Cybersecurity - what are the boardroom implications?
Boards should ensure they have sufficient cybersecurity information and expertise to ask the right questions of management, writes Dan Swanson.
Safeguarding assets has been an important objective of all organisations for centuries. In today’s digital age, however, what does safeguarding your assets really mean? Who is responsible for it? And how is ‘protection’ actually achieved? Just as important, what threats, risks, and challenges does cybersecurity add to the organisation’s already many responsibilities?
‘Although the risks presented by technology are not new to the corporate arena, the dynamic nature of cybersecurity presents a unique challenge to companies and boards. The increasingly fast pace of technological changes creates many targets, and makes defense systems more complex and more difficult to manage and control.’ (Cybersecurity: Boardroom Implications – a 2014 NACD paper).
Who is responsible for information asset protection?
While chief information security officers and chief financial officers are important players regarding information asset protection and security, they are not the true ‘guardians’ of the organisation’s critical informational assets. For example, in hospitals, CFOs are not responsible for safeguarding patient records; at insurance companies, they are not the guardians of policyholder records. In the pharmaceutical or technology sectors, the company’s crown jewels (its intellectual property) are not the direct responsibility of the CFO or the CISO.
All of these forms of data have associated expenses and are used to generate revenues (billings, annual fees, royalties), for which the CISO has ultimate security oversight. The CISO in turn must ensure the integrity of the chain of custody by enforcing rules applicable to key managers and other authorised personnel in their roles as the day-to-day ‘guardians’. In short, internal control is affected by people at every level of an organisation. In fact, many managers are more directly responsible for day-to-day asset protection than the CISO or CFO.
What are the implications?
Addressing the following questions will help determine the key implications: how to protect your digital assets, how to ensure cybersecurity is appropriately considered, and what actions to take:
- will an organisation’s information security management system become critical to the safeguarding of the CFO’s financial records? Will those systems emerge as the main means of safeguarding an organisation’s assets?
- will CFOs and finance staff need to understand and implement informational asset protection measures to be effective in their roles of supporting the guardians of the organisation’s assets?
- will we need more guidance on the definition, classification, and protection of information assets?
- will CISOs need to work more closely with and educate the finance function (and all operating departments, really) about how to best implement a sustainable information protection and security programme?
- should the organisation establish a data management function and data governance policy, standards, and procedures? Both the function and governance could be headed by a senior manager reporting to the chief operating officer or chief executive officer. What role(s) should the chief information officer take in information protection?
- will the board and CEO need to provide more in the way of expectations?
- will internal audit and external audit spend more resources on evaluating the protection of all of an organisation’s assets, physical and digital? The internal audit function in particular needs to think more strategically about enterprise-wide security and ensure that enterprise-wide risk management is a guiding theme for prioritising the organisation’s efforts.
The bottom line: top management must implement an information security management programme that truly safeguards all assets of the organisation, and also addresses the many risks, threats and challenges involved with cybersecurity.
Cyber Risk Oversight, a publication of the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance, takes the position that directors should ask questions. (The executive summary is free, but the detailed questions are in appendices that are only free to members).
The publication presents five key principles to consider:
- directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue
- directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances
- boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda
- directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget
- board-management discussion of cyber-risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
Are all your organisation’s assets appropriately protected in the digital age? I recommend making this a regular topic of discussion at your management committee meetings, and also putting it on the board agenda on a regular basis. An effective tone at the top starts with top management and the board taking action to implement appropriate security controls.
Finally, the board should ensure it has sufficient information and expertise to ask the right questions of management at regularly scheduled board meetings. They should demand both internal audit and risk management assistance in assessing cyber-risk and the adequacy of management’s programmes for managing it. The CEO should ensure the executive management team provides appropriate and ongoing attention to this critically important subject.
Dan Swanson – president, Dan Swanson and Associates