The Board’s Role in Cybersecurity
This post was originally published Equilar Inc. at the following URL: http://www.equilar.com/blogs/271-exclusive-interview-the-board-role-in-cybersecurity.html
There’s no question that cybersecurity is on the mind of every director. From data breaches at well-known consumer brands to allegations of tampering with the U.S. presidential elections, cyber crime has catapulted into the public consciousness and is now top of mind for any public company. The question is—with technology moving so quickly, how should boards structure and educate themselves in order to be prepared for a cyber attack that may be imminent?
Equilar: What’s changed the most during your time in the cybersecurity industry? How have boardroom roles changed around the fact that cyber has become, in varying degrees, critical at almost every public company?
Simone Petrella: Cybersecurity has become a mainstream issue. When I first got into this field, it was exclusively in the Department of Defense and military sectors, and to see that transition over the last 15 years from a national security issue—which of course it still is—into an economic, private enterprise and commercial issue, is probably the biggest change that we’ve seen.
There’s probably no data point I could provide that more appropriately highlights this than the 2016 election. We’ve reached a juncture where it doesn’t just impact corporations and individuals, cybersecurity is affecting our nation and its voters.
Equilar: We do hear that pretty much every board has to be concerned with this, and that’s obviously true, but are there certain industry sectors that you think are more susceptible than others? Where is there a concentration of cyber issues right now?
Petrella: That’s actually a difficult one to answer because there are industries that are particularly vulnerable because of the sensitive nature of what they do. Finance obviously comes to the top of the list. Critical infrastructure as well, because of the sheer nature of the services they provide an the privatized structure we operate things like our utilities and electric grid.
But that being said, no industry as a whole is immune, and that’s for a couple reasons. A lot of times, especially when you look at cyber criminal activity, there are typically targets of opportunities. And there is no way to predict whether you get stuck in the net of a wide-scale phishing attack. They’re not necessarily looking at you because you’re a retailer or because you’re in healthcare.
On the other hand, you also have to look at the industries that are advancing or doing the most to embrace technology to improve their services. So, whether that’s healthcare or hospitality and gaming, the more we use technology to enable and create more efficient services, increase collaboration and do all the wonderful things that having those digital records can do, it also increases the risk of what you’re holding because you have more to lose.
Equilar: I think that’s a nice segue into looking at the boardroom and how they should approach this. What are the major things boards should be looking at, and also the major things they’re missing right now?
Petrella: Boards and management need to decide on the most critical aspects that make their business successful—that’s both the most important thing to consider and the major thing they’re missing right now. Even the most advanced and sophisticated organizations and companies tend to rely on their security leadership to tell them what are the things they need to protect. In reality, the only people that really and truly possess that knowledge in the context of the entire business are the CEO, C-suite level management and the board.
For example, an acquisition strategy, divestiture plans or a strategic outlook are discussed at the highest levels of the company, but wouldn’t necessarily be top of mind if you asked the IT or security leaders to define the most important things to protect.
Equilar: When it comes to recruiting directors, is it a good idea to have a specific cyber guru on your board?
Petrella: I think there are truly pros and cons, and it does depend on the current board composition, the company’s industry, what they’re looking to achieve, and frankly the perspective and biases, both good and bad, of the existing board members that are there.
If a board does have a cyber expert, my caveat is that one individual cannot be the point of failure for all cybersecurity risk issues. Because ultimately, what makes cyber security risk unique is that it is actually not its own risk category. It’s something that can impact and influence other areas of risk. A cyber event in and of itself doesn’t do anything—the implications of what that ultimately affects are the problem you have to deal with. It’s no different than a hurricane blowing away your building—it’s not about whether you were prepared for the hurricane, it’s the fact that you’ve now upset your operations, you’ve maybe lost revenue, and all those other things that boards are very familiar with thinking through in the risk management process. So to delegate that to one individual can be short-sighted, but if the construct and the organization of the board is set up to really leverage one person’s expertise to be a persistent voice that is heard by the rest of the board, I can see where it has its benefits.
Equilar: What educational resources should boards as a whole—not just individual directors—seek out as a matter of course when it comes to learning more about cybersecurity and recognizing the risks?
Petrella: The most important thing that they can do is gain a level of awareness and a level of comfort with the topic of cybersecurity so that they can deal with it appropriately. That really does have a downstream effect that you cannot achieve by just starting at middle management or at a grassroots level within the entirety of each staff member or employee of an organization. Board members are extremely good at asking very tough and probing questions and knowing when to dig a little deeper on an issue. So they need to understand the right questions to ask the management team, their CIOs, and CISOs in evaluating and ensuring that there is a cybersecurity strategy within the company and that it is being implemented in a rational and robust way.
Another thing I think is very important to remember when boards approach education is that we’re not here to scare you. We often talk about in our programming from the very get-go that cybersecurity in your organization is akin to having brakes on your car. The brakes on your car aren’t there to make the car go slower—they’re there to help you go faster. But it’s a safety gap, it’s a stopgap measure, and you would never want to accelerate to the point where you no longer have that safety net. It’s all about managing upside and downside risk.
Equilar: Right, you hear all the time that boards or companies in general have to go in with the attitude that it’s not about if you’ll have a cyber breach but when. It’s recognizing that it’s an imminent risk for pretty much any company or any person. When I use my credit card online, I know that my identity can be stolen at anytime. And so I take reasonable precautions, but I fully expect it to happen someday. It’s just one of those things.
Petrella: It has to be the new norm, and I think it’s around normalizing expectations. The reality is that this is a new topic to a lot of traditional board members, so it’s very easy to relate to how it’s a scary and sometimes seemingly incomprehensible topic. But then you think about it in the course of other risks that they are familiar with, and hopefully the goal is to make that a little bit more relatable.
Equilar: Are there times when a board should consider forming a dedicated cybersecurity committee?
Petrella: Here, I also will hesitate to say there’s a one-size-fits-all approach, because I do think regardless of where you put it in a committee, there is still an obligation at the full board level to at least have annually some level of awareness of where the organization is in relation to cybersecurity risk management. And I don’t think that strategic discussion can just stay in a committee, even if it’s cybersecurity or audit.
Generally speaking, I’ve seen a lot of cybersecurity risk responsibilities tend to fall to the audit committee. I understand why that is the first reaction, and I don’t think that’s the wrong call, but I do think that it often falls on an already pretty overworked committee.
Where I have seen cybersecurity-specific committees work well is in critical infrastructure, in particular because so much of their survivability is contingent on those businesses being available at all times. So, when you look at the threat of what a cyber attack can do, taking down any period of availability could be detrimental and also lead to loss of life, which obviously puts it into a whole other echelon.
Otherwise, it’s less clear, and a lot of the organizational structure in the committee sense is contingent on how the board does business. Is it a really active board? Is it a fairly standoffish board? How do they define their own oversight roles?
Equilar: Is there anything else that you wanted mention that you think are absolutely critical here?
Petrella: The last thing I will say, because I think that it’s a strategic imperative for any board and certainly the C-suite, is that cybersecurity is about brand protection. When you think of cybersecurity incidents, the first reaction is to manage the technical details of the crisis, which is extremely important, but there’s also the entire brand protection component. Especially for companies where their brand is so much of the value of the product that they’re selling, whether it’s a service or a product, that will be off to the side. What sometimes starts out as a seemingly small issue could be come a huge brand reputation issue. And the board’s role in advising and working through those crises when there is a cyber incident is really critical.
Please contact Dan Marcec, Director of Content & Communications at [email protected] for more information on Equilar research and data analysis. Cydney Myers, associate editor, contributed to this post. This post was originally published Equilar Inc. at the following URL: http://www.equilar.com/blogs/271-exclusive-interview-the-board-role-in-cybersecurity.html