Board Oversight of Cyberrisk

A must-read has been published by the National Association of Corporate Directors (NACD), in collaboration with AIG and the Internet Security Alliance. Cyber Risk Oversight is an excellent product, relevant not only to members of the board, but to information security, risk, and assurance professionals around the world.

The authors set out five principles, with which I agree.

  1. Directors need to understand and approach cybersecurity as an enterprisewide risk management issue, not just an IT issue.
  2. Directors should understand the legal implications of cyberrisks as they relate to their company's specific circumstances.
  3. Boards should have adequate access to cybersecurity expertise, and discussions about cyberrisk management should be given regular and adequate time on the board meeting agenda.
  4. Directors should set the expectation that management will establish an enterprisewide cyberrisk management framework with adequate staffing and budget.
  5. Board-management discussion of cyberrisk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

The first one is brilliant! It's not about "IT risk;" it's about risk to the business! The paper expands on this point later, including these passages:

Boards should ensure that management is assessing cybersecurity not only as it relates to the firm's own networks, but also with regard to the larger ecosystem in which the company operates. Progressive boards will engage management in a discussion of the varying levels of risk that exist in the company's ecosphere and take them into consideration as they calculate the appropriate cyberrisk posture and tolerance for their own corporation. They should also understand what "crown jewels" the company most needs to protect and ensure that management has a protection strategy that builds from those high-value targets outward. The board should instruct management to consider not only the highest-probability attacks and defenses, but also low-probability, high-impact attacks that would be catastrophic.

Total cybersecurity is an unrealistic goal. As with other areas of risk, a company's cyberrisk tolerance must be consistent with its strategy and, in turn, its resource allocation.

Here are some other key excerpts:

Today, corporations are subject to attackers who are part of ultra-sophisticated teams that deploy increasingly targeted malware against systems and individuals in multi-staged, stealthy attacks.

One of the defining characteristics of these attacks is that they can penetrate virtually all of a company's perimeter defense systems, such as firewalls or intrusion detection systems: Intruders look at multiple avenues to exploit all layers of security vulnerabilities until they achieve their goal. In other words, if a sophisticated attacker targets a company's systems, they will almost certainly breach them.

Moreover, although many smaller and medium-size companies have historically believed that they were too insignificant to be a target, that perception is wrong. In fact, the majority of cyberattacks are levied against smaller organizations that have fewer security resources. In addition to being targets in their own right, smaller firms are often an attack pathway into larger organizations via customer, supplier, or joint venture relationships, making vendor and partner management a critical function for all interconnected entities.

There is general consensus in the cybersecurity field that attackers are well ahead of the corporations that have to defend themselves.

According to some estimates, less than 1 percent of cyberattackers are successfully prosecuted.

Four basic security controls were effective in preventing 85 percent of cyber intrusions:

  • Restricting user installation of applications (called "whitelisting").
  • Ensuring that the operating system is patched with current updates.
  • Ensuring that software applications have current updates.
  • Restricting administrative privileges.

When asked to assess the quality of information provided by the board to senior management, information about IT was rated lowest, with more than one-third of all corporate board members reporting they didn't receive enough information about IT, and only 13 percent said they were very satisfied with the quality of the information they received.

One study found that 60 percent of IT staff do not report cybersecurity risks until they are urgent — and more difficult to mitigate — and acknowledged that they try to filter out negative results.

Keep reading to the last page! The authors have included questions directors can ask, not only about cybersecurity in general, but after a breach has been detected, as well.

I like this report and commend the NACD for making it freely available.

What do you think?

The opinions expressed by Internal Auditor’s bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.
