Chapter 1
Cyber Expertise in the Boardroom
Every organization, no matter its size, has undergone a massive transformation in the last two decades. It is now impossible to thrive without embracing information technology, and even those entities that dragged their feet initially have been fundamentally changed by computers – from how they invent, develop, and manufacture products, to how goods are marketed, sold, and distributed, to how employees are hired, managed, and supported. Nearly every detail of a modern business is now stored on and run through computers.

And, to drive this change, companies have hired people with deep knowledge in these areas. Many board members have been selected because they bring expertise in driving this positive digital transformation. At this point, all board members are expected to advise on how to deliver positive business results within these new technical constructs.

But most organizations, including at the board level, have been slower to embrace an understanding of the downside risks associated with this fundamental shift to a digital world. Only in the last couple of years have boards started to really dive into and appreciate the risks associated with business models that involve placing the company’s crown jewels on computers that are connected to the open internet. And now, with ever more stories of security issues significantly harming organizations, and regulators starting to bring the heat, the time has come for every boardroom to demonstrate a minimum level of cyber expertise. 
Points of View
The role of the board is to supervise the organization and ensure the long-term sustainability of the entity. To do that well, the board must be made up of individuals who collectively are capable of properly identifying and calibrating all of the risks and opportunities presented to that institution.

Cyber security risk has grown dramatically as a result of digital transformation, and every board must now actively engage on the topic, with a sufficient level of expertise to meet the expectations of the shareholders who are counting on the board to protect their interests.

Boards often struggle with cyber risk analysis because there is no simple, objective framework for measuring it. Cyber risk is hard to quantify from an impact standpoint (it is often more about brand impact than direct customer impact), regulators have struggled to provide clear guidance and expectations, the cyber security product industry is immature (and often more focused on selling smoke and mirrors than quality products), and the cyber security profession has so far struggled to develop C-level talent.

Boards must invest in developing the appropriate level of expertise, either through training existing members or onboarding new members with the appropriate level of expertise. Every board should have at least one member who is qualified and designated as the lead on cyber security risk. 

Boards must ensure that their organizations invest appropriately in cyber security defenses. That starts with developing an understanding of the specific information security risk profile of their organization and ensuring that it meets a minimum acceptable standard. This should include an objective and structured process for engaging with operating functions within the company to measure progress on cyber risk and ensure the entity is on a path to continued improvement.  
Supporting Information and Decision Matrix
It is not easy to evaluate the cyber security posture of any organization. An effective risk analysis requires an understanding of the unique technology footprint of the organization, the third parties that the organization relies on or connects with digitally, the specific assets that are most at risk, the threat actors most likely to target the organization, the industry-specific security frameworks that have been developed, and the formal and informal expectations of regulators.

When evaluating cyber security risk, the board needs to focus on economic impact and reputation. From the economic standpoint, threats should be categorized in a way that addresses business continuity risk as well as loss of assets, and that also considers financial penalties imposed by regulators or through litigation.

There are many different programs and approaches for evaluating cyber risk, but a general framework that can help drive dialogue within the organization, and that has been fairly widely adopted in recent years, is the NIST (U.S. National Institute of Standards and Technology) Cybersecurity Framework. This approach encourages entities to think about five key functions: how to identify risks, protect against harm, detect problems, respond to incidents, and recover quickly and effectively. (Version 2.0 of the framework, published in 2024, adds a sixth function, Govern, which speaks directly to the board's oversight role.)
Case Study
Too often when we think about cyber risk, we focus only on external threats to the organization. While cyber-attacks from the outside are common and important to address, good cyber security starts with proper internal controls. Board members should therefore think about cyber security in the same way that boards have long been trained to think about financial controls. A good starting point is to adopt security standards that mirror what SOX has long required of financial controls.

A good case study demonstrating the importance of a board requiring strong internal cyber controls is the collapse of the FTX Group in November and December of 2022. This case made headlines because of the massive amount of money at risk and the fact that regulation of the cryptocurrency world remains in its infancy. But a functioning board is responsible for oversight regardless of the external standards, and basic controls are important in every organization.

At first glance you might wonder why FTX is listed as a cyber security case study, but you only need to peel back a little of the onion to understand why. When John Ray, the new CEO brought in to resolve the open issues for the debtors, was called shortly after he started to testify before Congress on what went wrong, his written list of the institution's failings began with two security issues. He cited as fundamental failings:

  • The use of computer infrastructure that gave individuals in senior management access to systems that stored customer assets, without security controls to prevent them from redirecting those assets.   
  • The storing of certain private keys to access hundreds of millions of dollars in crypto assets without effective security controls or encryption. 
Both of these are foundational cyber security controls: least-privilege access to the systems that hold customer assets, so that no single individual, however senior, can redirect them alone, and protection of key material at rest. Had FTX maintained these controls, both issues would have been in a fundamentally different place.
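The two controls named in the testimony can be made concrete. The following is an added illustration written for this chapter; it is not FTX code or any real exchange's code. It shows (1) a wallet signing key that is never stored in the clear but wrapped under a passphrase-derived key, and (2) a two-person rule under which moving customer assets needs two distinct approvers holding a treasury role, with the requester excluded, so that seniority alone grants no bypass. All names (principals, roles, passphrase, amounts) are constructed for the example. A production custodian would keep the key in an HSM or KMS and use an AEAD such as AES-GCM; the HMAC-based stream cipher here is a standard-library stand-in so the example runs offline.

```python
"""Two foundational custody controls, as an added illustration (hypothetical
code, not FTX's or any real exchange's):
  (1) key material is wrapped under a passphrase-derived key, never stored
      in plaintext;
  (2) a withdrawal of customer assets needs two independent treasury
      approvers, neither of whom is the requester.
Stdlib only: scrypt for key derivation, HMAC-SHA256 in counter mode plus an
encrypt-then-MAC tag as a stand-in for a real AEAD / HSM."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field


# ---- Control (2): key material protected at rest ---------------------------

def _derive_kek(passphrase: bytes, salt: bytes) -> bytes:
    # scrypt turns an operator passphrase into a 32-byte key-encryption key.
    return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for AES-GCM (see module docstring).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(private_key: bytes, passphrase: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag. The plaintext key never hits disk."""
    salt, nonce = os.urandom(16), os.urandom(16)
    kek = _derive_kek(passphrase, salt)
    enc_key = hashlib.sha256(b"enc" + kek).digest()   # separate keys for
    mac_key = hashlib.sha256(b"mac" + kek).digest()   # encryption and MAC
    ct = bytes(a ^ b for a, b in zip(private_key, _keystream(enc_key, nonce, len(private_key))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def unwrap_key(blob: bytes, passphrase: bytes) -> bytes:
    """Verify the tag first (encrypt-then-MAC), then decrypt; raise on any mismatch."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    kek = _derive_kek(passphrase, salt)
    enc_key = hashlib.sha256(b"enc" + kek).digest()
    mac_key = hashlib.sha256(b"mac" + kek).digest()
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("key blob failed integrity check (wrong passphrase or tampering)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


# ---- Control (1): no single identity can move customer assets --------------

@dataclass
class Withdrawal:
    requester: str
    amount: int
    approvals: set = field(default_factory=set)


class CustodyPolicy:
    """Two-person rule: approvers must be distinct, must hold the 'treasury'
    role, and may not be the requester. An 'exec' role grants no bypass."""

    def __init__(self, roles: dict, required: int = 2):
        self.roles = roles        # principal -> set of roles (constructed data)
        self.required = required
        self.audit = []           # every decision is recorded, accepted or not

    def approve(self, w: Withdrawal, approver: str) -> None:
        if approver == w.requester:
            self._log(w, approver, "rejected: self-approval")
            return
        if "treasury" not in self.roles.get(approver, set()):
            self._log(w, approver, "rejected: approver lacks treasury role")
            return
        w.approvals.add(approver)
        self._log(w, approver, "approved")

    def can_execute(self, w: Withdrawal) -> bool:
        return len(w.approvals) >= self.required

    def _log(self, w: Withdrawal, who: str, outcome: str) -> None:
        self.audit.append(f"{who} {outcome}: withdrawal of {w.amount} requested by {w.requester}")


def demo() -> dict:
    """Constructed scenario: the CEO alone cannot move funds; two treasury
    officers can. Returns the outcomes so they can be checked."""
    roles = {"ceo": {"exec"}, "alice": {"treasury"}, "bob": {"treasury"}}
    policy = CustodyPolicy(roles)

    key = secrets.token_bytes(32)                      # stand-in for a wallet key
    blob = wrap_key(key, b"operator passphrase")
    stored_in_clear = key in blob                      # must be False

    w = Withdrawal(requester="ceo", amount=500_000)
    policy.approve(w, "ceo")                           # self-approval is rejected
    ceo_alone = policy.can_execute(w)
    policy.approve(w, "alice")
    policy.approve(w, "bob")
    return {"ceo_alone": ceo_alone,
            "dual_control": policy.can_execute(w),
            "stored_in_clear": stored_in_clear,
            "roundtrip": unwrap_key(blob, b"operator passphrase") == key,
            "audit_entries": len(policy.audit)}


if __name__ == "__main__":
    print(demo())
```

The point for a board is not the code but the two properties it enforces: nothing in the audit log shows a single person moving customer funds, and nothing on disk contains the key in a form usable without a second secret. Those are the questions to put to management.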

Guidance in Practice

The board cannot wait for the operations teams within the organization to initiate dialogue around cyber security risk. The board must insist on minimum elements of a program. These should include:
 
  • A structured process of communication between the board and operations teams within the company (covered in Chapter 2), both around ongoing improvements and (importantly) crisis situations.
  • A defined role for board members in governance of cyber risk (covered in Chapter 3) and structured approaches to relationships with internal stakeholders such as the CISO (covered in Chapter 5) and mandatory forms and times of communication about cyber risk (covered in Chapter 6). 
  • An agreed framework for measuring risk that addresses technical, organizational and operational issues. 
  • A process for evaluating where and how much to prioritize future investment. 
  • Mechanisms for holding the operations teams accountable for continuous improvement (covered in Chapter 4).