November 19, 2015 | By: Mike Cote
You can't read a corporate governance publication or blog today without getting advice about the board of directors' role in incident response planning. It's an expected reaction as corporate officers and directors come to terms with the idea that a breach is possible – maybe even probable.
Many of us in the cybersecurity industry applaud this engagement as a component of the reactive part of the strategy, but we also share a concern — are boards and C-suite leaders underestimating their role in the organization's strategy for day-to-day resiliency against the threats?
The timeline of a breach can be long. Weeks, months or even years go by before a large-scale exfiltration or destruction of assets occurs. The point at which you discover a breach largely determines whether the damage is significant or not. Yet while many corporate leaders seem to be addressing the "crisis" part of a breach timeline – when revenue and reputation are severely at risk – they seem to be leaving oversight of the ongoing risk mitigation strategy in the hands of management. Frankly, if board oversight is limited to the crisis stage, we've failed on behalf of our shareholders and stakeholders.
In October I joined a panel of information security executives from American Express, the American Gas Association and Liberty Ventures Group at the U.S. Chamber of Commerce's Cybersecurity Summit to discuss this concern and suggest a course of action. As I shared then, it's time for boards to embrace their role in the mitigation of cybersecurity risk and ask their executive suites the following questions: Is our strategy focused on preventing cyber-attacks where possible and on anticipating and detecting threat activity early in the timeline? Do we have the right capabilities to deal with that activity before it becomes a material loss?
A responsible and effective cybersecurity strategy is predicated on the concept of resiliency against a breach, and that means having the capabilities for early warning and early intervention to reduce the impact. What does a resiliency model look like from a board or C-suite perspective?
– Know what you're protecting, where it's located and who might want it. Otherwise you can't manage the risk or put the right capabilities in place. It's far too common for companies to layer more and more technologies aimed at the "latest" threat concern, with none of them pointed at the actual threats and vulnerabilities for that company's specific assets or environment.
– Insist on capabilities for dealing with a chronic problem. Defense is not the endgame in resilience. The company's cybersecurity program must have four key capabilities to handle a cycle of recurring engagement:
- Prevent where possible
- Detect what you can't prevent
- Respond quickly
- Predict what will happen next
– You need to apply threat intelligence to have those capabilities. Threat actors can develop new tactics and weapons with ease in the digital world, quickly outpacing the technologies deployed against them. Applying real-time threat intelligence will help companies quickly recognize and predict threat activity both on the network and on endpoints such as mobile devices.
– Ensure that you have the right people with the right skill sets following the right processes and procedures. Hackers are watching carefully for breakdowns, whether from understaffing or procedural failure. They will take the path of least resistance, which is often human error.
– Set a tone at the top. In a resiliency model, corporate leaders manage the risk at an enterprise level, in the context of corporate strategy and risk tolerance. They hear equally from IT and security leaders for a balanced view of enablement and risk mitigation. The whole business is engaged in and accountable for the prevention of hacking. Employee training programs are in place – from boardroom to mailroom – and security requirements are enforced across business lines and with partners and affiliates.
Anticipate and Mitigate the Risk
Even if a breach does result in significant compromise, the early warning strategy outlined above will make it easier to get the facts sooner and more accurately. You need those facts to quantify the loss, determine disclosure requirements and manage reputation and revenue risk. As our rapid incident response teams have seen time and time again, the ultimate cost of a breach depends as much on what you did before the breach as what you do after it.
Yes, the current legal interpretation of director duties for cybersecurity risk oversight is still somewhat nebulous. But as a fellow presenter at the Chamber was quick to point out: if we don't figure out how to define reasonable oversight, shareholders will be happy to leverage their proxy access tools and regulatory influences to figure it out for us. I, for one, hope the definition of "reasonable" places an emphasis on anticipating and mitigating the risk, not just "managing it well" after the damage is done.