Beauty (and security) is in the eye of the beholder. Every organization has a set of expectations (explicit or implied) about the risk appetite and degree of prudence that the security team, executives and Board of Directors should exercise over security matters.
These expectations vary by industry, organizational culture and products/services you offer.
I had the opportunity to converse with two executives of Tripwire, Ambyr O’Donnell, VP, General Counsel & Corporate Secretary and Kelly Lang, Chief Financial Officer to obtain their perspectives about the role of security in creating a standard of due care.
“Because there is no firmly established standard of due care in security, you have the option of waiting for regulators to dictate what you should do, or be more proactive about how to properly protect your organization,” says Lang.
So what does good security hygiene look like? What should the role of security be in risk management and in creating an organizational standard of due care?
When lawyers talk about due care, it is often in the context of liability for negligence claims. In layman’s terms, ‘due care’ can be thought of as the amount of attention that an ordinary and reasonable person would have exercised in order to prevent a foreseeable bad thing from happening.
In addition, part of directors’ and officers’ fiduciary duties includes a duty of care. The duty of care requires that directors and officers act prudently in overseeing the business, in light of reasonably available information.
O’Donnell comments that security, like all risk management, is fundamentally a corporate governance concern. Directors and officers must appropriately inform themselves before making corporate decisions.
In today’s business and legal environment, it is appropriate for corporate leadership to have in-depth discussions about how security considerations factor into assessing operational risk, corporate performance, compliance and brand protection.
In addition, public companies have certain disclosure obligations related to cyber security risks, as affirmed in the US Securities and Exchange Commission guidelines in 2011.
“Cybersecurity is nebulous for many, so it’s hard to put your finger on it,” says Lang.
So given this obscurity, what are the most important aspects in creating a standard of due care? O’Donnell and Lang came up with five factors to consider when developing your cybersecurity preparedness plans:
Protect your Brand with Due Care
Contrary to common belief, there is such a thing as bad PR. Both interviewees agree that keeping your brand untarnished is a top priority when setting security goals. Companies in all industries want to do business with trusted partners. A company’s value cannot be optimized unless the market views the company as secure and trustworthy.
Foster a Culture of Security
Risk appetite differs from organization to organization. Having both the appropriate tone from the top and consistently conveying that tone through the ranks creates a more security-aware culture.
As Lang comments: “If my boss cares about security, I better start focusing on it as well.” It is important not only to understand the threats and vulnerabilities to the corporate environment, but also the costs required to mitigate those potential risks.
Know your Crown Jewels: What and Where
A few months ago I interviewed security executives to ask for tips to improve information security risk management practice. There was a consensus that assessing the importance of your assets was key, as Eric Cowperthwaite, former CISO, commented: “If I don’t know what it is that I need to protect on behalf of my organization, I can’t possibly be successful in going beyond foundational due diligence security.”
However, as Erin Jacobs, former CSO for UCB commented, “What’s important to the Board is not necessarily what’s important to the business units. And what’s important to the business units might be different to what’s important to security teams.”
Lang and O’Donnell agreed that identifying key assets and critical infrastructure is fundamental to any security program.
Create/Update your Incident Response Plans
Having an incident response plan is extremely important. Even if you personally respond well in a crisis without a plan, the level of coordination required to respond to security incidents calls for a well thought-out plan and cross-functional training.
As described in full detail in this post dissecting the 20 Critical Security Controls: Control 18 – Incident Response, if you don’t have a plan in place, start small: even a basic plan creates a roadmap and will likely accelerate the development of a more effective response plan.
Also, you might reach out to your peers for examples or consult counsel with security expertise as a starting point. You don’t need to reinvent the wheel, but you will need to carefully assess whether your plan is right for your organization.
As we know, there are two kinds of companies: those who have been breached and those who don’t know they’ve been breached. Whichever you are, be prepared.
Communicate Security to the Business
A few months ago we talked about how to communicate risk more effectively, so in this section I decided to get the legal and financial perspective on the conversation. O’Donnell, whose legal background provides an interesting perspective, affirms that in-house lawyers need to be thinking about security, just as they think about and anticipate other potential risks to the business.
“We should be asking the organization about how security threats and vulnerabilities could affect our business, what policies look like and how well we adhere and whether we have incident response plans in place,” O’Donnell said. “In-house counsel should consider partnering with the key stakeholders in the organization who will champion security and keep the organization on the right track.”
From the perspective of a financial executive, Lang would like to understand the general business risks of the company. He notes that directors and officers are wise to include security aspects in their risk assessments as well.
“In a public company you’re forced to be deliberate, but you should be proactive, especially if it’s not mandated,” Lang said. You can read more about Lang’s perspective in this article on Using the Top 20 Critical Security Controls to Get Your CFO’s Attention.
In summary, security plays a pivotal role in creating a culture of due care in an organization. Security professionals cannot do this effectively if working in isolation. As O’Donnell points out, “You don’t want your first conversation with the Board of Directors to be at the time of a breach.”
We would welcome your suggestions as to how you’re creating a culture of due care in your organization.
Tripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
This publication is designed to assist executives by providing guidance for implementing broad baseline technical controls that are required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and has distilled key takeaways and areas of improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.
Download your free copy of The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities today.