12 November, 2016
Today, business leaders have to tackle cybersecurity, an existential risk that is unlike any other trend I’ve seen on boards’ agendas. Throughout my career I’ve seen many trends and topics cycle in and out of the boardroom. Whether it’s been the nuances of operating in a new market like China, or changing regulations like Sarbanes-Oxley, every few years there’s a shift that inevitably leads to calls to expand the board to include a specialist. But this one is different.
Digitization has resulted in every aspect of a business being connected. Cyber risk is pervasive and affects the entire enterprise; no person or department is immune from vulnerabilities. An employee may receive spear-phishing emails that expose sensitive data or load malware onto the organization’s systems. An advanced persistent threat may lurk in your network undetected, quietly stealing trade secrets and other intellectual property (IP). Malvertising can hit any employee connected to the internet and leave behind malicious code. And executives can be targeted through sophisticated social engineering schemes that enable fraudulent wire transfers. Criminals aren’t solely pursuing sensitive customer data to sell on the black market; they are attempting intrusions and heists that can severely disable organizations.
As technology advances, so do the threat landscape and regulatory scrutiny. Recent estimates put the cost of cybercrime to the global economy at $445 billion [2] this year, and it shows no sign of waning. While the average cost of a breach is estimated at $4 million [3], the true figure can be higher once you factor in potential regulatory fines, business disruption costs including the spending needed to respond to a breach, and the loss of business, customers, or assets that results from it. Many forces can disrupt business and reduce profit. TalkTalk, for instance, lost over 100,000 customers as a result of its 2015 breach, and its pretax profits declined compared with the prior year [4].
CONSIDER CODAN [1]
An Australian communications, metal detection, and mining technology firm. A breach led to the theft of its metal detector designs, and the market was flooded with counterfeit versions of its product. This forced the company to cut prices in half, and it suffered a net profit loss as a consequence.
Effective cybersecurity governance requires specialized expertise so that board members can properly advise an organization and judge whether the business has a process in place to protect itself. You can’t completely outsource cyber expertise any more than you can outsource any other function that needs capable oversight. Boards need to make informed business decisions on risk with knowledge and understanding, and cybersecurity requires the board’s input. It is part of an organization’s fiduciary responsibility to protect the assets of the company, its shareholders, and its clients. There is also a clear financial incentive to do so: the Ponemon Institute estimates that board involvement in cybersecurity reduces the per capita cost of a breach [5].
HERE ARE FOUR THINGS BOARDS SHOULD CONSIDER TO HELP THEIR ORGANIZATIONS REMAIN RESILIENT:
1 – Hire a Chief Information Security Officer (CISO) who is aligned with business priorities
Effective CISOs are a hot commodity in the world of information technology, and having a chief information officer (CIO) alone is not sufficient. The CISO should not report to the CIO: a CIO’s main focus is having the right technology, whereas a CISO’s job is to think about everything that relates to information security across your entire business, including its impact on your business processes and the risk to your enterprise. You want the oversight and expertise of a technical person on your security team who can assess and communicate the impact of cyber risk on the company as a whole. If your organization has trouble finding someone to fill this position, or can’t create the position, contract externally until you can.
2 – Consider integrating cyber into, and if necessary establishing, a risk committee
Many boards have relegated cybersecurity issues to the audit committee, but these issues require too much domain expertise, and this complex topic often does not get the understanding and attention it needs there. A risk committee should have a charter that mandates cyber education for the board. If your organization doesn’t have a risk committee and is contemplating starting one, this should be your push.
3 – Your board should hear often, and directly, from your cybersecurity experts.
The rapidly moving cyber landscape means that the threat report you heard just six months ago will soon be out of date. Do not apply traditional board reporting approaches to a non-traditional risk issue. Make sure whoever is responsible for cybersecurity reports directly to your risk committee at every meeting and also reports directly to the full board. Just as adversaries rapidly evolve their techniques to find and exploit vulnerabilities, an organization’s approach to cybersecurity must follow a similar pattern of continuous improvement to stay ahead of the next threat. There is no beginning or end to an organization’s cybersecurity resilience plan.
4 – Recruit a board director with cybersecurity expertise the same way you seek others with management experience.
Yes, times change and risk evolves, but innovation isn’t going anywhere and neither is this threat. You can outsource the day-to-day management of and response to this risk, but if you don’t have anyone on the board who knows enough to ask the right questions, then you have a problem. You don’t need to hire someone who has been in the day-to-day trenches of running security operations centers, but you should select someone who has governed this domain responsibly, who can identify the root causes of the information security issues at hand, and who understands the impact those root causes have from a business and overall enterprise risk perspective.
The Committee of Sponsoring Organizations (COSO) released an updated enterprise risk management framework, and while it did not mention cybersecurity explicitly, it did emphasize the importance of engaging in a probing dialogue and asking a variety of questions. Ask yourself whether your organization’s current board composition is knowledgeable enough about cybersecurity to do so in a meaningful way. If your answer is no, you should pick up the phone and call an executive search firm.
The tone needs to be set at the top when it comes to managing cybersecurity risk, and that same risk management approach needs to be injected into the culture of the organization to ensure it is part of the enterprise’s DNA. This can start in the boardroom. Business has been enabled by technology, innovation, and connectivity. But these changes have also ushered in security challenges that cut across the entire enterprise and require a new approach to risk management.
It’s just as important to have the right people in your organization managing your cybersecurity risk as it is to give those people the ability to communicate properly with the most senior executive team, including the board. This means having a CISO who speaks directly to the board, and a board with enough understanding of the issue to enable a productive conversation. If you aren’t sure this makeup exists at your current organization, the first call should be to your CEO to make your case and determine an action plan. The second should be to your cybersecurity recruiter.
1. Forrester, The Cybercriminals Prize Your Customer Data And Intellectual Property (https://www.forrester.com/report/The+Cybercriminals+Prize+Your+Customer+Data+And+Intellectual+Property/-/E-RES61544)
2. World Economic Forum, The Global Risks Report 2016 (http://www3.weforum.org/docs/Media/TheGlobalRisksReport2016.pdf)
3. Ponemon Institute, 2016 Cost of a Data Breach Study (http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN)
4. Forrester, Protect Your Intellectual Property And Customer Data From Theft And Abuse (https://www.forrester.com/report/Protect+Your+Intellectual+Property+And+Customer+Data+From+Theft+And+Abuse/-/E-RES61476)
5. Ponemon Institute, 2016 Cost of a Data Breach Study (http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03094WWEN)
For further information, please contact:
Paul Jackson, Managing Director, Stroz Friedberg
pjackson@strozfriedberg.com