Chapter 1
Cyber Expertise in the Boardroom
Cyber Expertise in the Boardroom
In May 2021, the United States faced the country’s largest publicly disclosed cyberattack against its critical infrastructure – an attack with such far-reaching implications that President Joe Biden had to declare a state of emergency.
The victim was Colonial Pipelines, one of the largest and the most crucial oil pipelines in the US, which was held to ransomware by threat actors by infecting some of the company’s most vital digital systems. Attackers entered the company’s IT network through an exposed VPN network, stole around 100 GB of data within a span of two hours, and infected the network with ransomware.
The attack forced Colonial Pipelines to shut down services for several days, impacting major airlines in the country and sparking panic-buying among the public. This cyberattack threatened to become a matter of national security until the company was forced to pay the hackers $4.4 million in bitcoin in exchange for the decryption key to regain control of its systems.
By no means is this an isolated attack. Threat actors holding organizations to ransom is almost, unfortunately, a monthly occurrence.
In 2019, threat actors gained access to and hijacked the software compilation process for SolarWinds’ Orion platform, placed a backdoor inside their software updates, and infected thousands of consumers over a span of several months. Impacting government agencies like the Department of Justice and tech giants like Microsoft alike, these cyberattacks left a bad taste for the company and the world at large, as they revealed a fatal flaw in enterprise security strategies.
The Need for Cyber Expertise in the Board
Although we are no longer strangers to the malicious activities of threat actors, the magnitude and the frequency of cybersecurity breaches have exponentially increased since 2020. The negative impacts of a breach – financial loss, brand reputation risks, legal liabilities, loss of customer trust – are no longer an IT challenge. They have become a prominent business challenge now and thus, vigilance against them have become an enterprise-level priority.
Gartner predicts that, to drive accountability for cybersecurity, there will be an increase in the presence of cyber experts in the boardroom. According to the technology research firm, by 2025, 40% of board directors globally will have a cybersecurity committee overseen by a qualified member.
In early 2022, the Securities and Exchange Commission of USA drafted a rule applicable to all public/listed companies that mandated direct board oversight into cybersecurity governance capabilities of the organization. It also mandated companies to disclose the cybersecurity expertise of their Board.
So, the word is out. Cyber expertise in the boardroom is no longer just an option.
Building a cyber-competent Board capable of elevating cyber security as an organizational priority and an organizational culture is an investment that organizations across the globe will now have to make.
The first step in building cyber expertise in the boardroom begins with the understanding that cybersecurity plays a vital role as a business enabler by safeguarding critical business assets like customer data, intellectual property, trade secrets, and financial information.
How to Have Productive Cyber Board Engagement
The new digital landscape that businesses operate in demand the Board to be equipped with enough oversight and for the CISO to be more than just an advisor. It is time to change the long-standing tradition of separating IT from the rest of the departments like finance, accounting, and legal; rather than just a utilitarian department, IT is in itself a whole separate business function. And as such, it needs adequate representation in the boardroom to ensure that IT strategies form a crucial part of the larger business strategies.
Fostering productive cyber board engagement requires committed efforts, continuous education, and effective collaboration.
Induct Cyber Experts
Boards often struggle with cyber risk analysis because up until recently, there has not been a simple directive or framework to be followed. Having industry-specific knowledge is instrumental in scrutinizing and evaluating the effectiveness of not just the organization’s IT strategies but risk assessment and mitigation plans.
A cybersecurity expert in the Board can bring invaluable insights to the table when it comes to information security, risk assessment, and incident response planning. Their presence can help the Board understand current cybersecurity trends and empower them to comprehend the risks facing them. Fruitful discussions with the IT departments become crucial for the Board to gain a comprehensive understanding of the organization’s cybersecurity framework, make informed decisions, and ensure accountability.
A cyber expert in the boardroom also helps in expediting damage control measures in the event of a cyberattack.
Build Cyber Expertise Inhouse
Organizations must invest in developing cyber expertise across the Board and the C-suite. To defend against possible cyberattacks and to be proactive in this defense, Board members must have a baseline understanding of the matter.
In the absence of a certified expert, organizations should have enough people in the Board with the capability to understand the nuances of their cybersecurity programs to manage risks effectively. As a practical step, organizations must build the expertise inhouse. Having an inhouse team helps you nurture a workforce that is fully aligned with your organization’s larger goals and functions according to your organization’s culture. It also lets you have direct day-to-day oversight on your cybersecurity programs and how they are being put into effect.
Communication and collaboration are also far more effective and seamless with an inhouse team. Organizations with highly specialized technical needs will benefit more with an inhouse cyber team because it addresses any concerns on confidentiality.
Develop Cyber Awareness
Developing cyber awareness in the boardroom and the C-suite is crucial for establishing a culture of cybersecurity within the organization. Education and training are vital steps in building this awareness as it is imperative for the CISO and the Board to be on the same page and use the same frameworks to effectively implement cybersecurity programs.
Education and training must ideally be a two-way process; any curriculum building on technical knowledge must be directed by the CISO and any training on organizational strategies must be directed by the Board. Regular training sessions designed for the Board members and C-suite will help them stay updated on current cybersecurity trends, emerging threats, and vulnerability areas in the organization’s armor.
Engaging external experts will help provide insights and guidance to the Board and C-suite. Their expertise can help the leadership on the evolving threat landscape, industry standards, and best practices and protocols to follow. External experts can also assist in evaluating the organization’s cybersecurity posture and suggesting improvements.
Inculcate Diversity in Expertise
Building a diverse range of voices from various C-suite stakeholders can enhance the cyber awareness in the boardroom. The Board must invite cybersecurity representation, side by side with that from legal, finance, technology, and other leading business functions. This diversity brings different perspectives and enhances decision-making.
It is also a good practice to form dedicated committees within the Board focused on cybersecurity. Members with relevant expertise in cybersecurity, IT, risk management, legal, and other related areas will be highly valuable resources for these committees.
A sound security program built by a mix of diverse stakeholders will take into account a broader range of potential risks from a variety of angles. The diversity of thought brought by the diverse department representatives can help in creating more comprehensive and effective cybersecurity strategies and taking well-rounded decisions.
The constantly evolving cybersecurity landscape can be far more effectively navigated and the newly emerging threats efficiently mitigated with this collective intelligence of a diverse Board.
Establishing Board-Level Oversight
As we discussed at length earlier, Board-level oversight for cybersecurity affairs is critical not only for effective governance and risk management but to ensure that the cybersecurity programs are aligned with the organization’s overall strategic objectives.
There is no one correct way to establish robust Board-level oversight for cybersecurity. While some corporate boards delegate it to an external audit committee, some others would prefer to create an inhouse stand-alone committee within the Board. Regardless of which route an organization takes, the key objective of this exercise is to ensure that cybersecurity is a business priority that garners attention from the Board level.
Here are a few steps to ensure Board-level oversight for cybersecurity programs:
Regular Independent Cybersecurity Risk Assessments
As new threats and vulnerabilities emerge in an ever-evolving cybersecurity landscape, regular and comprehensive risk assessments should be an ongoing process rather than a one-time exercise. It is a crucial process to identify potential vulnerabilities, mitigate risks, and ensure the security of corporate assets and information.
The risk assessment must be conducted by a team of qualified cybersecurity professionals, which could include inhouse experts or external consultants. To ensure that no corporate asset is a potential vulnerability, the assessment should cover hardware, software, network devices, and data repositories. Understanding what needs to be protected is the first step – and a crucial one – of the risk assessment process.
This is one of the scenarios where the need of a cyber expert becomes paramount. To run an effective risk assessment exercise, it is important to have in-depth knowledge on the current cybersecurity trends and recent cyberattacks. Knowing what is out there and what you can expect will form the foundation for what you can do to mitigate it. A cyber expert who possesses this skill will be an invaluable resource to analyze how these threats could impact the organization.
Evaluating the effectiveness of the organization’s existing cybersecurity strategies is a key step in this process. This involves reviewing the existing policies and strategies to determine how adequate and effective they would be in the event of a cyberattack. Vulnerability scans and penetration tests will help identify any chinks in the armor and formulate plans to keep these attacks at bay.
Any risk assessment must include clear, concise documentation, capturing all the critical findings in a manner that’s easy for even non-technical personnel to understand. Keeping track of the progress of remediation measures implemented is another step to ensure that vulnerabilities are addressed and risks are mitigated effectively.
Considerations for Cyber Risk Management Goals
Monitoring the organization’s cyber risk management goals needs a systematic approach to ensure that any or all risks are mitigated effectively. This process must be subjected to continuous improvement to enhance the organization’s resilience to cyber threats and safeguard sensitive corporate and customer information.
Setting, managing, and monitoring cyber risk management goals begins with assessing the organization’s risk appetite and setting appropriate cyber risk tolerance levels. Risk appetite – the amount and types of risks the organization is willing to be impacted by in pursuit of its objectives – must be assessed based on multiple factors like the culture of the organization, the industry it is working in, the regulations it has to abide by, and the expectations of its stakeholders and customers. Only once you effectively gauge the organization’s risk appetite can you successfully set its risk tolerance level.
Setting the risk tolerance levels must be an inclusive exercise, involving the experience and expertise of all key stakeholders – Board members, cyber experts, relevant department heads, and even on-the-field executives. The collective wisdom of all of them is essential to set the acceptable level of risk exposure for the organization without adversely impacting its critical functions.
Establishing the risk appetite and risk tolerance will set the tone for evaluating the organization’s existing risk posture, assessing its ability to detect and protect against emerging cyber threats.
Risk mitigation strategies aligning with the organization’s tolerance levels can be developed with a combination of policies, procedures, and organization-wide training and awareness programs.
Being a process that requires regular auditing and continuous improvement, security experts – internal or external – will help to evaluate the viability of the organization’s cyber risk goals and the effectiveness of its strategies.
Allocation of Appropriate Resources
Cybersecurity no longer being just an IT challenge, allocating appropriate resources to the cybersecurity program is critical to its success. The Board must assess the organization’s cybersecurity needs by identifying the most critical assets, potential risks and vulnerabilities, and – once again – the emerging threats. This comprehensive assessment will help define the resource requirements effectively, resources that will include personnel, technologies, infrastructure upgrades/maintenance among any number of others.
Training the human resources and upgrading the technology resources must be done on a periodic basis to ensure that the organization’s defense against cyber threats remains impenetrable.
Financial resources allocated to cybersecurity programs must cover a wide range of requirements like hiring, training, purchasing technology, the cost associated with appointing external auditors or experts, and running awareness workshops.
For something as vital to the organization’s health as its cybersecurity strategies, the resource requirement is not limited to personnel and finance. It is also imperative to establish and leverage an ecosystem of cybersecurity resources as a support mechanism for these strategies to be effective.
An external ecosystem of industry associations, trusted partners, and cybersecurity vendors must be carefully cultivated and nurtured to build fruitful relationships. Attending industry conferences and networking events will help in knowledge sharing and keeping pace with the rapidly changing cybersecurity landscape.
Adopting a Cybersecurity Risk Management Framework
Cybersecurity risk management frameworks will vary according to the organizational goals, overall strategies, industry standards, and regulatory requirements. As such, there is no one-size-fits-all framework that can be blindly adopted to plug and play.
When developing a framework that best suits your organization, it will be a good practice to involve cybersecurity experts – external if need be – to ensure its success.
An ideal cybersecurity risk management framework must enable the organization to identify, assess, and mitigate risks with minimum impact to business activities and reputation. The process to design a cybersecurity risk management framework includes:
- Identifying the critical corporate assets to be protected
- Identifying potential threats and vulnerabilities
- Determining the impact of these threats to the organization
- Developing risk mitigation strategies based on the threats and vulnerabilities identified
- Establishing policies, procedures, and incident response plans to reduce the risk impact
- Continuously monitoring the effectiveness of these strategies
- Regular auditing and updating of all processes and policies
Building a Cybersecurity Strategy from the Top Down
A strong and effective cybersecurity strategy will lay the foundation for a future-ready organization, and that begins at the top.
A cyber-aware Board that demonstrates a strong grasp of the cyber landscape will be proficient enough to navigate it and steer the organization away from a similar event as that of Colonial Pipelines.
With the growing cyber threats and the subsequent need to strengthen compliance and regulations, and mitigating measures, ad hoc discussions at the event of a cyber threat are no longer enough to keep bad actors at bay. There must be committed efforts to keep the board regularly updated by following a well-oiled framework, which we will discuss in the next chapter.