By Chuck Brooks, Vice President of Government Relations & Marketing for Sutherland Government Solutions.

The Internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication.
Cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity and commerce on the Internet, and also because of the threats. A recent McAfee study disclosed that there was one new cyber-threat every three seconds in the fourth quarter of 2016. Corporate board director roles have traditionally been reserved for those with expertise and leadership experience in management and best practices. Cybersecurity expertise historically has not been a primary concern for Directors, but it has become an evolving requirement for accountability in the era of digital connectivity. The bottom line is that almost every type of business, large and small, touches aspects of cybersecurity, whether it involves finance, transportation, retail, communications, entertainment, healthcare, or energy. Cyber-threats are ubiquitous. The frequency and maliciousness of cyber-attacks (including ransomware and Distributed Denial of Service attacks against networks) have become alarming. Growing cyber-threats to corporate operations and reputation, and the theft of IP, can affect not only stock prices but the viability of a company.
The growing threat of data breaches from hackers has made cybersecurity a global urgency. According to IBM, the cost of an average data breach has now risen to about $4 million. According to Gartner, spending on cybersecurity to try to ameliorate data breaches is expected to reach $90 billion in 2017. Dr. Chris Brauer, Director of Innovation in the Institute of Management Studies, sums up the state of cybersecurity for board members succinctly: “overcoming the threat boils down to two things: accepting that you will be breached (awareness) and the ability to do something (readiness).”
Targets of the increasing incidence of phishing and other types of social engineering breaches include many corporate giants, such as Target, Anthem, and Yahoo. Even the federal government has been targeted, most notably the breach at the Office of Personnel Management where 22 million personnel records were taken.
In spite of this, there is still a lack of awareness and specialized knowledge on most corporate boards. For example, according to a National Association of Corporate Directors (NACD) survey, only 14 percent of the board members surveyed expressed a deep knowledge of cybersecurity topics.
The cybersecurity landscape is complex, and it is extremely difficult to encapsulate all the various aspects that may confront a corporate board. Suzanne Vautrinot, President of Kilovolt Consulting and Major General and Commander, United States Air Force (retired), does provide a very good framework for addressing the landscape: “The board’s role is to apply the principles of risk oversight, to advise on strategy and help push to overcome challenges—in this case, cybersecurity gaps and challenges.”
Following that strong lead from General Vautrinot, I developed a condensed “cheat sheet” with themes to hopefully provide boards with insights and impetus to address the cybersecurity threat at the C-Suite level. The four themes include: risk management, responsibility, communication, and expertise.
The Cheat Sheet:
At its very core, the practice of cybersecurity is risk management. It requires vigilance and encompasses educating employees, identifying gaps, assessing vulnerabilities, mitigating threats, and maintaining updated resilience plans to respond to incidents. Board directors should have a working understanding of risk management (and risk exposure) and have context on the array of threats and threat actors. They should also be knowledgeable about the guiding axiom of the National Institute of Standards and Technology (NIST) Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.
Cybersecurity is a responsibility. Elements of cybersecurity include policies, processes, and technologies. Every company is unique in culture, mission and capabilities, but in terms of cybersecurity, the management (including board members) and employees are accountable for overseeing those elements. A requirement for every board member should be that cybersecurity must be treated as a company priority.
Cybersecurity’s backbone is effective communication. The CISO, CTO, CIO, and executive management must align strategies, collaborate, and regularly assess their information security programs, controls, and the safety of their networks. Communication enables readiness by sharing intelligence on threats and new security innovations. Security awareness training is also an important mandate for everyone at any company, especially the board.
Cybersecurity requires expertise. Ideally, a corporate board should include a blend of internal and outside subject matter experts. It is always useful for executive management to get perspectives and ideas from experts on the outside; it helps avoid complacency. Areas of special knowledge should incorporate: legal compliance, cybersecurity technology solutions and services, training, liability insurance, governance, and policy. Information security management should include people with expertise in the ISO 27001 standard and a knowledge of best practices. Prudent policy advice necessitates that companies develop strong relationships with government. The recent passage of the Cybersecurity Information Sharing Act promotes public/private cooperation on data threat sharing, especially with the Department of Homeland Security.
Of course my cheat sheet is just a starting point. There is certainly room for more items and description. I highly recommend a new book written by Paul A. Ferrillo of the Weil Gotshal law firm and Christophe Veltsos of Minnesota State University, Mankato, entitled “Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives” for an in-depth analysis of cybersecurity and corporate board issues. With the backdrop of the startling NACD survey that found 80 percent of board members lack deep cybersecurity expertise, hopefully the issue of the lack of board cybersecurity competency will get more of the attention that is needed.
About High Performance Counsel: High Performance Counsel is a leading trade publication in the legal and compliance sector. We highlight the individuals, organizations, strategies & technology solutions driving the next decade of leadership & advancement in law & legal services. It’s a great place to share thoughts, learn from others – and navigate the future of law with confidence. We created High Performance Counsel to be a sounding board for change and a leader-board for those who are taking the industry to new heights. We keep a close eye on the emerging field of legal technology and the players in it.