Cyber Security in the Board Room: What's There to Focus On?
January 2014. Yet another unassuming day in Minneapolis! In the board room of Target, however, the temperature was at an all-time high. Cyber attackers had accessed the payment card records of as many as 40 million shoppers and the personal data of 70 million customers. It was a watershed moment for the retail giant, as its Q4 profit declined 46 percent from the year before. What followed was quite unusual: four months later, Gregg Steinhafel stepped down as Target's CEO.
The resignation of Target's CEO gave corporate officers and directors a concrete example of how cyber threats can hit the bottom line, and of how they themselves will be held accountable.
As cyber security draws attention from the very top, it becomes apparent that the concern is no longer just for security specialists. The reasons behind this sudden board-level concern are not hard to comprehend. The losses that enterprises have had to absorb from cyber breaches have been severe, to say the least. The average annualized cost of cyber-crime to a sample of U.S. organizations has been estimated at around $11.6 million per year. The damage is not only monetary: breaches have also eroded organizations' reputations. Moreover, senior management has come to understand that cyber security needs to be built in, not bolted on as an afterthought. So, what should the board room focus on when it comes to cyber security?
Areas to Focus On
Senior management is expected to confront cyber-risks by taking proactive steps, yet evidence suggests that a gap exists between the magnitude of the exposure presented by cyber-risks and the steps taken to address them. Boards often do not undertake key oversight activities related to cyber-risks, such as reviewing annual budgets for privacy and IT security programs, assigning roles and responsibilities for privacy and security, and receiving regular reports on breaches and IT risks. Even where they do, questions have been raised about the extent to which boards rely on the personnel who implement those measures. In light of these observations, directors should be asking themselves what they can, and should, be doing. Which areas must they focus on to oversee cyber-risk management effectively?
- The Crown Jewels
No set of security measures can realistically protect everything, so special attention must be given to protecting the organization's most valuable information, its crown jewels. The board must focus on identifying these mission-critical resources and ensuring that security measures are employed to protect them.
- Workforce
Technology can help an organization protect its assets by identifying threats and responding accordingly. In the end, however, it all comes down to the workforce deployed to operate these technical systems. If an organization's workforce is kept informed and properly trained, it can prove to be the best defense.
- Detective Measures
To enable the organization to react immediately and appropriately, board members must focus on directing the CISO to employ measures for the detection of attacks. Logs must be prepared and maintained to record all aspects of an attack, such as threat agent, vulnerability, risk, probability, and occurrence. The use of technical monitoring facilities can help organizations detect and analyze pertinent threats.
- Formulation of a Crisis Plan
Unfortunately, it is only a question of when and how, not if, an organization becomes the victim of a cyber incident. Instead of playing the helpless victim, an organization's board must focus on preparing for a serious attack. An important part of this preparation is the formulation of a protocol for communication during a cyber incident, and the establishment of recovery sites.
- Remaining Informed
Keeping up to date and informed about emerging threats must be a top priority for an organization's board members. They must learn from other victim organizations and formulate the best measures for reacting to incidents. Organizations exist at various levels whose aim is to help others in this area: at national level (the National Cyber Security Centre in the UK, for example); at sector level in various Information Sharing and Analysis Centers (ISACs); and occasionally in informal cooperative associations, such as a group of chief information security officers (CISOs) who work together to combat cyber security incidents within a particular industry.
Recommendations for Implementing Effective Cyber Security Governance
As mentioned above, board leaders clearly need to recognize that cyber-crime and data security breaches are creating a new and growing risk profile that affects the performance, reputation and profitability of their operations. The following is a recommended set of actions that senior business leaders can consider in order to focus on cyber risk readiness for their organizations:
- Strong Leadership
To drive effective execution of a cyber risk programme, senior management needs to structure its cyber security leadership team. This team must drive the communication and implementation of the programme, and must have both the authority and the expertise to do so. The management team must visibly support this team so that the whole organization understands the importance of the mandate it has been given.
- Keep Pace with Legislation
The legal landscape associated with cyber security is rapidly evolving. Board members must make sure that they keep pace with forthcoming European legislation such as the GDPR and the NIS Directive (NISD) in order to adapt their operations accordingly.
- Take Advice from an Independent Perspective
Sometimes it is easier for an independent expert to tell you the difficult truths that you may not otherwise want to hear. Boards must make sure that an external audit of their security measures is carried out quarterly, to evaluate their current position and plan their future response.