Equifax, WannaCry, and Petya are recent reminders of the importance of effective cybersecurity risk management. Equifax alone spent upwards of $4 billion on its 2017 data breach. The costly and dynamic nature of cybersecurity threats makes them a top risk for many businesses; board directors and management, however, often struggle with understanding and responding to the scope of this rapidly changing risk.
For most boards, cybersecurity is far from a core competency. Many C-suite executives, board directors, and IT leaders are not well-versed in security measures and would be unable to effectively guard against and mitigate an attack. This lack of fluency can contribute to indecision or avoidance when dealing with cybersecurity, and in the worst cases, a resigned acceptance that attacks are unavoidable.
Closing the Knowledge Gap
The following guidelines can help strengthen businesses’ security programs by identifying core cybersecurity competencies and delegating each to the appropriate level of management. Consider including these cybersecurity fundamentals in your advisory arsenal.
Management-led; overseen and directed by boards.
Governance: This critical component identifies the parameters necessary for companies to remain secure and compliant. Governance parameters should be clear, consistent, measurable, well-prioritized and aim to guard what the company identifies as its most sensitive assets. Management should define parameters to be reviewed and approved by the board.
Measurement: Managers should clearly define a successful risk-management model to establish consistent security priorities and goals, and periodically ensure company alignment with this model. Performance results should be shared appropriately among key stakeholders, management, and the board.
Response: The board is responsible for ensuring that management is capable of successfully carrying out proposed security plans, and should recommend any adjustments necessary to make plans executable.
Creating a Security-Conscious Organization
Culture: A security-driven culture is critical to enforcing cybersecurity over time. Boards should ensure that CEOs are exemplifying and encouraging this culture; company leaders should set a precedent that permeates throughout the organization.
Further, boards should clarify and promote the incentives of cybersecurity compliance, including growing top-line revenue, lowering operations costs, improving quality of service, entering new markets, and recruiting and retaining high-performing employees.
People: The CEO and technical staff play vital cybersecurity roles; boards should feel confident in their abilities to implement and uphold the company’s cybersecurity values. Incentive, training and professional development programs should be strong enough to retain valuable employees. Boards should periodically evaluate these employees and incentive programs, making necessary changes to support the company’s security goals.
Shared responsibility between management and board.
Policy: Cybersecurity is a critical concern driving major regulatory and legislative shifts in the U.S. and worldwide. Management, boards, and companies as a whole should continuously track and prepare for upcoming policy changes.
A business caught unaware of new regulations can incur considerable costs. The European Union’s General Data Protection Regulation (GDPR), for example, will become enforceable in May 2018 and will alter compliance costs and require new data security measures.
Foresight: The best security programs anticipate and plan for potential incidents. Understanding likely threats, as well as recognizing vulnerabilities and unknown factors, is critical to developing an effective cybersecurity plan. Management, boards and other key players are responsible for anticipating future threats and assessing the company’s ability to guard against potential attacks. When appropriate, trusted third parties can be a helpful tool to assess, audit and provide an outside view of a company’s cybersecurity efforts.
Bringing Cybersecurity to the Boardroom
Introduce cybersecurity conversations and recommendations to boards by keeping them relevant, risk-focused and role-based. Directors respond well to case studies – when advising, contextualize issues with relevant news stories, and tie them to directors’ focus areas: risk management, value creation, and metrics. Use the above guidelines to clearly define management and board responsibilities, providing the basis for a stronger, security-centric board.
To learn more about the Chertoff Group’s approach to cybersecurity, please download the SAFETY Act Report.
About the Author
The Chertoff Group is a premier global advisory firm focused on security and risk management. Founded in 2009, The Chertoff Group helps clients accelerate growth and secure their enterprise by offering strategic business consulting, mergers and acquisitions advisory services, and risk management security services.