This is the part of every blog post where the author lists the latest breach or published vulnerability to get your attention and then ominously intones in a serious voice that there is more coming. Yeah, we get it. But, who is the audience?
It’s not a question of them not understanding or not caring, it’s just not the most critical risk to business operations. For example, if you work in manufacturing, then access to a steady, quality supply of materials could be more important than ransomware affecting manufacturing.
The Government is coming! The US Government has officially waded into this breach reporting and response world as well. For the most part, it’s still primarily around data collection. The U.S. Congress passed a law that requires critical infrastructure entities to report material cybersecurity incidents within 72 hours and ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA). TSA has gone a little further with prescriptive mitigations in a classified directive. Beyond critical infrastructure, the FTC has highlighted its role under the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, noting that organizations have a duty to take reasonable steps to mitigate known vulnerabilities. It issued a statement urging companies to act or face FTC legal action (1). And the SEC has proposed a rule, currently open for a period of comment, which would require disclosure within 4 business days after a company has determined that it has experienced a material cybersecurity incident (2).
The Board. A company’s board of directors (Board) is where priorities are set. The Board’s key purpose "is to ensure the company's prosperity by collectively directing the company's affairs, while meeting the appropriate interests of its shareholders and relevant stakeholders" (3). The macro-environment, beyond the above noted government involvement, has increased the prominence of cybersecurity in company risk planning already and potentially it could become the fourth part of ESG (Environment, Social, and Governance) as digital and the real world continue to converge. In 2020, 9% of Boards had a dedicated committee for cybersecurity (Gartner projects this will quadruple by 2025) (4).
That can seem like a lot, but dedicated Board committees don’t have to be a permanent component. A company could create a dedicated committee on cybersecurity risk for a finite time or on a project basis. Leveraging temporary resources could be a way for an organization to respond to the increased cyber regulations, for example. A temporary committee can give the Board a focused way to educate itself on the issues and potential risks to the organization, including the current portfolio: the people, process, and technology investments in its cybersecurity posture.
The Board is ultimately responsible for risk management within the organization. Yes, hopefully, you have a CISO (and if not, there is still a default contact for security), but they’re the execution level and you may be surprised what challenges they face. Risk, its management and tolerance, lies with the Board.
The key to risk is being able to appropriately put it in the proper business context to prioritize mitigation. While this sounds simple, it starts with understanding how organizational assets are used to support business processes and identifying the relationships between multiple assets. Security typically depends on the IT function to maintain an accurate Configuration Management Database, but who is providing the relational value? The business struggles to explain it because the technology can be complicated or abstracted to them while the tech side of the house can only guess at what it means. This is where the Board-level committee steps in, working with the CISO (or similarly situated company contacts) to distill this information, place it within the appropriate risk context, and direct the mitigation priorities. Articulating a breach risk and response direction is no longer just a priority for meeting the Board’s responsibilities to shareholders, it’s quickly becoming a regulatory requirement as well.
Through reality and regulation, I believe there will be more attention on cybersecurity risk at the Board level. The days of throwing money at the black box of IT are over. With this attention (and resources) will come an increase in demand for transparency, and proof that investments in security are prioritized according to the company’s unique risk profile.
(3) Standards for the Board, Institute of Directors