Boards Must Manage Cyber Risks and Expectations

Data breaches in the enterprise are no longer just a minor irritant. They have become a fact of life — a situation that brings renewed focus to the role that boards of directors should play in a company’s cybersecurity strategy.

But the challenges facing corporate boards are also tough, because the reality of today’s cybersecurity world is that building a secure perimeter around information technology infrastructure simply doesn’t work anymore. Intruders are going to get through, so the strategy becomes one of risk mitigation: being prepared to handle breaches when they occur. This is the kind of message that chief information security officers are bringing to their boards.

Study Shows Board Knowledge Gap

The Chertoff Group recently conducted a study based on interviews with more than 100 senior executives. The study showed that large, public U.S. companies in the critical infrastructure sectors (finance, healthcare and telecommunications) were well-versed in cybersecurity practices. “It’s been discussed; it’s part of a risk management program,” Pflaging said.

But directors for companies outside of those critical sectors self-reported that they were not where they should be on cybersecurity education. And their companies, more often than not, did not have the kind of robust plans and knowledge to deal with the rising threat landscape.

“I really sympathize with small and medium enterprises which simply don’t have the money to invest in terms of building up a whole standalone security system,” said Chertoff, who described alternatives such as outsourcing security functions to managed intelligence and information services. “Even if their heart is in the right place, they just don’t have the scale to do what a major bank can do in terms of an operations center.”

This dilemma will force corporate boards to examine security options in much the same way that a patient manages his or her own health. “You don’t go to a doctor and say, ‘I want you to guarantee I’ll never get sick,’” Chertoff explained. “The doctor would throw you out of the office, or they’d have you committed.”

Instead, the focus should be on how to build a healthy immune system to repel and eliminate attacks. “If the board wants to understand what are the most important parts of our corporate body we have to protect and how to build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough,” said the former DHS Secretary.

That level of investment has become a key focus of board-level cybersecurity discussions and is leading many executives to talk openly about the correlation between IT spending and reducing business risk. Boards know they must protect the company, but they need guidance from the CEO or CISO on where to make the best investment in technology.

Private Sector Focus On Data Privacy

The challenges of enterprise security management also involve data privacy protection. Technology platforms such as personal voice-activated assistants like Amazon’s Alexa or connected devices in cars and home appliances are raising concern that a company could increasingly end up knowing more about a particular user than anticipated.

“As we hurtle into [Internet of Things] and driverless cars that are generating massive amounts of information, more and more we are going to want to do business with people that are good stewards of the information that they collect,” Pflaging said.

The growing data lake of personal information, gathered and then stored out of sight from the contributors, has put additional pressure on businesses to also implement privacy and security policies that consumers can trust. “Although individual items collected may seem fairly benign, the ability to aggregate and store all the amount of data is huge,” Chertoff said. “I do think we’re on the cusp of having some serious conversation about this.”

Ongoing dialogue around corporate security practices and board responsibility has caught the attention of Congress as well. During The Chertoff Group event, one of the advisory firm’s executives pointed out that there are currently 127 pieces of legislation dealing with cybersecurity pending action in the House and Senate. One of those is Senate Bill 536, the “Cybersecurity Disclosure Act of 2017,” which would require publicly traded companies to disclose whether any board member has cybersecurity expertise and would require action by the company if not.

This kind of activity underscores initiatives led by The Chertoff Group and others to open new channels of dialogue between government officials and the technology community. Last fall, The Chertoff Group produced a whitepaper post-election on “Prioritizing Security in the Digital Economy,” summarizing discussions with corporate executives and government officials on dealing with cyber threats.

“The government has tended over the years to develop a very rigid system of procuring, or interacting with, the private sector, and out here in Silicon Valley and other tech centers there’s a lot of focus on being innovative and nimble,” Chertoff stated. “Sometimes those two cultures need to be bridged.”

Source: SiliconAngle, 27 August 2017. Written by Mark Albertson.