Though cybersecurity can seem impenetrable to many corporate directors because of the jargon and the technical slant put on discussions, like everything else it often boils down to good management practices, regular risk assessment and oversight leadership by the board.
A recent talk by PWC, given at a governance short course I attended, exemplified this fact. It highlighted the top 10 mistakes found in companies that were victims of cyber criminals. When I analysed the source of those errors from a board risk oversight perspective, I concluded that there are two initiatives that a board can take to have safer cyber environments: making certain that IT is not working in silos on cybersecurity and ensuring that the right procedures are in place and respected to mitigate risks.
Making certain that IT is not working in silos
The board can take steps to make certain that business and technology personnel are working together in cybersecurity planning. Business strategy and cybersecurity strategy need to be linked. IT personnel are often not aware of which IT systems have the most impact on the business, what consequences new strategies will have on the infrastructure, or which data assets are most essential to business success and should be better protected.
There are steps the board can take to break those silos. Boards can meet with the Chief Information Officer regularly to discuss strategies and ask what their concerns are regarding cyber attacks. They can ask for regular reports on emerging cyber threats in the industry and what plans are in place to counter those threats. They can request a report on how business systems, software and data assets map onto the IT infrastructure, with the systems most critical to the business highlighted.
Ensuring the proper procedures are in place and respected to mitigate risk
The source of mistakes leading to poor cybersecurity is often that the right procedures are not in place or are not respected. Frequent faults are: not having regular external testing and audits of the IT infrastructure; not having standard basic processes in place, such as promptly applying security patches; spending too much time on prevention and not enough on detection; not doing proper due diligence before using third parties, cloud-based servers for example; not having effective response plans in place for when a cyber attack succeeds; and not reacting immediately to newly known deficiencies.
These procedures look simple enough that you would expect most businesses to have them in place. There are numerous recent examples that prove otherwise. After hackers infiltrated systems at the NRC, the whole online side of NRC services was shut down for a number of weeks and companies had to submit claims on paper, a possible example of a missing what-if plan. The recent "email from the president" fraud, where an email appears to come from a senior executive asking for a transfer of funds, is an example where systems were hacked to find the information needed to carry out the fraud and the business was not aware of the breach.
Boards can play a role in ensuring that proper processes and procedures are in place and respected. They should ask for a presentation on key cyber safety processes and procedures. They can ask what processes are followed to perform third-party risk assessment, shared assessment being an example of a solid independent process. They can review how new threat information is disseminated inside the company to the people who could be impacted by or implicated in those threats. They can ask management to develop a set of cybersecurity indicators that the board can follow.
Cybersecurity and cyber risks are on the top 10 list of topics for many public company boards in 2015. The mere fact that boards raise the topic of cybersecurity at their meetings will have a positive impact on cyber risk mitigation. Boards should not be shy about asking questions and demanding clear answers, as cybersecurity is not so different from other risk management topics.
Published on LinkedIn, May 10, 2015.