Bridging the gap between board governance and IT security teams
By Jim Jaeger
Today’s cyber criminals are highly sophisticated and constantly morphing their methods and attacks, presenting new risks to the organization on a daily basis. Confronted with the real potential of financial loss, brand and reputation damage, loss of intellectual property, reduction in customer confidence, and the costs of litigation, the risk of cyber breaches is clearly an area of heightened focus in the region. Against this backdrop, now more than ever, it is critical that those responsible for corporate governance of cybersecurity and those responsible for the day-to-day defense against threats work together to protect the organization from harm.
Unfortunately, significant gaps in knowledge, visibility and trust between the two groups are jeopardizing the ability to quickly, efficiently and effectively respond to cybersecurity threats, thus leaving the organization more vulnerable to a breach.
Cybersecurity is unquestionably a core component of corporate governance; however, many boards remain behind the curve when it comes to their ability to respond to cybersecurity risk and provide proper oversight. According to research by the Ponemon Institute, while 76 percent of boards review or approve security strategy and incident response plans, 41 percent of board members admit that they lack cybersecurity expertise and 26 percent said they have minimal or no knowledge of cybersecurity. This deficit makes it difficult for board members to understand whether the security practices in place adequately address the risks faced by their organization.
Despite lack of cybersecurity knowledge, 59 percent of board members believe that their firms’ cybersecurity governance practices are effective, while only 18 percent of IT security professionals believe the same. The significant difference in opinion between the two groups is likely a result of the board’s lack of information about threats and defense, network compromises and response activity, as well as breach data. Further, although cybersecurity governance is on 65 percent of boards’ agendas, the report shows that most members were unaware if their organizations had been breached in the recent past. The board’s lack of knowledge has created a further trust divide. Nearly 60 percent of IT security professionals believe that the board does not understand the cybersecurity risks of the organization, compared to 70 percent of board members who believe that they do.
Board members’ overconfidence in the effectiveness of cybersecurity governance further widens the gap. Seventy-nine percent of boards, for example, believe that they are very effective in dealing with cyber risk versus 42 percent of practitioners.
Bridging these gaps is vital in protecting the organization and its customers from harm.
Bridging the Knowledge Gap
Cyber literacy can be equated to financial literacy. While not everyone on the board is an auditor, it can be reasonably expected that all directors can read a financial statement and understand the financial language of business. The same holds true for cybersecurity. Board members don’t need to be cyber experts, but they should have a thorough knowledge of the risks that their organizations face and provide the support needed by IT security professionals to protect against those risks.
Bridging the Visibility Gap
The primary distinction between successfully recovering from a cyber breach versus sustaining significant damage is the speed with which an organization is able to identify and contain the spread of the damage.
- Establish Two-Way Communications: Company management can bridge the visibility gap through regular communications regarding the current status of cybersecurity to the risk committee and the board as a whole. Care should be taken to avoid data overload and to keep the dialogue focused on board issues. In addition, the security leadership should consider presenting a summary report on incident trends at every risk committee and board meeting.
- Establish Consistent, Formalized Reporting: To foster transparency and establish common knowledge, companies would do well to formalize bi-directional sharing of information between the board and company management, including the CISO. The creation of such a board-level reporting system gives directors timely and usable information necessary to make reliable high-level evaluations of the company’s cybersecurity status and risk profile.
- CISO Must Speak the Language of Business: The language in the boardroom is business. Everyone from the CEO and CFO to the other board members must speak the same language. In order for CISOs to have a stronger voice and be understood in the boardroom, it is vital that the CISO speak the language of business as well.
Bridging the Trust Gap
Organizations face a world of continuous compromise. Threat actors, sometimes sponsored by nation states, are highly sophisticated, well-funded and patient. While prevention serves as a meaningful and necessary deterrent, no preventive solution is 100 percent effective. In short, if they target your organization, they will at some point penetrate your defenses. Boards must recognize this fact and be ready to focus on mitigating and remediating the damage.
- Create Shared Understanding and Experience: Mutual trust between board members, company management and IT security professionals is vital for effective governance and breach response. It sets the foundation for open communication between these groups and allows an organization to move forward with agility and responsiveness in finding and remediating potential security breaches.
- Move Beyond the “Blame Game”: Empowering the CISO and his or her team to protect the organization from cyber-attacks begins with moving beyond the “blame game” and shifting to a mindset of preparedness, effective governance and teamwork based on mutual trust.
In moving forward, organizations would do well to examine the role that their boards play in cyber-risk governance and determine how best to bridge the gaps in knowledge, visibility and trust that exist between the two groups. The enemy is too focused, patient and persistent for today’s organizations to settle for anything less.
Jim Jaeger is the chief cyber strategist at Fidelis Cybersecurity and a retired Brigadier General in the U.S. Air Force.