In today’s evolving threat landscape, corporate directors are increasingly asking for security performance updates from Chief Information Security Officers, Chief Information Officers, Chief Risk Officers, and other executives. I recently sat down with James Lam, director at RiskLens and E*TRADE Financial Corp., to discuss Board members’ responsibility when it comes to information security and cyber risk.
As a director, what is my responsibility for cyber-risk oversight?
The role of the Board is to provide risk governance, independent oversight, and credible challenge on security issues to management. It’s management’s job to measure and manage the risk on a daily basis. There’s a symbiosis to how these two functions should be interacting within an organization.
What should I expect from my regular cybersecurity briefing or report?
I generally break this down into five areas where you can drill down and ask relevant questions.
First, look at the cyber-risk landscape and how the organization is impacted by the external environment. What does that threat environment look like? What are the trends in terms of malware, ransomware, or cyber attack patterns? Knowing the trends in your organization’s industry or region is key when putting cyber risk into context.
Second, examine how the organization is doing relative to the threat environment in terms of security. It’s critical that you have independent risk assessments to evaluate your company’s security performance. This can be a security rating, an independent penetration test, or an assessment from your auditors or regulators. No matter what, your business needs an external and independent risk assessment to truly provide a comprehensive picture of your security program.
Third, it’s critical to understand the maturity and effectiveness of your cyber-risk program. Typically, you’ll get reports on this from your CIO or CISO. The maturity of your program can be measured against NIST (the National Institute of Standards and Technology) or another industry or regulatory framework. The effectiveness of your security program consists of a few things: time to detect a cyber incident, time to mitigate specific incidents, and how those metrics compare to industry averages (i.e., benchmarking). How does your Bitsight Security Rating compare to your peers and the industry average? You may also want to know the behavior of company employees and contractors—did they pass phishing tests (or other company security standards)? These are factors that will help you gain a real sense of cyber-risk maturity and effectiveness (both within your company and externally).
Fourth, it is also imperative to understand the organization’s cyber risk in economic terms: what is my company’s potential financial loss? Cyber risk is of top concern to the Board, but so is strategic risk, financial risk, legal/compliance risk, operational risk, and reputational risk. You, as a Board member, need to understand how cyber risk fits into the ERM (enterprise risk management) equation holistically. With cyber-risk quantification, a company can determine the appropriate security layers and cyber insurance coverage. I have seen the power of risk quantification in every other risk discipline; we are seeing that in cyber. Better measurement leads to better management.
Lastly, you need to understand the actions, strategies, and decisions that management needs to make around cybersecurity. Are they making the right security investments? How is the cyber-risk budget allocated in the areas of prevention, detection, and mitigation? Do we have the appropriate cyber insurance coverage? The Board needs to provide governance, oversight, and challenge to all of these management decisions.
What metrics should I be looking for in my cybersecurity briefing?
There’s a set of metrics that correspond to each of the areas I’ve discussed previously. When you think about metrics and reporting, they can be broken down by:
- In terms of the cyber-risk landscape, you want to look at global cybersecurity trends, cybercrime costs, and reported attacks and breaches (broken down globally, by region, or by industry). You could also examine trends provided by the ISAC (Information Sharing and Analysis Center) that is related to your industry. If you have a security clearance, you can tap into the intelligence community’s chatter, as well as the dark web.
- With independent security assessments, you can look at the security rating for your organization, the security rating of your critical third parties, and the results of penetration testing or other security assessments done by an independent party.
- To understand the maturity and effectiveness of your security program, you can benchmark this against the NIST framework. You can also look at basic hygiene metrics, critical systems downtime and recovery, and time to detect and mitigate cyber-incidents.
- For cyber-risk quantification (in economic terms), you can look at the value of your organization’s digital assets (i.e., crown jewels), the probability of a breach, the potential loss in the event of a breach, and the cost of regulatory compliance (as with GDPR).
- For the oversight of business decisions, look at your overall cybersecurity budget, its percentage of the information technology (IT) budget, the cost of cyber insurance, and the return on investment from your new and existing cybersecurity controls.
How do I know if our business is “prepared”?
The metrics discussed above (both internal metrics like spending as well as external metrics like security ratings or assessments) will give you a sense of your organization’s cyber-risk preparedness. To answer that question, it’s critical not to rely solely on qualitative indicators, like heat maps or assurance from internal IT teams or executives. You need quantitative, objective metrics to truly understand how effective your security program is. A mix of qualitative and quantitative metrics is essential when understanding your cyber-risk preparedness. Don’t rely on someone’s opinion. Rely on performance-based metrics.
Importantly, a cyber breach should be considered a question of when and not if. The Board should ensure a cyber incident response plan is developed, tested, and maintained. This plan should not only protect critical data and systems, but also focus on enhancing business resilience and protecting the customer experience.
Are there other materials designed for Board members that I should be reading?
NACD is a wealth of information, with a very strong cyber-risk oversight certification program. Outside of them, I would look at academia: Carnegie Mellon University has very robust CERT programs and research. The FAIR Institute has standards on cyber-risk quantification that are widely accepted. I think directors really need to educate themselves from multiple sources.
This blog post was originally published on the NACD BoardTalk blog.