Let me give you a real-world example of why corporate governance matters when it comes to cybersecurity.
A large, Asia-based supply chain company asked our firm to do a thorough penetration test of their networks as part of what they assumed would be a routine due diligence exercise. But we discovered that an expensive monitoring solution was not achieving its intended goals, and the CEO’s system was exposed. Leadership was shocked to learn this, prompting an urgent rethinking of how to restructure cyber governance and remove reliance on the internal IT team to solve security problems.
Unfortunately, this is happening far too frequently. Boards are playing catch-up when it comes to prioritizing cybersecurity as a vital governance issue. A 2018 global study of more than 1,000 board members conducted by McKinsey indicated that cybersecurity was a “potential business disruption” topic on the agendas of only 37% of boards.[1] The good news is that figure represents a nearly 50% increase in just the past two years; the bad news is that cybersecurity remains a dangerously weak area of understanding for boards in assessing its potential impact on business operations.
Business leaders have to step up in making cybersecurity a more prominent element in corporate governance. But how?
There are four major areas where corporate governance needs to evolve when it comes to cybersecurity:
- Inverting the cybersecurity leadership responsibilities.
- Adopting and “living” the right cybersecurity framework.
- Addressing the organizational structure.
- Getting smarter so business leaders can ask the right questions.
Inverting the Cybersecurity Leadership Responsibilities
Cybersecurity has traditionally been designed with a bottom-up approach. In that model, individuals tasked with securing IT systems identified technical solutions to protect the infrastructure, applications, and data. Organizations spent untold billions of dollars on technology, only to find that it wasn’t enough to stem the impact of expanded threats, increased vulnerabilities, and innovative attackers.
Instead, the cybersecurity governance model needs to be inverted to a top-down approach. This is the essential definition of organizational leadership:
- Understand and identify the challenges and opportunities.
- Establish priorities.
- Promote collaboration and innovation around solutions.
- Lead by example.
If implemented correctly, a top-down governance framework will eliminate most threats and provide a mature, defensible, and flexible structure for protecting sensitive data. In the GRC realm, it will also help to ensure compliance, establish good legal protections, and encourage good cybersecurity hygiene among employees, partners, and suppliers.
Adopting and “Living” the Right Security Framework
Security frameworks are important because they embrace the full set of issues necessary for good cybersecurity: business operations, legal, regulatory, risk management, and technical processes.
While there are numerous good frameworks available for leadership to evaluate, the most relevant and actionable one comes from the U.S. National Institute of Standards and Technology (NIST). This voluntary framework is the most broadly accepted and most widely implemented around the world, and has its foundation in five pillars:
- Identify the assets to be protected.
- Protect those assets with the proper safeguards.
- Detect incidents quickly, reliably, and comprehensively.
- Respond to incidents in a way that minimizes their impact.
- Recover from incidents and restore business operations as soon and as completely as possible.
The real power of the NIST model from a governance standpoint is that it creates an opportunity—or, depending on your sense of urgency—it provides a flexible framework for executives and board members to mandate internally and to use to hold business units accountable.
Addressing the Organizational Structure
It has often been said that you can learn a lot about any organization’s priorities by looking at its org chart. This is becoming more and more true every day in the realm of cybersecurity governance.
Increasingly, corporate leaders are driving change by rethinking and realigning who is responsible for cybersecurity and how the role is positioned within the enterprise. For instance, the idea that physical security, internal investigations, and cybersecurity should be merged into a single organization reporting directly to the board is gaining in popularity, and has many advantages.
There is little question that announcements of changes in reporting structures make people sit up and take notice. Some of that is office politics, but much of it centers on the notion of what—and who—is gaining importance within the organization.
Getting Smarter So Business Leaders Can Ask the Right Questions
It’s important to remember that security is a business issue, not a technical one. While we need the right technology, cybersecurity practices and policies must be planned, measured, and governed against business benchmarks.
Doing that requires strong, vocal, visible, and constant support from business leaders and the board. But it also requires top management and board members to put more energy and resources into expanding their own knowledge about cybersecurity’s impact on their business. Remember: You can’t get the right answers if you ask the wrong questions. Or, in the context of this article, you can’t govern if you don’t know what you’re supposed to be governing.
Some people have gone as far as to recommend that every board should have at least one member with extensive cybersecurity expertise in order to “keep the CSO honest.” That concept may have some merit, but it still involves most board members and executive leaders turning to the “one wise man (or woman) in the room.”
What Boards Should Do Now
First, the board needs to understand what cyber threats exist inside their organizations. A good starting point would be to obtain a report on current cyber threats impacting their industry and some recommended safeguards.
Second, keep in mind that employees are almost always targeted for attacks. Board members need to receive regular updates on the level of staff security awareness through steps like controlled phishing exercises.
Third, internal and external resources should be deployed to regularly hunt for threats already on the networks but undetected, rather than simply relying on metrics around detected security events. Experience has shown us that attackers are often already inside networks for many months before real damage takes place.
Corporate governance has changed a lot in recent years, driven by such issues as increased regulatory oversight, more active and involved board members, and a need to apply healthy doses of both skepticism and support in an increasingly complex business environment.
And cybersecurity may be the single biggest thing to reshape corporate governance in decades.
Taking a more business-centric, inclusive, top-down approach to cybersecurity corporate governance will take us a long way toward achieving our respective organizations’ goals. When cybersecurity is considered as a business issue, rather than isolated as a technical problem that has to be solved by technical people using technical tools, we will have a much greater chance for success.
Paul Jackson is managing director and Asia-Pacific leader for cybersecurity and investigations at Kroll. This article has been excerpted from Navigating the Digital Age, Second Edition, published by Palo Alto Networks.
[1] “A time for boards to act,” McKinsey, March 2018.