The risk landscape for corporations is constantly changing with new threats, regulations, and evolving cybersecurity vulnerabilities and attack methods. The recently disclosed Equifax data breach is the latest high-profile event that has stirred senior executives and corporate boards of directors all over the country to ask themselves, “Can this happen to us?” Sadly, the answer remains “yes,” as cybersecurity risk can never fully be removed. However, corporate boards can create a culture of security to mitigate risk and better protect their company’s critical infrastructure, data systems and reputation.
Recent cyber-attacks have caught the eye of many boards across the country because of their significant effect on corporate earnings in 2017. For example, FedEx reported a $300 million hit to earnings due to the Petya attack in June 2017. Mondelez, formerly known as Kraft and the world’s second largest confectionary company, reported a 5 percent drop in quarterly sales, blaming shipping and invoicing delays caused by the same June attack. Similarly, the shipping company Maersk reported that the Petya (variant) attack will result in losses totaling between $200 and $300 million. Lloyd’s of London has estimated that a global cyber-attack could trigger an average of $53 billion in economic losses, a figure on par with a catastrophic natural disaster such as Superstorm Sandy in 2012. Accordingly, the potential monetary and reputational losses from these cyber breaches are significant and increasing as they become more impactful and widespread.
Corporate boards can no longer be content in solely hearing about metrics, resources, and compliance when evaluating corporate success. They must also consider what an organization is doing to protect the business’ existence, including its information assets, the risk to those assets and their criticality to ongoing business operations. To increase board awareness in this area, Chief Information Security Officers (CISO) must proactively engage their boards on issues of data confidentiality, integrity, and availability.
Recent ransomware, denial of service, phishing and other malware attacks are calling for board members to ask the difficult questions about their company’s risk. What is the company’s risk appetite? Have threat and vulnerability assessments been conducted to evaluate company risk? Does the organization have the expertise and resources needed to reduce risk? Have mitigations (controls) and countermeasures been adequately deployed? What risk has the organization mitigated, removed, transferred, or accepted? Every business has risk. Whether you are generating electricity for the power grid or operating a neighborhood lemonade stand, calculating and mitigating risk is a key factor to an organization’s success and survival.
Risk can be defined as the combination of the probability of an event and its consequences. The probability of an event is the likelihood that a given threat will exploit an exposed vulnerability. If there are no consequences or impact, there is considered to be no risk. Conversely, the greater the consequences or impact, the greater the risk. Board members should assess cybersecurity risk on a regular or event driven basis, such as after any incident or security event, because any successful compromise is the result of either a lack of adequate controls or a control failure, which indicates risk was not assessed accurately and must be reassessed. These basic concepts on risk will allow board members to assess security vulnerabilities and better protect their company from potential losses. Today, corporate boards would be well served to have a fellow member with a security background to ensure security objectives, such as cyber risk assessment and mitigation, are aligned with business goals and objectives.
Once a board has defined its corporate risks and identified its security expectations, compliance with these expectations should be met at all levels of the enterprise. Penalties for non-compliance must also be defined, communicated and enforced from the board level down. Beyond these requirements, the board has an ongoing obligation to provide a level of oversight over information security activities. In addition, the board, in coordination with senior management, is responsible for ensuring that the appropriate organizational functions, resources and supporting infrastructure are available and properly utilized to fulfill a well-articulated security strategy for the enterprise. A review of the organization’s strategic business plan is likely to uncover information security opportunities that can directly reduce risk, financial losses and potential operational disruptions. These opportunities for risk mitigation should be included in a company’s information security strategy to provide a path forward in this area.
Without an information security strategy and a governance framework to implement it, an organization will continue to implement ad hoc tactical point solutions rather than a meaningful and integrated plan of action. Information security governance is a subset of corporate governance that provides strategic direction for security activities and ensures that cybersecurity objectives such as effective risk and resource management are achieved. To achieve information security governance, corporate boards must mandate the development and maintenance of an information security framework that supports and is intrinsically linked with business objectives.
An important and often misunderstood cybersecurity issue that surfaces again and again in corporate settings, regardless of which regulatory program we discuss, is the distinction between compliance and security. Compliance is a regulatory minimum that one must achieve, it could even be seen as a tool, but it is not a cybersecurity strategy. Boards of Directors should recognize that compliance is the minimum and that the minimum may not keep a company and its resources secure. Risk mitigation through security controls and countermeasures should drive risk down to acceptable levels. However, when was the last time a risk assessment or a business impact analysis was done to determine current and emerging threats? To tackle increasing data threats, companies need to put cybersecurity at the very heart of the business. In the modern age, information security should be woven into the fiduciary, oversight and risk management purview of the board.
As strategic leaders of the company, if you can promote a culture of security, it becomes an integral part of the way the organization functions. This is one of the best and most important protections that any organization can have, and it will push employees to understand and anticipate that when they engage the board on topics of customer data, infrastructure upgrades and business impacts, security will be discussed in detail. This is the new normal. After all, benign neglect, indifference or ignorance will not end well and could result in irreparable reputation and product damage.