In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Security Officers, Chief Information Officers, Chief Risk Officers, and other executives. I recently sat down with James Lam, director at RiskLens and E*TRADE Financial Corp., to discuss Board members’ responsibility when it comes to information security and cyber risk.
The role of the Board is to provide risk governance, independent oversight, and credible challenge on security issues to management. It’s management’s job to measure and manage the risk on a daily basis. There’s a symbiosis to how these two functions should be interacting within an organization.
I generally break this down into five areas where you can drill down and ask relevant questions.
First, look at the cyber-risk landscape and how the organization is impacted by the external environment. What does that threat environment look like? What are the trends in terms of malware, ransomware, or cyber attack patterns? Knowing the trends in your organization’s industry or region is key when putting cyber risk into context.
Second, examine how the organization is doing relative to the threat environment in terms of security. It’s critical that you have independent risk assessments to evaluate your company’s security performance. This can be a security rating, an independent penetration test, or an assessment from your auditors or regulators. No matter what, your business needs an external and independent risk assessment to truly provide a comprehensive picture of your security program.
Third, it’s critical to understand the maturity and effectiveness of your cyber-risk program. Typically, you’ll get reports on this from your CIO or CISO. The maturity of your program can be measured against NIST (the National Institute of Standards and Technology) or another industry or regulatory framework. The effectiveness of your security program comprises a few things: time to detect a cyber incident, time to mitigate specific incidents, and how those metrics compare to industry averages (i.e., benchmarking). How does your BitSight Security Rating compare to your peers and industry average? You may also want to know the behavior of company employees and contractors—did they pass phishing tests (or other company security standards)? These are factors that will help you gain a real sense of cyber-risk maturity and effectiveness (both within your company and externally).
Fourth, it is also imperative to understand the organization’s cyber risk in economic terms: what is my company’s potential financial loss? Cyber risk is of top concern to the Board, but so is strategic risk, financial risk, legal/compliance risk, operational risk, and reputational risk. You, as a Board member, need to understand how cyber risk fits into the ERM (enterprise risk management) equation holistically. With cyber-risk quantification, a company can determine the appropriate security layers and cyber insurance coverage. I have seen the power of risk quantification in every other risk discipline; we are seeing that in cyber. Better measurement leads to better management.
Lastly, you need to understand the actions, strategies, and decisions that management needs to make around cybersecurity. Are they making the right security investments? How is the cyber-risk budget allocated in the areas of prevention, detection, and mitigation? Do we have the appropriate cyber insurance coverage? The Board needs to provide governance, oversight, and challenge to all of these management decisions.
There’s a set of metrics that correspond to each of the areas I’ve discussed previously. When you think about metrics and reporting, they can be broken down by:
The metrics discussed above (both internal metrics like spending as well as external metrics like security ratings or assessments) will give you a sense of your organization’s cyber-risk preparedness. To answer that question, it’s critical to not solely rely on qualitative indicators, like heat maps or assurance from internal IT teams or executives. You need quantitative, objective metrics to truly understand how effective your security program is. A mix of qualitative and quantitative metrics is essential when understanding your cyber-risk preparedness. Don’t rely on someone’s opinion. Rely on performance-based metrics.
Importantly, a cyber breach should be considered a question of when and not if. The Board should ensure a cyber incident response plan is developed, tested, and maintained. This plan should not only protect critical data and systems, but also focus on enhancing business resilience and protecting the customer experience.
NACD is a wealth of information, with a very strong cyber-risk oversight certification program. Outside of them, I would look at academia; Carnegie Mellon University has very robust CERT programs and research. The FAIR Institute has standards on cyber-risk quantification that are widely accepted. I think directors really need to educate themselves from multiple sources.
This blog post was originally published on the NACD BoardTalk blog.