the rules—any rules—has largely gone by the wayside. When it’s possible to conduct corporate inversion online in under 20 minutes using a digital toolkit provided by a foreign nation state, it’s clear the playing field has changed. This is exactly what Estonia’s new “E-Estonia” initiative—which grants corporations a type of citizenship supported by cryptographically backed authentication—has been accused of enabling.
The people developing new solutions and creating new technologies take for granted an entirely different set of social (and moral) norms, which have no respect for the way your business is currently structured.
Competition: An exploding black market and a global tipping point that will occur when the remaining two-thirds of the planet come online over the next five years herald an incipient tidal wave of strange new competitors.
If you think the Internet has been disruptive during the past 20 years, you haven’t seen anything yet. The motivations and expectations of people completely new to technology differ from those of people who have already internalized it. Much like the toddler who doesn’t know what to do with a computer mouse and thinks a computer screen is broken when he can’t swipe it, new users of innovative technologies will have different expectations for what your company should provide. When you mix in a booming black market and a surging cascade of disruptive technologies—everything from drones to 3-D printing to dial-your-own genomics—you have a strange new world indeed…and one coming at you very, very quickly.
ACTION ITEMS: There’s good news in all this. You can compete just as well—if not better—by recognizing that the game has changed and adapting to the new rules.
1) Experiment, experiment, experiment.
It’s faster, cheaper, and easier than ever before to invent, test, and iterate. It’s what your competitors (and they are legion) are doing—especially the outlier startups that you so fear will flip your market as Uber did the medallion cab industry’s. The good news? You can do exactly the same thing. Even better, once you do, you already have a supply chain, established market, and deep resources to drive these new industries ahead of smaller first-time players.
What to ask your senior management: How are you implementing more agile and iterative development methodologies, and why?
2) Systematize culture change.
Empower your employees to act on your behalf. Legitimize risk. Reward insight. While this strategy looks good on paper, it is nearly impossible to execute, especially in highly efficient, competitive, and well-established organizations. Do it anyway, and you will find yourself at the helm of one of the most powerful entities in today’s market: A company that effectively innovates as a matter of course and knows how to build businesses and deploy products accordingly.
What to ask your senior management: How are we empowering our employees, at every level, to change the way our company operates? What evidence are we measuring that indicates this strategy is working?
3) Risk everything.
All business is about risk. But many companies have lost sight of the fact that this means not just mitigating risk but also embracing it. The emergence of new technology is confronting every industry with massive shifts that entail plenty of risk in the most negative sense. But the opposite is equally true, and it’s only by seizing the opportunities this time of change represents that you’ll emerge victorious. And who knows…you might even make the world a better place while you’re doing it.
What to ask your senior management: If you had to increase revenue by 25 percent this quarter, what would you try? Why aren’t we trying that?
I live every day in the future, metabolizing the new technologies that are slipping over our event horizon and into daily life. It’s a scary place to be, but it’s also one that offers boundless hope. Times of change are enormous opportunities for advancement. Those of us who experiment voraciously, learn quickly, and adapt effectively will chart the course for how human commerce unfolds over the next two decades. Our way will become the “new normal” and possibly set standards that will shape lives for generations to come. It’s not a time without risk, but it’s also a chance to change the world. What more could you want?
Josh Klein advises, writes, and hacks systems. He wants to know what you think.
“Putting a Boardroom Lens on Cyber,” one of the final panels of the 2015 Global Board Leaders’ Summit, continued themes heard throughout Summit sessions. The panel focused on how to ask management the right questions about the state of their enterprise’s cyber security and how to assess the strength of their preparedness to manage this risk.
The panel was packed with leading technology experts: Nicholas M. Donofrio, director of NACD, Advanced Micro Devices, BNY Mellon, Delphi Automotive and Liberty Mutual, and former executive vice president of innovation and technology, IBM; Alfred Grasso, president and CEO, The MITRE Corp.; Christopher Hetner, cybersecurity lead, Technology Controls Program, Office of Compliance Inspections and Examinations, U. S. Securities and Exchange Commission; and Kimberley S. Stevenson, director, Cloudera Inc.,and CIO, Intel Corp. Bill E. McCracken, director of NACD and MDU Resources Group and former CEO of CA Technologies, moderated the discussion.
Below is a summary of the high points from that discussion.
Recognize that cyber criminals are constantly changing methods and targets. When it comes to security breaches, “The bad people are getting better, faster, and you have to assume, therefore, that you have to move quicker,” Donofrio said. For example, cyber criminals increasingly exploit human error by using social engineering—especially with “spear phishing” emails. These emails look like legitimate business from trusted sources, yet contain dangerous malware. One employee opening such an email could compromise an entire network’s security.
Scrutinize whether management really knows where key data assets reside. It’s essential to gain the confidence that management knows the location and how “crown jewel” data assets in often highly distributed IT environments are being protected. Management needs to also demonstrate an understanding of the rationale for access rights of both employees and contractors. The fine print in third-party contracts could jeopardize data security, as cloud storage companies sometimes have “quality control” clauses granting access to your data.
Ensure that general management is held accountable for effective cyber-risk management. Cybersecurity is no longer an IT issue, but a significant business risk as technology is now a critical component of most business processes. As a result, general managers must share formal accountability with IT for the strength of cybersecurity. They must foster a risk-aware culture. If, for instance, the IT department sends dummy malicious emails to test open or click rates in the network, a problem would be detected if the rate goes up. “We track the number of employees who click on malicious emails,” Grasso said. “It’s less than two percent, but if it rises, we’ll move quickly and change our training policies.”
Demand that technology leadership avoid jargon and communicate complex concepts in easy-to-grasp language. “We have our own vocabulary as IT professionals, and we have a hard time translating that into everyday language,” Stevenson said. Technology leadership must be careful to clearly communicate concepts to board members whose first imperative is to understand risks. Technology management should craft language that non-expert directors can readily grasp.
Beware the consequences of your own oversight approach. Directors must carefully craft the questions they ask management when examining cyber risks. Donofrio recommended that board members focus carefully on the questions they ask of the C-suite to avoid sending the wrong message: for example, boards that focus exclusively on the costs associated with cybersecurity could undermine much-needed investments by management in better defenses. “We as board members can mess this thing up,” Donofrio said. Continued technological literacy is integral to asking the right questions, understanding experts’ briefings, and appreciating the full impact of cyber-risks across the organization.