It’s just a matter of time until hostile actors figure out how to circumvent any new technology developed by cybersecurity specialists. Moving to the next level of safeguarding our organizations will require new leadership techniques. This demands the development of innovative methods for Boards of Directors (BODs) to carry out their fiduciary responsibilities to shareholders, as well as their supervisory responsibility for controlling company risk. Directors may no longer simply defer cybersecurity supervision to operations managers. They must be competent leaders who emphasize cybersecurity and show personal commitment. Many directors are aware of this, but they continue to seek guidance on how to proceed.
Five things directors need to know about cybersecurity.
1. Cybersecurity is about more than protecting data.
In the “good old days,” defending enterprises from cyber events was largely viewed as a matter of data protection. Company executives thought in terms of leaked personal information, stolen client lists, and fraudulently used credit cards. These are still problems, but cybersecurity is about more than simply data protection. As we’ve digitized our processes and operations, linked our industrial complexes to control systems that allow remote monitoring of huge equipment, and linked our supply chains to automated ordering and fulfillment procedures, cybersecurity has taken on a far larger role in our threat picture. Inadequate oversight can cost far more than fines for failing to safeguard data properly. Directors must have a clear understanding of the cyber-physical and cyber-digital dangers that their firms confront.
2. The BODs must be knowledgeable participants in cybersecurity oversight.
It is the BOD’s responsibility to ensure that the company has a strategy and is as prepared as possible. Writing the plan itself is not the board’s duty. There are several frameworks available to assist organizations with their cybersecurity strategy. The NIST Cybersecurity Framework, for example, was created by the United States National Institute of Standards and Technology (NIST). It is straightforward and gives executives and directors a strong framework for considering the critical areas of cybersecurity, yet it also has several levels of detail that cyber experts can use to implement controls, processes, and procedures. Effective implementation of the NIST framework can prepare an organization for a cyberattack and prevent the harmful aftereffects of an assault.
The NIST framework has five areas: identify, protect, detect, respond, and recover. Organizations that are well prepared for a cyber incident have documented plans for each of these areas, have shared those plans with leaders, and have practiced the actions to be taken so that the response is muscle memory in a breach situation.
3. Boards must focus on risk, reputation, and business continuity.
The primary triad of aims for cybersecurity staff when developing policies and procedures is to protect the confidentiality, integrity, and availability of both systems and data (the “CIA” of cybersecurity). That conversation is necessary, but it is considerably different from one about the BOD’s primary concerns of risk, reputation, and business continuity.
While the board tends to strategize about ways to manage business risks, cybersecurity professionals concentrate their efforts at the technical, organizational, and operational levels. The languages used to manage the business and manage cybersecurity are different, and this might obscure both the understanding of the real risk and the best approach to address the risk. Perhaps because cybersecurity is a rather complex, technical field, the board might not be fully aware of cyber risks and the necessary protective measures that need to be taken. But there are actionable approaches to address this.
Directors are not required to be cyber specialists (although having one on the board is a good idea). The gap between the BOD’s position and the cybersecurity specialists’ job can be bridged by concentrating on shared goals such as organizational safety and operational stability. The first step is to establish clear, consistent communication in order to exchange relevant and objective measurements of information, system controls, and human behaviors. A second is to benchmark the company against current best practices and procedures for cybersecurity risk management in order to identify areas of strength and areas of need. A third approach to bridging the gap is for directors to ask meaningful questions of their cybersecurity executives.
4. The prevailing approach to cybersecurity is defense-in-depth.
A series of layered protective measures can safeguard valuable information and sensitive data because a failure in one defensive mechanism can be backed up by another, potentially impeding the attack and covering different attack vectors. This multi-layered approach is commonly referred to as the “castle approach” because it mirrors the layered defenses a medieval castle used to repel external attacks.
Layers of defense often include technology, controls, policy, and organization mechanisms. For example, firewalls (and many companies have multiple firewalls), identity and access management tools, encryption, penetration testing, and many others are all technological defenses that provide barriers to, or detection of, breaches. Artificial intelligence technologies promise to strengthen these barriers as new and persistent threats arise. But technology alone cannot keep us safe enough. Security Operations Centers (SOCs) provide oversight and human involvement to notice things the technologies miss, as was the case in the SolarWinds breach, where an astute associate noticed something unusual and investigated. But even SOCs can’t keep the organization 100% safe.
Policies and procedures, which management establishes, are necessary to meet control requirements. And, frankly, in today’s world, we need every single person in our organizations to provide some level of defense. At a minimum, everyone must be aware of scams and social engineering attempts so as not to fall victim to them. That includes directors, who are also targets and must know enough not to be caught by fraudulent emails or notices.
5. Cybersecurity is an organizational problem, not just a technical problem.
Many cybersecurity problems occur because of human error. A study from Stanford University revealed that 88% of data breach incidents were caused by employee mistakes. Aligning all employees, not just the cybersecurity team, around practices and processes to keep the organization safe is not a technical problem — it’s an organizational one. Cybersecurity requires awareness and action from all members of the organization to recognize anomalies, alert leaders, and ultimately mitigate risks.
We can define a “cybersecurity culture” as an environment infused with the attitudes, beliefs, and values that motivate cybersecurity behaviors. Employees not only follow their job descriptions but also consistently act to protect the organization’s assets. This does not mean that every employee becomes a cybersecurity expert; it means that each employee is held accountable for staying watchful and behaving as if he or she were a “security champion.” This adds a human layer of protection to avoid, detect, and report any behavior that a malicious actor could exploit.
Leaders set the tone for prioritizing this kind of culture, but they also reinforce and personify the values and beliefs for action. The BOD has a role in this, too. Simply by asking questions about cybersecurity, directors imply that it is an important topic for them, and that sends the message that it needs to be a priority for corporate executives.