The topic of cybersecurity is coming up more and more frequently in my discussions with other fellow corporate directors. It is an indication of the increased concerns with regards to cyber-risk, and of the realisation that directors must play a more active role in cybersecurity oversight. With the growth of damaging cyber incidents, corporate directors understand it is not enough to rely on internal corporate expertise and that they themselves must be better prepared to ask the right questions, be able to understand and to challenge the answers they get on cyber-risks, and contribute significantly to improve its oversight. Staying informed on cybersecurity is a challenge, and an absolute necessity. To that end, I suggest reading two key publications to gain a deeper understanding of current practices in cybersecurity, to learn how to assess the state of a company’s cyber and IT security approaches and to participate in increasing the state of preparedness of companies. I am also sharing with you a tool I developed. It can be found in the tools section of my website at http://www.joseemorin.ca/en-tools/
The framework is a very detailed document targeting readers with some cyber-security understanding. Directors with a less technical background should concentrate on the Framework Core which consists of five concurrent and continuous functions relating to cyber-security practices—Identify, Protect, Detect, Respond, Recover. These 5 functions are the foundation upon which cyber-security policies and procedures should be built. Depending on the risk profile and maturity of the business, all 5 functions or just a few, can be present. Table 2, found in Appendix A of the framework, presents a series of common activities for managing cyber-risks that are found in organisations with a more sophisticated security approach. Directors can use this list of activities to rate the current state of their company’s cyber-security approach. They will find this state to be either at (Tier 1) Partial risk oversight, or (Tier 2) Risk informed, or (Tier 3) Repeatable oversight, or (Tier 4) Adaptive oversight. Appendix A can also be used to by directors to develop relevant questions to ask management, to evaluate their own understanding of security practices and to devise a self-training plan.
This recent handbook is an excellent read from NACD for directors that are concerned with cyber-risk oversight, including directors of small and medium private companies. It does not require as much technical understanding as the NIST Framework. It demonstrates that greater connectivity leads to greater risks for all sizes of business. Malicious organisations are actively looking for different types of information, including employee and customer information, and can use even small and medium business as an entry point into the network of larger business partners. Boards must be aware that no organisation is immune to cyber-criminality. The example of the Chinese menu hack demonstrates the inventiveness and perseverance of criminal minds. The handbook proposes five steps that boards can follow to enhance cyber-security oversight:
- Understand cyber-risks and approach them as enterprise-wide risks
- Understand the legal implications of cyber-risks
- Ensure access to adequate time and expertise to discuss cyber-risks at board meetings
- Set the expectation that management will adopt a framework with appropriate resources and budget
- Make certain to include discussions on which risks to avoid, to accept, to mitigate or to transfer.
I have assisted organisations to improve cyber and IT risk management and lower exposure. As a first step, I have used both publications to develop a list of basic questions I want to see discussed by management in a formal board presentation to gain a common understanding of the state of cybersecurity, to develop a common vision and set priorities. It is a tool adapted to organisation in the early stage of cyber-risk management, and I am happy to share this tool with you. It can be found in the tools section of my website at http://www.joseemorin.ca/en-tools/