“The most important attribute for a board member to have regarding cybersecurity is intellectual curiosity.” This was the feedback from our day-long discussion at the New York Stock Exchange’s Cyber Risk Board Forum, held during the recent RSA 2016 conference in San Francisco. Starting the day with NSA Director Admiral Michael Rogers, a select group of board members and CEOs were walked through an executive level cyber attack scenario, developed by Stroz Friedberg and Palo Alto Networks, and had a marquee lineup of panelists discussing topics ranging from developing a security action plan to assessing insider business risk.
During NYSE’s traditional “peer to peer” session, audience members had a chance to break off into small groups and share their views on the discussions throughout the day. For this event participants ran through an “After Action Review” to discuss lessons learned from the earlier cyber attack scenario and share any personal advice or experiences they had. Below are some of the top takeaways from board members who have faced down cyber incidents and come away smarter and stronger:
- Education is a long process, but it avoids a single point of failure. While many boards will have members who specialize in different areas of expertise, total responsibility for cyber risks cannot be pushed onto only one person. As our world becomes increasingly reliant on digitization, cyber risks and areas for IT innovation are woven into the business fabric of an organization. Learning about new technology can be difficult or even scary for many board members who don’t believe they have the expertise to ask smart questions. However, having an “intellectual curiosity” that drives education about new technology trends is a basic requirement for being a modern board member.
- When judging your cyber risk, get a second opinion. From Palo Alto Networks’ survey with Georgia Tech of board members from around the world, we found that 53% of boards sought outside experts to assist in evaluating their corporate risk. This outside perspective can be especially beneficial in cybersecurity, where internal company dynamics can hamper strong oversight. Here’s the problem: it’s tough to prove that your security investments and personnel are working well without a negative scenario that illustrates as much. If you have been hit by a successful attack, you believe you have made poor investments or your personnel are falling down on the job. But if you don’t see any damaging attacks, how do you know if you are preventing anything or just not looking for problems? Often, not looking for problems can be a much safer career move for security personnel facing a board with little understanding of how to evaluate this highly technical issue. Bringing in an outside expert can help ensure there is honest and accurate reporting that places security personnel in a position to participate in conversations on investment and risk, rather than simply cherry-picking technical metrics to prove they are doing their jobs.
- “Just the facts” is not enough. As efforts to monitor, detect, and analyze cyber threats get better every day, reporting on risk grows more convoluted. At the security operations level, this means more manual work tracking all of this data. At the board level, this means heat maps and dashboards full of highly technical jargon, with little meaning for non-security experts. Occasionally, a company will be blessed with a CISO who picked up an MBA along the way and can translate technical data into business risk language, but this is neither reliable for oversight nor scalable for all businesses. Instead, management must play an active role in looking at the economic risks associated with specific threats. This requires security personnel to be tied into the enterprise risk management process so that they can understand what is relevant and what is just noise. Done ahead of time, this can help management present the board with more digestible reporting on how their investments match up against cyber threats to the company’s bottom line.
Moving forward, Palo Alto Networks will be joining NYSE as a part of their groundbreaking “Future of Responsibility, Governance and Ethics” (FORGE) initiative to enable leaders to drive integrity and innovation around mitigating cyber risk within their organizations. To support the initiative, NYSE is assembling a hand-selected group of C-level executives and leading board directors to explore solutions to pressing business challenges.
Look for more events and insights coming soon from NYSE and Palo Alto Networks here.