This year, Gartner – the world’s leading IT research company – came out with a prediction that upon inspection says a lot about how the highest level of corporate management views cybersecurity risk. It wasn’t that this has become the second-highest source of risk for the enterprise, and could become the riskiest of all. This sentiment already abounds. Rather, it was that a Gartner survey discovered that 40% of American boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member by 2025.
The number today is less than 10%. So yes, this is progress.
But it really isn’t particularly impressive, and that is the real point. Just look at what is going on. More than 80% of U.S. companies have been successfully hacked, according to Duke University. Only a few months into 2021, cyber breaches have already buffeted the likes of Facebook, Instagram, LinkedIn, Microsoft, U.S. Cellular, Kroger, Hobby Lobby, Cancer Treatment Centers of America, and the California Department of Motor Vehicles.
While a number of useful countermeasures are being taken across the board, progress remains relatively slow in the face of borderline existential threats.
Not so long ago, companies thought of cybersecurity as a technology problem to be overseen by the chief security officer (CSO) or the chief information officer (CIO), or as a compliance issue to be managed with audit functions. Today, thankfully, a more holistic, proactive and analytical approach is generally taken. There is more security training and better hygiene and most boards now count a seasoned chief information security officer (CISO) as one of their directors.
Nonetheless, recent surveys underscore that cybersecurity still isn’t where it needs to be in the boardroom. In its 2020 annual corporate director’s survey, for instance, PricewaterhouseCoopers found that less than a third of nearly 700 respondents said they understood their company’s cyber vulnerabilities particularly well.
In a similar vein, a study by Trend Micro, security software provider, found that only 23% of organizations polled said they aligned security with key business initiatives, typically a priority among corporations with the highest-regarded cybersecurity programs. In addition, 44% of respondents said that their board of directors had only limited involvement in many critical cybersecurity operations, suggesting that many boards are only prepared to fund the minimum amount necessary.
Perhaps corporations can do only so much given the belief that many hacks can be contained but not totally eradicated. The attack surface, after all, is gargantuan. A typical enterprise has a huge and diverse array of assets to be protected, including applications, managed and unmanaged endpoints, and IoTs and cloud services. And each Internet-facing element can be attacked in scores of ways. Then, too, there are an enormous number of weak passwords and almost never-ending software vulnerabilities.
Still, the fight must go on, and this sometimes means that the adoption of seemingly promising measures need to be re-evaluated.
In recent years, for example, we have seen an explosion of cyber-risk measurements, which have their place but may be overrated. What is needed now is not merely statistical scores based on third-party evaluations but more holistic assessments that also embrace technical analysis, governance, company culture and the financial impact of adverse cyber events. All this helps top executives and board members better understand their organization’s exposure to the most serious technological vulnerabilities.
Too often, it is the technical side that gets all the attention. These efforts, usually conducted by CISOs, commonly focus on the number of previous attacks, their impact and how quickly they were addressed. While of value, they are largely backward-looking and plagued by chronic change. Also needed are broader views, such as risk orientation, which is important in many facets of corporate strategy, not just cyber. This helps board directors and executives determine how much to invest in cyber defenses instead of other areas in the business.
Here are other ways that boards of directors can improve the cybersecurity posture of their enterprises:
- Always remember that organizational communications is essential. The board plays a crucial role here in supporting the executive team. Especially during a breach, there needs to be a single version of the truth so that everybody within and beyond the organization understands how a tense incident is being handled. A cyberattack tends to exacerbate inherent tensions. Establishing trust during a crisis can be extremely difficult when people are unaccustomed to working together.
- Initiate boardroom conversations that cut through the noise. Insist on details about how the company is decreasing the risk of attack and managing any risks that occur. Remember the business adage: “What gets measured gets managed.” Seek ways to monitor metrics, including the number, nature and extent of vulnerabilities, and then establish benchmarks.
- Don’t be one of those boards that cannot interpret a jargon-laden cyber report. Insist that management reports to boards in ways that are understandable and provide continuous feedback on cybersecurity effectiveness. Boards need ongoing insight, as well as the basic facts.
- Work to avoid group-think. Instead, learn to think creatively about cybersecurity by trying to put yourselves in hackers’ shoes, i.e., bad actors trying to make systems fail. Understanding their methods may help you avert the next attack.
- Along with executives, practice exercises in cyberattack response. Experience in defensive procedures matters.
- Plan ahead for security incidents. Accept that your company will probably be breached despite your best efforts. Therefore, board members need to keep abreast of their company’s incident response plan, ensuring it’s current and that contingencies exist for extreme scenarios and multiple incidents.
Remember two key principals in big-picture cybersecurity management. One is “kaizen” – the continuous improvement of manufacturing and other business activities. This mindset is imperative in cybersecurity. Also bear in mind that board members should never just leave cybersecurity issues in the hands of the chief information officer. Directors need to lead by managing tensions that crop up and by challenging suppositions. All hands, including the top hands, are needed on deck.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.