27 Jul. 2015
By R. William “Bill” Ide III and Amanda Leech, Dentons Governance Center
With the ever-present reality of cybersecurity breaches, there has been a tendency in board governance literature to treat cybersecurity risks differently than other risks facing the organization. In practice, however, boards have long been tasked with protecting their company from significant risks.
While cybersecurity may appear to be a daunting new risk to many board members, the long-established, tried-and-true board governance approach to risk oversight described here works well and should be applied to cybersecurity risk. Board duties generally fall within six categories: (i) governance, (ii) strategy, (iii) risk, (iv) talent, (v) compliance and (vi) culture. With respect to cybersecurity, the board's duties in each of these categories play a critical role in effective oversight of a company's cybersecurity program.
Every director should have a general understanding of cybersecurity risk and what it means for their oversight responsibilities. While the basic business-judgment obligations of directors are the same for this emerging area of risk, cybersecurity itself is a dynamic and complex subject.
The purpose of this Guide is to provide a "plain English" review to help directors and senior managers carry out their cybersecurity oversight duties, including cyber strategy development and governance. Effective oversight in this area can be the difference between (i) "learning the hard way" and incurring significant damages, and (ii) successfully mitigating the damages that frequently accompany a significant breach.
While this Guide is written for boards of directors, the fiduciary principles of oversight apply to senior management as well. Senior management also delegates and oversees, but at a more granular level than the board. In the end, senior managers should follow the principles of this Guide to ensure their own proper oversight, while also ensuring that sufficient processes and controls are in place for the board to be assured that cyber risks are identified and managed well.
Cybersecurity Oversight: Role of the Board

For company management and boards of directors, Target, Sony and the record number of other incursions demonstrate that cybersecurity risk is as significant as the other critical strategic, operational, financial and compliance risks under boards' purview. Since the passage of the Sarbanes-Oxley Act of 2002, the Delaware courts have repeatedly broadened the proactive oversight duties of independent directors in areas of material impact on shareholder value such as risk, compliance and executive compensation. Just as boards are charged with overseeing a company's financial systems and controls, they also have a duty to oversee a company's management of cybersecurity, including oversight of appropriate risk mitigation strategies, systems, processes and controls. Without effective oversight and accountability, an organization's cybersecurity governance systems, policies and procedures can be rendered meaningless, leaving the enterprise vulnerable to attack. In today's world of continually reported material data breaches, boards cannot claim lack of awareness as a defense to allegations of oversight failures. Regulators and shareholders are increasingly demanding more evidence of director attentiveness to cyber risk. As the Target breach demonstrated, a breach can result in calls for director removal, and even if directors are re-elected, the board and the company will likely face numerous shareholder derivative and class action lawsuits.
Cybersecurity Governance

The first question for the board is: who owns management of the cybersecurity risk at the board level and at the management level?
Typically, boards delegate cybersecurity oversight to the audit committee — or to the risk committee if one is part of the board’s governance structure — for a more concentrated review, with periodic reports to the full board. Others approach cybersecurity as a matter to be overseen by the full board.
Company size, industry and existing board risk management structures will dictate the best approach. For the foreseeable future, cybersecurity will require considerable attention by boards working with management, internal audit, enterprise risk management (ERM) and cybersecurity experts, as the threats continue to evolve and the total enterprise seeks to adjust; processes, systems and controls must remain fluid for the same reason. At the management level, the CEO is ultimately accountable to the board for management of the cybersecurity risk. Often, a CEO looks to the business information technology (IT) function or, in larger organizations, a chief information security officer (CISO) to interface with the board and hold accountability for cybersecurity risk management.
That approach builds on a technology knowledge base, but the major challenge is governance of the total enterprise, which requires established management skills: communication, project management, behavioral science and command presence.
Technical solutions are one piece of managing the risk, but as the following chart shows, every function in the enterprise has a role to play, and for success the business units must own and embrace cybersecurity as a priority. The tension between a decentralized business model and cybersecurity's need for centralization requires high-level management attention and, if needed, resolution by senior management. Decentralization favors local decision making by the business; cybersecurity, on the other hand, must be centralized by its nature and at times must override local business unit decisions. Accordingly, IT or, if there is one, the CISO should report to a senior management member who can oversee the enterprise's cybersecurity program decision making and to whom the board can look as accountable for cybersecurity.

Cybersecurity Strategy & Risk Oversight

Too often, IT presents boards with cybersecurity reports that are technical and lack an enterprise-wide strategic overlay. For effective oversight, boards should hold senior management accountable for ensuring that a clear and concise cybersecurity strategy, understandable in nontechnical terms, is in place, along with systems and controls to monitor its implementation. This requires regular dialogue between the board and management and the sharing of accurate and useful information, including metrics to track performance and provide accountability.
Most importantly, a concise, high-level, "plain English" cybersecurity strategic plan must be agreed to by the board and senior management.

Risk Based Strategy

From a castle-and-moat, "keep the bad guys out" prevention-based approach, cybersecurity strategy has evolved to a risk-based approach. Because a perimeter defense cannot provide complete protection, the risk-based approach focuses instead on prioritizing and protecting identified "crown jewels" (third-party information, intellectual property and critical process control networks are examples). Risk-based defense includes detecting and responding to intruders before the additional protections around the crown jewels can be compromised, while also stopping them before they inflict other forms of disruptive and reputational damage, as in the Sony breach. While perimeter defenses remain essential for deterring less sophisticated attacks, effective cyber strategies now allocate security resources around a company's information and processes, with additional layers of protection around the most valuable assets. Tomorrow, new technologies and techniques may require further shifts in strategy.
Boards should regularly seek independent third-party reviews of strategic best practices for companies of similar industry, size and risk profile.

Risk Prioritization

This key part of strategy begins with identification and prioritization of cyber risks. Cybersecurity resources are finite, so the strategy should focus on the most material cyber risks, considering both the likelihood that each risk is realized and the harm if it is. To facilitate this prioritization, many companies maintain a risk register of material cyber risks: a central repository for all risks identified by the company, including the data, locations, access points, security devices and other related information. The risk prioritization process should precede the budget and resource allocation process to assure alignment between resources and risks.
Ranking risks and determining which to accept, mitigate or transfer is a substantial undertaking, and its effectiveness depends on the quality of the information and the knowledge of the individuals who make the recommendations. Board members must be assured that every function in the company has been solicited to contribute to the strategy's development. In particular, those responsible for law, privacy, physical security and crisis management response need to be an integral part of the input to the strategy.
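As an added illustration (example code written for this edit, not part of the Guide and not the authors' method), the following Python script ranks a small constructed risk register by likelihood and impact and recommends accept, mitigate or transfer for each entry. The 1-to-5 scales, the risk-appetite threshold of 6, the treatment rule and the register entries are assumptions chosen for the example; a real register would use the company's own scales and appetite.

```python
"""Risk-register prioritisation: added illustration, not from the Guide.

Scores are constructed for the example; the 1-5 scales, the risk-appetite
threshold and the treatment rule are assumptions, not NIST or Dentons guidance.
"""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str                # what could go wrong
    asset: str               # the "crown jewel" or process exposed
    likelihood: int          # 1 (rare) .. 5 (near certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (existential), assumed scale
    owner: str               # business function accountable for the risk
    insurable: bool = False  # can the residual loss be transferred?

    @property
    def score(self) -> int:
        # Plain likelihood x impact; many registers weight impact more heavily.
        return self.likelihood * self.impact


def treatment(risk: Risk, appetite: int) -> str:
    """Recommend accept / transfer / mitigate for one risk.

    Rule (an assumption for this example):
      - at or below appetite: accept and monitor
      - high impact but unlikely, and insurable: transfer (cyber insurance)
      - otherwise: mitigate with controls
    """
    if risk.score <= appetite:
        return "accept"
    if risk.insurable and risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"
    return "mitigate"


def prioritize(register: list[Risk], appetite: int = 6) -> list[dict]:
    """Return the register ranked highest score first, with a treatment each.

    Ties are broken on impact so that a low-probability catastrophe outranks a
    frequent nuisance with the same product. The output is what a board would
    see before the budget is set, so that resources follow the ranking.
    """
    ranked = sorted(register, key=lambda r: (r.score, r.impact), reverse=True)
    return [
        {
            "rank": i,
            "risk": r.name,
            "asset": r.asset,
            "owner": r.owner,
            "score": r.score,
            "treatment": treatment(r, appetite),
        }
        for i, r in enumerate(ranked, start=1)
    ]


# Constructed register entries for the example (not a real company's data).
SAMPLE_REGISTER = [
    Risk("Third-party payment processor breach", "customer card data", 3, 5, "Procurement", insurable=True),
    Risk("Phishing leads to workstation compromise", "corporate email", 5, 3, "IT"),
    Risk("Ransomware on plant control network", "process control network", 2, 5, "Operations", insurable=True),
    Risk("Engineer leaves with design files", "intellectual property", 3, 4, "HR / Legal"),
    Risk("Defaced marketing site", "public website", 4, 1, "Marketing"),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f"{row['rank']}. {row['risk']:<45} score={row['score']:>2} -> {row['treatment']}")
```

Because the ranking is computed before any budget is attached, the output is the artifact management can bring to the board to show that resources will follow the ranked risks. The scores should be revisited whenever a control changes the likelihood or impact they were based on, otherwise the register drifts away from the program it is meant to steer.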
Many industries will have specific regulatory concerns that must be woven into the strategy. As part of the risk prioritization process, senior management should provide detailed recommendations about the plan to the board, including identification of the risks to be accepted, mitigated or transferred (through cyber insurance).

Strategy Best Practices and Standards

Cyber risk has escalated so rapidly, and so publicly, that entities everywhere are scrambling to regain ground and keep up with the evolving cyber threat. Governments, regulators, industries, companies and thought leaders alike are looking for the right approach, or approaches, to address this complex and dynamic issue. So it is no surprise that cybersecurity strategy best practices, standards and public policies are still very fluid and multiplying rapidly.
It is unclear today which standards will come to be viewed as best practice and whether they will vary by industry and company size. Boards and management should agree on the best approach for their company. For purposes of illustration, the discussion below assumes that the NIST framework, described next, is the right approach.
In February 2014, in response to Executive Order 13636, the National Institute of Standards and Technology (NIST) released its Framework for Improving Critical Infrastructure Cybersecurity, a set of industry standards and best practices for cybersecurity risk management. The NIST Cybersecurity Framework was developed as a voluntary framework to reduce cyber risks to critical infrastructure, and incorporates globally accepted technical standards, guidelines and practices, including ISO 27001, ISA 62443 and COBIT 5, among others. The Framework includes five functions that together can comprise the foundation of a cybersecurity risk strategy for any enterprise:
- Identify — Develop an organizational understanding of the overall cyber risk context, including asset management (systems, data, hardware, devices, communication flows), business environment (prioritization of risks, objectives and activities) and governance (every part of the enterprise must know its role and be accountable). In other words, what are the assets and activities that could be harmed, and in what ways?
- Protect — Deploy safeguards to prevent intrusions, including access control, awareness and training, data security, information protection processes, maintenance and protective technology.
- Detect — Enable timely discovery of a cybersecurity breach, limiting the harm from intrusions through detection of anomalies and events, continuous security monitoring and defined detection processes.
- Respond — Implement plans and activities to contain any damage resulting from a cybersecurity breach, through comprehensive crisis management and incident response planning that is exercised in tabletop drills.
- Recover — Develop plans and activities to resume normal operations following a cybersecurity event, including post-event mitigation and lessons learned.
As an initial matter, the company should develop a detailed plan highlighting gaps between current practices and best practices, in each of the above functions along with concrete steps for remediation. High priority should be given to implementing a robust Incident Response Plan to minimize damages from breaches. In addition to any required remediation, the board should monitor development of the complete cybersecurity strategy, beginning with risk prioritization, as well as the program’s effectiveness.
There are two major activities to monitor: (i) the build-out and installation of the strategic plan and (ii) the effectiveness of the plan (is it working well?). The use of dashboards to monitor both installation and effectiveness is essential for meaningful board oversight of cybersecurity strategy.

Dashboards

With respect to cybersecurity, effective dashboards should be carefully tailored to meet the needs of the company and its board.
As a result, creating a dashboard requires input from both management and the board. In general, the trend with respect to cybersecurity dashboards is a bifurcated approach, where maturity and overall effectiveness are monitored on separate dashboards. The maturity dashboard presents metrics that depict the maturity of the company's cybersecurity program. At its most basic, this dashboard can simply be an assessment of the company's cybersecurity strategy against the five NIST functions detailed above. The NIST Framework describes implementation maturity in four Tiers: (1) Partial, (2) Risk Informed, (3) Repeatable and (4) Adaptive. NIST defines the Tiers as a characterization of the organization's risk management practices as a whole, but rating each of the five functions on the same scale is a practical way to show the board where the program is uneven. For companies that have previously identified weaknesses in their cybersecurity program and begun remediation, the maturity dashboard should also include metrics that allow the board to monitor the progress of those improvement efforts. Examples of maturity and effectiveness dashboards that can be modified to the particular dynamics of industry and size follow:
In contrast to the maturity dashboard, which presents a comprehensive picture of the implementation of the company's cybersecurity program, the effectiveness dashboard provides metrics that allow the board to ascertain how well the program is working. It generally focuses on threat assessment, threat detection, remediation metrics and recovery metrics. Some boards also request protection-related metrics while the program is maturing; as protection efforts become consistent, however, these metrics have limited usefulness. The effectiveness dashboard is most useful when it provides numerical metrics rather than high-level conclusory determinations based on underlying numbers not provided to the board. An example of an end-of-quarter effectiveness dashboard that could be modified to industry and size follows:
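The following Python is an added example, written for this edit rather than taken from the Guide or its authors, of computing end-of-quarter effectiveness metrics of the kind the paragraph describes: detections by source, time to detect, contain and recover, and critical-vulnerability remediation against an SLA. The incident and vulnerability records are constructed, and the field names, the 30-day SLA and the metric definitions are assumptions.

```python
"""Quarterly effectiveness-dashboard metrics: added illustration, not from the Guide.

The incident and vulnerability records below are constructed for the example;
field names, the SLA and the metric definitions are assumptions, not a standard.
"""
from datetime import datetime, timedelta
from statistics import median

FMT = "%Y-%m-%d %H:%M"


def _t(s: str) -> datetime:
    return datetime.strptime(s, FMT)


# Constructed incident records for one quarter. "detected_by" records who
# noticed first; "compromise" is the best estimate of when the attacker got in.
INCIDENTS = [
    {"id": "INC-1", "severity": "high",   "detected_by": "siem",
     "compromise": "2015-04-02 09:00", "detected": "2015-04-02 12:00",
     "contained": "2015-04-02 16:00", "recovered": "2015-04-03 09:00"},
    {"id": "INC-2", "severity": "medium", "detected_by": "user_report",
     "compromise": "2015-04-20 08:00", "detected": "2015-04-23 08:00",
     "contained": "2015-04-23 14:00", "recovered": "2015-04-24 08:00"},
    {"id": "INC-3", "severity": "high",   "detected_by": "third_party",
     "compromise": "2015-05-01 00:00", "detected": "2015-05-15 10:00",
     "contained": "2015-05-16 10:00", "recovered": "2015-05-20 10:00"},
    {"id": "INC-4", "severity": "low",    "detected_by": "siem",
     "compromise": "2015-06-10 13:00", "detected": "2015-06-10 13:05",
     "contained": "2015-06-10 13:30", "recovered": "2015-06-10 14:00"},
]

# Constructed vulnerability records: critical findings and when they were fixed.
VULNS = [
    {"id": "V-1", "found": "2015-04-05", "fixed": "2015-04-12"},
    {"id": "V-2", "found": "2015-04-28", "fixed": "2015-06-01"},
    {"id": "V-3", "found": "2015-05-10", "fixed": "2015-05-20"},
    {"id": "V-4", "found": "2015-06-15", "fixed": None},   # still open at quarter end
]

CRITICAL_SLA = timedelta(days=30)   # assumed remediation SLA for critical findings


def hours(a: str, b: str) -> float:
    """Elapsed hours between two timestamps in FMT."""
    return (_t(b) - _t(a)).total_seconds() / 3600


def effectiveness(incidents, vulns, quarter_end: str) -> dict:
    """Numbers a board can read directly, rather than a green/amber/red verdict."""
    qe = datetime.strptime(quarter_end, "%Y-%m-%d")
    by_source = {}
    for inc in incidents:
        by_source[inc["detected_by"]] = by_source.get(inc["detected_by"], 0) + 1

    dwell = [hours(i["compromise"], i["detected"]) for i in incidents]
    contain = [hours(i["detected"], i["contained"]) for i in incidents]
    recover = [hours(i["contained"], i["recovered"]) for i in incidents]

    # A critical finding is "within SLA" if fixed inside the window; an open one
    # counts as breached only once the window has already passed at quarter end.
    within = breached = 0
    for v in vulns:
        found = datetime.strptime(v["found"], "%Y-%m-%d")
        if v["fixed"] is None:
            if qe - found > CRITICAL_SLA:
                breached += 1
        elif datetime.strptime(v["fixed"], "%Y-%m-%d") - found <= CRITICAL_SLA:
            within += 1
        else:
            breached += 1

    return {
        "incidents": len(incidents),
        "high_severity": sum(1 for i in incidents if i["severity"] == "high"),
        "detections_by_source": by_source,
        # Share found by the company's own monitoring rather than by users or outsiders.
        "internal_detection_rate": round(by_source.get("siem", 0) / len(incidents), 2),
        "median_hours_to_detect": round(median(dwell), 1),
        "median_hours_to_contain": round(median(contain), 1),
        "median_hours_to_recover": round(median(recover), 1),
        "critical_vulns_within_sla": within,
        "critical_vulns_breached_sla": breached,
        "critical_vulns_open": sum(1 for v in vulns if v["fixed"] is None),
    }


if __name__ == "__main__":
    for k, v in effectiveness(INCIDENTS, VULNS, "2015-06-30").items():
        print(f"{k:<28} {v}")
```

Reporting medians rather than averages keeps one long-dwelling intrusion such as INC-3 from masking the typical case, and the share of incidents found by the company's own monitoring, rather than by users or outsiders, directly measures the Detect function that the maturity dashboard only rates.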
While it is management's responsibility to develop and implement the cybersecurity strategy, and boards should not micromanage, boards have an obligation to retain the prerogative to fully understand the company's risk exposures. When a board finds itself in need of additional information about a particular issue, it can engage in a deep dive. Similarly, if a board observes a large number of stakeholders raising the same cybersecurity concern, or if management faces delays in implementing a particular aspect of the strategy, the board can use a deep dive to assure proper management of the identified risk area. While boards should generally stay focused on the macro and defer to management on the micro, as noted above, there are times when they should be more deeply involved in the tactics and implementation of strategy (e.g., in the event of a material cyber incident). On these occasions especially, good communication and leadership are critical for maintaining trust between management and the board.
Talent

A major responsibility of a board is to ensure the company has the right talent to accomplish its goals. Selection, evaluation and compensation of the CEO is the major task. However, the board's ensuring that the right skills and experience are brought to bear in managing a major risk such as cybersecurity is also important.
Following the departure of Target’s CEO, much was made of the fact that the company did not have a Chief Information Security Officer (CISO) or Chief Security Officer (CSO).
A key area of board oversight is ensuring that the company’s organizational structure is aligned behind its strategy, and that management has the skills and experience to execute the strategy. Historically, the business information technology function (IT) has been primarily a technology provider, charged with delivering top quality data, internet connectivity, hardware, software and other technologies to business units.
Many companies also allowed business units to use third-party technologies. After decades in which enterprises became totally dependent on IT for the flow of information, the cyber threat has developed into something far more dangerous than previously anticipated. Nevertheless, many companies that relied on the IT function for cyber risk management continued to do so without considering that the threat had grown exponentially beyond a question of technology.
As cyber threats have continued to escalate, it is increasingly unrealistic to expect that IT alone is able to provide adequate protection against cyber risks. Cyber risks should be managed through the lens of the entire enterprise. History demonstrates that “viewing data breaches as a ‘technical issue’ is a recipe for failure.” While IT will likely always have a major role in cyber risk mitigation, there are significant differences in the skills and goals of the IT and information security (IT Security) functions. More and more enterprises are appointing a CISO to lead cybersecurity.
While the CISO must honor and reinforce the business-support mission of IT, his or her highest responsibility is prioritizing security measures to mitigate cyber risk. Further, the CISO must have a national-security outlook, including awareness of "tail risks" and "black swans". It will be rare for a CISO to have the business operations, project management, communications and C-suite skills that would eliminate the need for a senior management member to oversee the CISO on behalf of the CEO and the board. Distinguishing responsibility for the delivery of IT from responsibility for IT security is an important governance step. Assuring cyber risk management throughout the full enterprise, beyond IT, raises other governance dynamics.
The cyber threat involves information in the hands of suppliers and other third parties beyond the purview of IT, where procurement and legal experts must be involved. Dealing with the significant insider risk, and with pressure from the business to compromise on security, is also beyond the scope of IT.
Further, limiting oversight to IT can restrict the budget, influence and authority required to manage cyber risk effectively, which places the whole company at greater risk. The risk-reward considerations for cybersecurity management are so significant that senior management must be in charge of the process. In addition, “deferring responsibility to IT inhibits critical analysis and communication about security issues, and hampers the implementation of effective security strategies.”
In the end, senior management must lead cyber risk decisions so the appropriate cybersecurity strategy can be effectively implemented and monitored throughout the enterprise, with effective oversight by the board. In addition to management skills and experiences to address cyber risk, some advocate assuring such skills and experience at the board level. As noted previously, cyber security is primarily a governance challenge beyond IT. A CEO whose company manages cyber security well would bring to another board valuable insights and experiences. The right IT technologist could be a positive contribution to a board, but for most industries that would not be necessary.
Compliance

In general, boards rely on the general counsel, internal audit and ERM, among other functions, to provide independent risk assessments and to confirm that risk management processes are in place. For the foreseeable future, cyber risks are potentially more consequential than other enterprise-significant risks. It is important that the general counsel, internal audit and ERM give cybersecurity a high priority.
Boards should undertake regular, proactive discussions with these functions to ensure their leaders recognize that cyber risk is dynamic and requires continuous external screening for new forms of threat mitigation.
For example, internal audit can no longer focus solely on perimeter defense controls without also considering risk-based controls. Likewise, ERM should monitor and screen externally for new forms of cyber risk, aware that some cyber risks are qualitative and difficult to measure. Increasingly, cybersecurity is becoming a legal and regulatory area where the general counsel's lead on assuring disclosures, a full understanding of legal risks and adequate crisis management plans will be critical. For independent verification of the status of the company's cybersecurity program, the board should strongly consider authorizing an ethical hacking program.
Ethical hacking (penetration testing) is designed to uncover vulnerabilities, and is conducted internally or by an external contractor under a written scope and rules of engagement agreed with management and counsel beforehand. Few companies receive pristine reports from ethical hacking. While the greatest value comes from leveraging findings across the enterprise to remediate the vulnerabilities found, the activity also has important awareness-raising value for internal audit, ERM and the board.
Finally, internal audit and the general counsel should periodically commission a third party cybersecurity strategy and governance review to assure that the company is keeping pace with best practices and that the picture presented to the board is verified as accurate.
Culture

Cyber risks should be managed through the lens of the entire enterprise. Every employee has a role to play, and a top-down culture of cybersecurity is essential for containing and managing this evolving risk. Studies show that employee lapses are the major enablers of cyber intrusions.
A strong culture of inspiration and accountability is the best preventive against threats from misinformed, inattentive or malicious employees. Peter Drucker is credited with saying, "Culture eats strategy for breakfast." He might have added that it also feeds on policies, systems and controls, which are only as effective as the culture of the organization in which they exist. With regard to cybersecurity, the culture either supports and reinforces policies, systems and controls, or it overrides and undermines them. It is essential that all employees, without exception, understand that each of them has a role and an obligation, of equal importance, in protecting the enterprise from cyber intrusions. They must feel empowered to act on it.
Cybersecurity, like all major risks, requires a culture of accountability, collaboration and continuous education and training, with all efforts geared toward supporting the strategy and mitigating cyber risk. Creating that culture drives individual awareness and acceptance of the strategy, shared commitment to its implementation and, ultimately, cyber risk mitigation.
All of this starts with a “tone at the top” from the board and senior management. For values and behavior to permeate the organization, the highest levels of the enterprise must lead by example. If a board member or C Suite member is cavalier about passwords or phishing, that will soon be known throughout an organization. Cybersecurity requires all at the top to live in a glass house.
Bill Ide and Amanda Leech are Members of the Dentons Governance Center, and the Guide is based upon their work with and service on public company boards. Dentons Governance Center colleagues Joseph Blanco and Crystal Clark made substantial contributions to this Guide.

Notes

1. The International Organization for Standardization's ISO 27001 has been an international information security management standard since 2005. In 2011, the SEC issued interpretive guidance on companies' disclosure obligations regarding cybersecurity risks and material breaches, and has prioritized information sharing about cybersecurity practices and incidents. In 2014, the FTC asserted itself as the Federal government's principal cybersecurity regulator through a series of enforcement actions requiring companies to take "reasonable" cybersecurity measures. And in January 2015, the Obama Administration proposed new cybersecurity legislation to address online fraud and data breaches. Similar activities are taking place at the state level and in Congress. While this is far from an exhaustive summary, as long as the cyber threat continues, it is reasonable to assume that legislators and regulators will continue to respond with new policy proposals.
2. Brian Krebs, "The Target Breach, By the Numbers," Krebs on Security, May 6, 2014, http://krebsonsecurity.com/2014/05/the-target-breach-by-the-numbers/
3. Online Trust Alliance, 2014 Data Protection & Breach Readiness Guide 4 (2014).
4. National Association of Corporate Directors, Cyber-Risk Oversight Handbook 7 (2014).
5. Bill Aulet, "Culture Eats Strategy For Breakfast," Techcrunch.com, April 12, 2014, http://techcrunch.com/2014/04/12/culture-eats-strategy-for-breakfast/