Creating a Cybersecurity-Savvy Board

SEP 18, 2019

A Ready-To-Use Framework For Intelligent & Holistic Engagement

As our digital environment continues to expand, there is much to celebrate in the human advancements that are both the cause and the effect of this trend. Just a few of the obvious advancements that make our lives easier and more fulfilling include increased communication speed, social connectivity, accessible education, remote working opportunities, and all types of helpful automation. Yes, I know this list is woefully light, with so many other examples available. With all of the upside, however, it is sometimes easy to overlook the negative side of so-called advancement. As quickly as digital upside can occur, just as quickly can a potential digital downside be encountered. For a Board, the downside of our digital environment typically rears its ugly head in the form of the cybersecurity topic.

Although cybersecurity is a huge buzzword in the boardroom, it remains a foggy and ever-morphing challenge for many organizations ...but how is this possible, you ask? Data security has become ubiquitous along with risk and reputation, so how is it that something that can instantaneously affect brand and shareholder value remains such a challenge? Opinions still vary on the definitive need for cybersecurity experts on specific Boards, but there is a general consensus among Boards, management, and investors that this need is increasing. A Forrester Consulting Thought Leadership Paper commissioned by BitSight, entitled 'Better Security And Business Outcomes With Security Performance Management', which polled 207 security decision-makers with responsibility for risk, compliance, and/or communications with Boards of Directors to explore this topic, tells a sobering story for those still unconvinced. The study evaluated how security leaders measure their enterprise’s security performance and states, "...more than one-third of companies agree that they have lost business due to either a real or perceived lack of security rigor. Additionally, 82% of decision makers agree that the way customers and partners perceive security is increasingly important to the way their firm makes decisions."

Boards are generally answering the call to infuse cybersecurity expertise into their immediate circle as the steady news stream of data breaches, fines, and subsequent social media tidal waves swirls. What is interesting with this trend, however, is how the application of both strategy and governance of the cybersecurity topic typically remains with only one Board Member (the cybersecurity expert), even when the Board makes the deliberate effort to tackle the issue. In other words, with cybersecurity being such a specific knowledge and skillset area, the question must be asked: how is it even possible for other Board Members, some with no technology or data security background, to institute proper 'checks and balances' as well as intelligently be part of the discussion? "The single biggest weakness in Board oversight of Cyber risk is that Cybersecurity is treated as a black magic where only the initiated can participate. Since most Board Members believe they are not initiated, they exclude themselves from trying to understand," states Alex Beigelman, CEO at Beigelman Risk Advisors and Chairman Of The Board at The National Cybersecurity Society. "The truth is that Cybersecurity and Cyber risk are only different because they are presented in arcane and highly technical language. The issues can and must be explained in a way any Board Member can understand. The task, therefore, is not to make every Board Member a Cyber expert, but to bring in advisors who can remove the secret veil and inform rather than mystify."

Savvy Board Directors know that a key component of their success, and the success of the organizations they serve, is in asking the right questions (remember that questions relating to process and measurement can be most beneficial in the boardroom). They also know that an emergency doesn't have to be an absence of choice. These concepts remain absolutely true for Board Directors when 'probing' in the cybersecurity area, too. Whether you are a cybersecurity expert or technologically clumsy, a cybersecurity framework is a great reference point to channel your thoughts into logical 'buckets.' By understanding a cybersecurity framework, your purpose and direction can become quite clear at any knowledge level. A great cybersecurity framework can be referenced within the National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce. From their 'New To Framework' webpage, their charter is clear by stating, "Recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST’s EO 13636 role."

Framework Components

The NIST framework is unique in that it caters to both the cybersecurity expert AND the cybersecurity novice simultaneously - by design. The Cybersecurity Framework consists of three main components: the Core, Implementation Tiers, and Profiles.

The Framework Core provides a set of desired cybersecurity activities and outcomes using common language that is easy to understand. The Core guides organizations in managing and reducing their cybersecurity risks in a way that complements an organization’s existing cybersecurity and risk management processes.

The Framework Implementation Tiers assist organizations by providing context on how an organization views cybersecurity risk management. The Tiers guide organizations to consider the appropriate level of rigor for their cybersecurity program and are often used as a communication tool to discuss risk appetite, mission priority, and budget.

Framework Profiles are an organization’s unique alignment of their organizational requirements and objectives, risk appetite, and resources against the desired outcomes of the Framework Core. Profiles are primarily used to identify and prioritize opportunities for improving cybersecurity at an organization.

Framework Implementation Tiers

Tiers describe the degree to which an organization’s cybersecurity risk management practices exhibit the characteristics defined in the Framework.

The Tiers range from Partial (Tier 1) to Adaptive (Tier 4) and describe an increasing degree of rigor, how well integrated cybersecurity risk decisions are into broader risk decisions, and the degree to which the organization shares and receives cybersecurity information from external parties.

Identify - Protect - Detect - Respond - Recover

A further step-by-step lifecycle breakdown of the framework (Identify, Protect, Detect, Respond, Recover) is likely most helpful for non-cybersecurity Board Members. Understanding the path and focal points of how robust cybersecurity programs operate can work wonders in becoming a helpful Board Member when it comes to weighing in and participating intelligently.

So, let's make all of this implementable with a few examples of how a Board Member can leverage an agreed cybersecurity framework and lifecycle for their benefit and for the benefit of the organization. When discussing the overall cybersecurity program, or a specific component, in the boardroom:

  • For non-cybersecurity Board Members: 
    • Listen carefully to the discussion to pinpoint which lifecycle 'step' is being addressed (identify, protect, detect, respond, recover). This will give you a footing on which specific area is being referenced. 
    • Look for lifecycle steps that are rarely touched on or breezed through; these point to gaps in the needed holistic cybersecurity process. For example, if the topics of identify, protect, and detect are frequently discussed, focus your questions on the readiness and robustness of the respond and recover lifecycle steps. Always consider the balance of all areas to ensure a holistic program.
    • Come to the boardroom more prepared! Further your knowledge through programs, courses, and workshops that specifically address the governance aspects of properly implemented cybersecurity programs.
  • For cybersecurity Board Members: 
    • Structure your discussions on the cybersecurity topic mindfully by first calling out the lifecycle step that you are addressing (identify, protect, detect, respond, recover). This helps to create a visual reference point for all Board Members at any level of cybersecurity knowledge. 
    • Aim to level the 'technology speak' to layman's terms to ensure understanding at all levels of technology and cyber awareness.

When an entire Board increases its cybersecurity awareness, knowledge, and information sharing approach, it exponentially lowers the overall organization's risk. "Enterprises with mature response and resolution of cyber attacks will have a better chance to absorb impact of the compromise," states Ondrej Krehel, CEO of LIFARS, a cybersecurity firm based in New York City. "Executives should focus on gaining visibility and auditability of cyber incidents, including potential attacks. It is important to have a true understanding what data are being targeted and why." In the true spirit of Board Director (and collective Board) continuing education, why not focus some needed effort in the cybersecurity area?

How are you prioritizing Cybersecurity Savviness within your Board?

Reach out directly to Mark A. Pfister to discuss creating Board Cybersecurity Savviness with his 'Strategy Workshop' offering and National Speaking Tour topics.