Today more than ever, cybersecurity is everybody’s business, and savvy board members will want to be at the vanguard of those committed to cyber preparedness. That was the key takeaway from an executive roundtable hosted by Palo Alto Networks, at the Yale Club, in New York City on June 27.
The challenge, of course, is for members of the board to gain insight into the issues without getting involved in day-to-day decisions.
“As a board member, your nose should be in it, but your fingers should be out,” said Ed Stroz, cybersecurity specialist, former FBI agent, and co-president of Stroz Friedberg. Stroz was one of the featured experts at the event, along with:
- Lisa Sotto, chair of the global privacy and cybersecurity practice at the law firm Hunton & Williams;
- Kal Bittianda, Global Head of the Information Security practice at Egon Zehnder, where he focuses on technology;
- Rick Howard, chief security officer at Palo Alto Networks.
Sotto set the stage for the conversation by noting that the responsibilities for board members shifted dramatically in 2013 after the data breach that affected more than 40 million customers of Target Corp.
“At Target, the CEO resigned and seven of 10 board of director members were threatened with ouster,” Sotto said. “That was the line in the sand.”
Since Target, the focus of regulators has shifted, to some degree, from privacy to notification of data breaches. In New York State, for example, companies are required to report a breach within 72 hours, and the company must certify annually that it will be compliant. This, Sotto noted, is similar to the GDPR (General Data Protection Regulation) rules that go into effect in Europe next May.
Sotto stressed that cybersecurity is not a technology issue, but a strategic risk issue. With that in mind, she posed several questions of particular interest to board members:
- Should the board form a cyber committee?
- Should the board form an audit committee?
- Should there be executive sessions between the board and the chief information security officer (CISO)?
- How can the board ensure that the proper resources are devoted to cybersecurity issues?
These questions precipitated a lively exchange among the speakers and the nearly 20 board members in attendance, representing a broad cross-section of industries, including financial services, insurance, healthcare, travel, pharmaceuticals, and entertainment.
During the compelling discussion, which lasted more than three hours, participants cited challenges and examples from their own industries and experiences. Key issues raised were:
The board and the CISO
When looking for the right person for the CISO role, managerial experience is more important than encryption expertise, Stroz suggested. One attendee said that boards are starting to bring in experts to help them ask the right questions. But, she noted, “that’s a lot of pressure to put on one person.” Another attendee said CISOs can get mired in tech talk, which limits their ability to communicate effectively with the board. To be more effective, they need to be able to speak clearly to the needs of the business.
Bittianda said there is no lack of awareness about cybersecurity in the boardroom, but the amount of attention paid by the board can be shaped by the industry or whether the company has a culture of security. “If the CISO and CIO aren’t pushing it,” he said, “the conversation isn’t happening.” One attendee said board members always try to exercise independent business judgment—but they need to know what questions to ask. “In life, you only get in trouble when you don’t know something,” he said, adding, “What are the right business questions to ask around cybersecurity? If that was clear, then the board could play more of a role.”
Boards taking on an active role
Another attendee said she is on the board of a bank that formed a technology committee. The plan is to have interactive sessions with the audit committee and then a joint session with the governance and risk committees. Importantly, she said, the CISO is present for all committee meetings. Another vital task for the board is to understand how cybersecurity is addressed structurally within the company. One attendee said the CFO should be actively involved to ensure that spending commitments are set aside and/or mandated.
WannaCry’s teachable moments
Sotto said companies should be aware of their “crown jewels.” Not all data is equal, she said, so companies need to determine what is most important, what must be backed up, and what must be recoverable within what time frames. Howard of Palo Alto Networks suggested that companies reduce the material risk and cost: “Measure how many people have to respond to an incident. That’s a good key performance indicator. Automate as much as you can so you can focus on the things that matter instead of chasing your tail.”
The session concluded with an open-ended discussion focused on the chief concerns of the board members in attendance. Here are some of the highlights:
- Clarity, please: “We need to know enough about what questions to ask. There’s so much jargon that board members are becoming numb.”
- Communications: “We need a common language. CISOs are selling features and buzzwords.”
- Understanding risk: “Where does the risk emanate from? How do you set the right tone and create limits?”
- M&A: “M&A doesn’t always include cybersecurity and privacy. It’s important but is sometimes forgotten: Does the company even own the data that is being valued?”
- Best practices: “There are great frameworks for self-assessments, but boards lack a framework. What do best practices even look like from a board perspective? We need a framework to go back and say ‘here’s an industry standard.’”
- Being better informed: “We get lots of conversation that is not useful and does not help us do our jobs. As directors, we’re exposed to corporate and personal risk and I may not even know if our company has cybersecurity insurance.”
Attacks such as WannaCry and Petya show us with great clarity that companies are facing cybersecurity challenges that are more sophisticated, coordinated, and potentially crippling than ever before. If you are on the board of directors of any company in any industry, you have a duty and responsibility to understand what company leadership is doing to mitigate risk. Your future, and the future of the company, depends on it. If you are a security executive who must report to and inform your board, pay heed to what it is they want to know and how they need to know it.