A new report recommends that corporate boards answer four key questions on a regular basis to guide cybersecurity governance.
There is no dashboard or set metrics for managing cybersecurity. The attack surface is so broad and the potential threats are so fast moving that traditional rules don’t apply. Not only do corporate board members and CISOs have to run to keep up with a moving target, they need a whole new approach to understanding the issue.
Booz Allen Hamilton and The Center for Long-Term Cybersecurity (CLTC) at the University of California, Berkeley might have the answer in a new report, “Considerations for Effective Oversight of Cyber Risk.” The report was written by Bill Phelps, executive vice president and commercial business lead at Booz Allen Hamilton; Ann Cleaveland, executive director of the CLTC; and Steve Weber, faculty director of the CLTC.
During the summer of 2019, the team interviewed 20 corporate board members from communication services, consumer goods, the financial industry, health care, utilities, information technology, and real estate. The goal was to assess their beliefs, practices, and aspirations on cybersecurity governance.
Board members said cybersecurity is an existential risk for businesses and they want to understand the issue because problems are growing faster than they are being solved.
The report recommends defining a security posture that reflects a company’s priorities and risk tolerances. Corporate boards should use a list of four questions of “dynamic tensions” to do this and revisit the list frequently to measure changes in risk, regulation, and internal expertise.
CISOs need to develop deep working relationships with board members and find new ways to educate them on current risks and future ones. CISOs should work with the board to answer these four questions:
1. What is our overall risk model for governing cybersecurity?
2. Where, how, and when do we access the expertise to understand the risks?
3. Is collaboration or competition our preferred approach with industry partners?
4. How do we share and exchange information on cyber with management and the CISO?
The key is to ask and answer these questions frequently to “multiply the upsides and de-risk the downside” of a company’s approach to managing security. The report found that there is no one right answer to the questions and that the best answer changes over time:
“There are no optimal landing spots that can be calculated given a known set of parameters. Dynamic tensions are, in fact, dynamic, as the terms of the relevant trade-offs are in motion. We articulate the most salient strengths and weaknesses associated with particular choices along each of the tensions.”
The report recommends that corporate boards use this framework to oversee and govern cybersecurity in the enterprise right now and as new threats and regulations emerge.
Future goals for cybersecurity
Once a company decides how much tension is tolerable, the next step is to build for the future.
The report sets several cybersecurity stretch goals:
- Integrate cybersecurity and innovation to imagine positive outcomes, not just worst-case scenarios
- Work with regulators to improve the overall cybersecurity environment
- Establish the difference internally and externally between privacy and cybersecurity
- Define clear roles for CISOs and chief privacy officers and identify when their domains intersect
- Push cybersecurity thinking into product-level processes and treat customers and clients as responsible partners
Companies that take this approach, they said, will truly be improving corporate resilience by building a system that evolves over time and emerges stronger than it was before.
To start developing a cybersecurity governance approach, the report offers guidance on how to decide how much tension a company can tolerate in each of the four components.
#1: Standard risk management or existential threat?
This first dynamic tension is the most important governance decision: Is cybersecurity just another category of risk or does it need its own special designation? The report found that few directors think that cybersecurity can be integrated into existing enterprise risk management systems. This governance choice is highly influenced by external events that reveal unexpected vulnerabilities and costs.
To pick an approach, boards first have to figure out who is responsible for managing risk within an organization and then determine whether these responsibilities should be centralized or decentralized.
These complexities are part of the reason no one is ready to implement “security by design,” according to the board members interviewed for the report.
Boards that want a more traditional approach should promote cyber risk to a high level within the hierarchy for enterprise risk and clearly define expectations for the chief information security officers as compared to the chief risk officer.
If the board sees cybersecurity as an existential threat, members should prioritize due diligence of cyber risk in the supply chain and develop a culture of preparedness and stress-testing including semi-worst-case scenarios.
#2: Who is the expert?
The decision here is about who should be responsible for security on a corporate board—one designated board seat or the entire board. The report found that the majority of directors believe all board members need significant cybersecurity knowledge to do their jobs.
One director compared the situation to managing a baseball team: A team can perform well with a mix of highly specialized players who play one position and semi-specialized players who can play more than one. The challenge is knowing when a company needs a specialist and when a generalist will do.
One disadvantage of distributing the responsibility is that many directors have the wrong mindset to think creatively about security:
“… security professionals and the cybersecurity world generally often benefit from a different mindset, as they learn to think like a ‘bad actor’ and find ways to break things and make systems fail, which is a different mindset and culture.”
Companies that lean toward broad responsibilities for security expertise should look to third parties for specialized knowledge and to avoid group-think traps. The report also recommends assigning specific oversight tasks to committees to set clear accountability.
For boards that prefer having a cyber expert take the lead, the group should prioritize full board discussions of cyber oversight and hire external subject matter experts to test and improve internal expertise.
#3: Is the default competition or cooperation?
There was a lot of uncertainty around this element of cybersecurity governance with board members seeing pros and cons for both approaches. Board members also think that antitrust and competition law and policy are creating barriers to more active collaboration and provision of collective cybersecurity goods.
On one hand, board members see value in using competitive pressure to encourage companies to innovate. The downsides of a competitive approach are that claiming a security advantage could make a company a prime target for attackers, and that firms depend on one another’s security in the overall ecosystem.
There is a self-preservation advantage to a cooperative approach in that shunting risk to a competitor might turn into a problem later.
For a board that leans toward competition, the report recommends that companies measure return on security investments beyond protection and integrate privacy and security-by-design in product development.
If the idea of a collective good is more powerful, companies should actively invest in information sharing capabilities across private and public sectors and measure “herd immunity,” the health of the overall security ecosystem.
The report emphasizes that this is not an either/or choice and strategy around this component is more subtle and fluid than it appears.
#4: Is high touch or arm’s length more effective?
The report found that no one has this one figured out yet. One of the biggest challenges is picking metrics that are both useful right now and can remain relevant as the threat landscape changes.
Board members said that the speed of change and adaptive adversaries add even more complexity.
Boards that prefer metrics should choose a consistent framework but allow the measurements to evolve and supplement quantitative metrics with integrated qualitative aspects.
Directors who prefer governance by walking around should make it easy for management and employees to expose cybersecurity risks and take a “trust but verify” approach with the CISO.
The report also called out a lack of imagination from board members in thinking about innovation:
“We are confident that if we had interviewed a group of prominent cyber-criminals and nation-state agencies with offensive cyber roles, discussions about rapid and ambitious innovation would have been much more prominent.”
The Center for Long-Term Cybersecurity is a research and collaboration hub that helps individuals and organizations address tomorrow’s information security challenges to amplify the upside of the digital revolution.