Cyber Risk - Why Corporate Governance Matters

In the high-pitched, relentless battle against cyberattacks, much of the attention and energy has been focused on technical solutions, regulatory compliance, and balancing risks with opportunities.

What about corporate governance? What role does executive and board-level oversight play in ensuring robust cybersecurity … and what role should it play?

When most of us think of corporate governance, we tend to associate it with such business functions as financial integrity, hiring practices, legal and regulatory assurance, and corporate strategy. But the increasingly critical and complex issues presented by cybersecurity now have risen to the point where it must be a core component of an overarching corporate governance framework.

And that is happening not a moment too soon. 

For instance, there is increasing evidence that boards are playing catch-up when it comes to prioritizing cybersecurity as a vital governance issue. A 2018 global study of more than 1,000 board members conducted by McKinsey indicated that cybersecurity was a “potential business disruption” topic on the agendas of only 37% of boards. The good news is that figure represents a nearly 50% increase in just the past two years; the bad news is that cybersecurity remains a dangerously weak area of understanding for boards in assessing its potential impact on business operations. In fact, only 9% of board-member respondents said their boards had a “very good” understanding of cybersecurity’s potential for impacting business operations.¹

Let me give you a real-world example of this disconnect. A large, Asia-based supply chain company asked our firm to do a thorough penetration test of their networks as part of what they assumed would be a routine due diligence exercise. But we discovered that an expensive monitoring solution was not achieving its intended goals and was not being properly managed. It quickly became clear that an attacker could have gained full control of the network, including full access to the CEO’s system and had the potential to badly damage business partners’ systems. Leadership was shocked to learn this, prompting an urgent rethinking of how to restructure cyber governance and remove reliance on the internal IT team to solve security problems.

This is why leadership, both among C-level executives and in the boardroom, has to step up in making cybersecurity a more prominent element in corporate governance. But how?

I believe there are four major areas where corporate governance needs to evolve when it comes to cybersecurity:

• Inverting the cybersecurity leadership responsibilities.
• Adopting and “living” the right cybersecurity framework.
• Addressing the organizational structure.
• Getting smarter so business leaders can ask the right questions.

Inverting the Cybersecurity Leadership Responsibilities

One of the biggest problems is that cybersecurity has traditionally been designed with a bottom-up approach. In that model, individuals tasked with securing IT systems identified technical solutions to protect the infrastructure, applications, and data. Organizations spent untold billions of dollars on technology, only to find that it wasn’t enough to stem the impact of expanded threats, increased vulnerabilities, and innovative attackers.

This brings to mind a popular adage: When every problem looks like a nail, every solution must be a hammer.

This bottom-up mindset brought about cybersecurity defense, detection, and response policies that were developed around technical tools, without considering the business needs or operational implications. Metrics were developed that told the CSO how many attacks were blocked and from what sources, while the real focus needed to be “Which attacks weren’t blocked; which parts of the business were impacted; and what were the financial, legal, regulatory, and reputational costs?”

Instead, the cybersecurity governance model needs to be inverted to a top-down approach. This is the essential definition of organizational leadership:

• Understand and identify the challenges and opportunities.
• Establish priorities.
• Promote collaboration and innovation around solutions.
• Lead by example.

Leadership needs a full, transparent, and real-time understanding of the risks faced and the measures in place to protect the organization. If that information is not being clearly communicated to the C suite and the board, then leadership needs to find ways to ensure the right information is provided, typically by the CISO or CIO in today’s corporate frameworks—or find someone else who will.

If implemented correctly, a topdown governance framework will eliminate most threats and provide a mature, defensible, and flexible structure for protecting sensitive data. It will also help to ensure compliance, establish good legal protections, and encourage good cybersecurity hygiene among employees, partners, and suppliers.

Adopting and “Living” the Right Security Framework

Security frameworks are important because they embrace the full set of issues necessary for good cybersecurity: business operations, legal, regulatory, risk management, and technical processes.

While there are numerous good frameworks available for leadership to evaluate—and keep in mind that all frameworks should be adapted to each organization’s unique business conditions, operating procedures, and priorities— the most relevant and actionable one comes from the U.S. National Institute of Standards and Technology (NIST). This voluntary framework is the most broadly accepted and most widely implemented around the world, and has its foundation in five pillars:

• Identify the assets to be protected.
• Protect those assets with the proper safeguards.
• Detect incidents quickly, reliably, and comprehensively.
• Respond to incidents in a way that minimizes their impact.
• Recover from incidents and restore business operations as soon and as completely as possible.

There are plenty of actionable steps and best practices organizations can and should deploy in their cybersecurity governance model, such as assuring that appropriate security patches have been applied, end-of-life systems have been deactivated, and strong encryption and access control tools have been put in place and are being used. Still, those are technical solutions, most typically handled by the security and IT organizations.

The real power of the NIST model from a governance standpoint is that it creates an opportunity—or, depending on your sense of urgency—it provides a flexible framework for executives and board members to internally mandate and be used to hold business units accountable. The importance of the NIST Framework as a tool of self-assessment is that it places cybersecurity objectives in the context of the organization’s overall business objectives. The framework’s inherent flexibility guides business leaders and the technical management responsible for cybersecurityto focus on actions that will best position their organizations to manage their unique cyber risk, and to direct resourcesto areas where they can be most impactful to the business.

Addressing the Organizational Structure

It has often been said that you can learn a lot about any organization’s priorities by looking at their org chart. This is becoming more and more true every day in the realm of cybersecurity governance.

Increasingly, corporate leaders are driving change by rethinking and realigning who is responsible for cybersecurity and how the role is positioned within the enterprise. For instance, the idea that physical security, internal investigations, and cybersecurity should be merged into a single organization reporting directly to the board is gaining in popularity, and has many advantages. Independence is an important motivation for this approach, of course, but it also facilitates a more complete approach to security that takes into account people, business functions, priorities, and technical factors.

There is little question that announcements of changes in reporting structures make people sit up and take notice. Some of that is office politics, but much of it centers on the notion of what—and who—is gaining importance within the organization.

In edition 2 of this book, there were some excellent recommendations on how to identify and hire the best possible CSO in order to keep with a vigilant governance model for cybersecurity that ties business and technical requirements. In the chapter from executive search firm Heidrick & Struggles, the authors offered some clear-headed advice:

“Boards need to exercise even more diligence than ever when determining who to hire, how to structure their roles and responsibilities, where to look to recruit them, and which tradeoffs are appropriate to make in order to land the best possible candidate.”

And then Adobe CSO Brad Arkin offered helpful advice to boards and C-suite executives: Listen closely to how your cybersecurity leader talks about problems and solutions. His pragmatic takeaway: If you’re getting a lot of technical jargon instead of framing the discussion around business goals, you’re talking to the wrong person.

Getting Smarter So Business Leaders Can Ask the Right Questions

As has been emphasized repeatedly throughout this book, security is a business issue, not a technical one. While we need the right technology tools to identify threats, protect against them, and remediate their impact, cybersecurity practices and policies must be planned, measured, and governed against business benchmarks.

Doing that requires strong, vocal, visible, and constant support from business leaders and the board. But it also necessitates that top management and board members put more energy and resources against expanding their own knowledge about cybersecurity’s impact on their business.

Remember: You can’t get the right answers if you ask the wrong questions. Or, in the context of this chapter, you can’t govern if you don’t know what you’re supposed to be governing.

Now, no one is suggesting that the CFO or the head of marketing go back to school to get an advanced degree in cybersecurity, or that every board member have to pass a Security+ certification test. But the days of leaving cybersecurity responsibility to the technical people are long past. Regulations and legislation have changed the accountability quotient, and as we’ve seen too many times, an organization’s very reputation—which has been carefully honed and crafted over decades with untold sums of money—can unravel after a cybersecurity glitch.

Some people have gone as far as to recommend that every board should have at least one member with extensive cybersecurity expertise in order to “keep the CSO honest.” That concept may have some merit, but it still involves most board members and executive leaders turning to the “one wise man or woman in the room.”

Business leaders and board members don’t simply default to the CFO when a financial crisis hits, and they don’t just assume the chief legal officer or outside counsel has everything covered when an embarrassing lawsuit pops up. In those and other scenarios, executives and board members jump in with both feet because, among other reasons, corporate governance demands that they do.

The same is now true with cybersecurity. One of the important ways business leaders can get smarter and ask better questions is to have a commonly used prism of business issues through which cybersecurity issues can be analyzed, discussed, and acted on. For instance, discussions with the CSO on topics such as distributed denial-of-service attacks should be centered on how the business was impacted in areas such as downtime, lost productivity, revenue, and profit impact, and whether cybersecurity investment priorities should be re-examined.

Of course, this is a two-way street. Not only do board members and business leaders need to take steps to better educate them on cyber issues, but CSOs and other technical leaders need to re-imagine and re-engineer how and what they present to the business side. Things that have often been taken for granted, such as how a CSO’s PowerPoint presentations look or why an organization is changing its policy for using public cloud services, must always be framed in a business perspective—ideally one that aligns with the organization’s core values and business priorities.

What Boards Should Do Now

What should boards be doing in order to receive regular, appropriate security metrics around monitoring and detection?

First, the board needs to understand what cyber threats exist inside their organizations. A good starting point would be to obtain a report on current cyber threats impacting their industry and some recommended safeguards. Importantly, a search of any data on the Dark Web— passwords, personal data, confidential documents, or financial documents— that have already been exposed should be conducted by a reliable third party, and mitigation controls put in place.

Second, keep in mind that employees are almost always targeted for attacks. Board members need to receive regular updates on the level of staff security awareness through steps like controlled phishing exercises. The board also must ask if management is fully committed to this kind of organizational cyber hygiene in order to emphasize the importance of good security habits.

Third, internal and external resources should be deployed to regularly hunt for threats already on the networks but undetected, rather than simply relying on metrics around detected security events. Experience has shown us that attackers are often already inside networks for many months before real damage takes place. These hunts should be based on actionable intelligence and real-world knowledge of current threats.

Conclusion

Corporate governance has changed a lot in recent years, driven by such issues as increased regulatory oversight, more active and involved board members, and a need to apply healthy doses of both skepticism and support in an increasingly complex business environment.

And cybersecurity may be the single biggest thing to reshape corporate governance in decades.

Unfortunately, we still don’t have enough clarity for actionable advice that corporate leaders can implement from the word go to help ensure the security of their organization and its data. But taking a more business-centric, inclusive, top-down approach to cybersecurity corporate governance will take us a long way toward achieving our respective organizations’ goals. When cybersecurity is considered as a business issue, rather than isolated as a technical problem that has to be solved by technical people using technical tools, we will have a much greater chance for success.

This excerpt from Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, Third Edition © 2020 Palo Alto Networks, Inc. was reprinted with permission from Palo Alto Networks. To request the complete e-book, please visit: paloaltonetworks

Sources
¹ “A time for boards to act,” McKinsey, March 2018.