Cybersecurity is no longer strictly an IT issue or even a risk management issue; it’s a strategic issue that runs across the enterprise, and boards need to oversee it accordingly. That was the message from a panel of board governance experts at the 2020 FAIR Conference, hosted by the FAIR Institute, the professional organization dedicated to advancing the discipline of measuring and managing information risk.
Watch the video of the session, “Helping the Board Exercise Proper Cyber Risk Oversight,” with panelists:
- Larry Clinton, President of the Internet Security Alliance and collaborator with the National Association of Corporate Directors on the NACD Cyber-Risk Oversight Handbook
- Daniel Dobrygowski, Head of Governance & Policy, Cybersecurity Legal Counsel, World Economic Forum
- Shelley Leibowitz, Board Member, E*TRADE and MassMutual
- Lou DeSorbo, Chief Security Risk Officer, Centene
Some of the action items for board members to take away from this panel discussion:
1. Broaden your focus from cyber risk to business resiliency
“Business resiliency is provided through, many times, cyber resilience,” Lou DeSorbo said. “That’s how we try to talk about cyber and how it enables the business.” His case in point: organizations that adapted swiftly to the work-from-home environment have strengthened their position during the pandemic. Resiliency will also increasingly be tested by cyber attacks posing material risks, even existential risks, to organizations – crippling ransomware attacks against businesses were up 40% in 2020 year over year.
2. Think in terms of offense and defense
Cybersecurity isn’t simply about protecting IT systems; it also makes possible “digital transformation,” advancing into new markets or new relationships with existing customers through technology while maintaining security as the “attack surface” expands. “Smart boards understand this is about offense and defense,” said Shelley Leibowitz. Boards need to give direction on balancing the two, for instance by approving a clear risk appetite stated in financial terms. An important corollary: “Security needs to be embedded in everything you do,” Leibowitz said. Don’t make it an afterthought that belatedly calls a halt to projects.
3. Demand cybersecurity management with standard frameworks and quantitative reporting
Your management should be able to show that cybersecurity defenses are following best practices and maturing over time, for instance through implementation of controls and processes recommended by frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), ISO 27001 or HITRUST CSF. But checking off lists of best practices doesn’t tell the organization the size or direction of its risk load in the dollar terms that support strategic decision-making. Top off those frameworks by quantifying cyber risk in financial terms with Factor Analysis of Information Risk (FAIR). “That’s where economic value comes in,” said Daniel Dobrygowski.
4. Ensure cybersecurity is a part of culture and governance
DeSorbo said that Centene “separated the security team oversight function from the IT organization” to focus it on enabling innovative corporate objectives while keeping an eye on risk management. Many organizations have turned to FAIR, with its business-friendly, quantitative approach to cyber risk, as a culture-changer that bridges the business and technical sides of the house. Another recommendation from the panel: direct the leaders of operational management to school themselves with the NACD Cyber-Risk Oversight Handbook so they understand what the board wants to hear in cyber risk management reporting.
Watch the video of the session, “Helping the Board Exercise Proper Cyber Risk Oversight.”