Do boards of directors really care about the growing threat of cyber attacks? If so, what are they thinking and how are they responding to the apparent increase in threats and attacks?
In the nearly 30 years of working in finance and accounting I have spent almost my entire career in or consulting with publicly traded companies and much of it directly working with boards of directors.
Reflecting on this experience, my hunch would have been that most of these boards had an interest in cyber threats, but that much of their attention was directed at required disclosures in public filings and less at what management is actively doing to proactively defend the company from attacks.
However, based upon my attendance at a recent National Association of Corporate Directors (NACD) and KPMG conference I found that my hunch was incorrect.
If you have ever attended similar events, you may have found the conversation between the panel of experts and the participants to be one-way: the presenters presenting, and the participants quietly listening and looking at their watches, wondering when the meeting would end.
The NACD and KPMG event, titled "Cyber Threat Intelligence and The Lessons from Law Enforcement," was very different. The discussion centered on the board's oversight responsibility with regard to these threats, and the panel included experts in cybersecurity, public accounting and law who specialize in both board oversight and cybersecurity risk.
The following are three of the more significant takeaways from the conference:
Today Cyber Threats and Cyber Security Have the Attention of Boards of Directors
As I mentioned above, this seminar was very well attended by a broad and diverse group of directors from both public and private boards. Many in attendance acknowledged they used to have only a casual interest in cyber risk, driven mainly by the need to comply with SEC and other regulatory requirements.
However, more recently many of the directors' interests have changed: they are now more interested in what it means personally to them and to the company, and in what would happen if a major attack occurred, or has already occurred, at the company they represent.
Based on the questions exchanged between the panel and the participants, many of the directors wanted to understand what standard of due care they would be judged by if a breach occurred. The theme from both the public accounting professionals and the legal experts was that directors need to have regular communications with management and ensure that management is addressing the risk appropriately and in a timely manner.
Said another way, a director cannot simply react to what management brings to them; instead, directors need to inquire into the cyber risks at hand and into what controls are either in place or being implemented to protect valuable corporate assets from being lost.
Information Technology Continues to be a Foreign Language to Boards of Directors
Again, reflecting on the questions asked by the participants, it was obvious that most board members, like company executives, don't understand the IT jargon, let alone the technical solutions proposed. But it was also clear from the panel that board members are not excused from understanding the situation.
One participant asked whether directors needed to attend specific technical training to properly assess and understand the risks and threats. The answer was no, but boards are required to work with management to develop the processes, communication mediums and tools that enable proper oversight.
I came away with the conclusion that if boards aren't going to learn the technical jargon and solutions, then it's incumbent on executive management and on IT and security professionals to learn to speak "the language of business."
The Use of a Risk-Based Business Approach to Cyber Threat Mitigation
A risk-based business approach to cyber threat mitigation is familiar to board members, and it is also necessary to establish a basis that meets the definition of a good standard of due care.
As mentioned earlier, boards are measured by something called a "reasonable standard of due care." These five words are not new and are time tested, but what exactly do they mean? The panel kept returning to the point that a "risk assessment" performed by management was necessary.
By the way, almost every company today uses risk assessments (formal or informal) to grow and protect its business and assets. These risk assessments are foundational to speaking the language of business. There are many tools and processes available; a quick Google search will turn up many that work in most environments.
The key is to develop and use a systematic approach to diagnose risks and prioritize the areas in need of the greatest protection, then manage against that assessment and mitigate where it matters most. Further, regular updates of the assessment and quantification of risks, along with documented communications to the board, are necessary to build a foundation for a board to show it is exercising due care.
Reflecting on my experience with other business risks, assessments should be updated at least annually, and perhaps even more often in the dynamic world of cyber threats. Board communications should happen at least semi-annually, depending a great deal on the maturity of the security program.
I've also found that the communication mediums and tools often evolve over a series of meetings, but in time the process enables efficient and clear communication between the board and management.
In summary, I was both pleasantly surprised and pleased to see board members interested in cyber threats beyond simple compliance with a regulatory requirement. Active engagement between management and board members is essential to building trust, appreciation and mitigation plans for a very complex and challenging business risk that hardly existed ten years ago.