A Ready-To-Use Framework For Intelligent & Holistic Engagement
As our digital environment continues to expand, there is much to celebrate in the human advancements that are both cause and effect of this trend. Just a few of the obvious advancements that make our lives easier and more fulfilling include faster communication, social connectivity, accessible education, remote working opportunities, and helpful automation of all kinds. Yes, I know this list is woefully light, with so many other examples available. With all of that upside, however, it is easy to overlook the negative side of so-called advancement. As quickly as a digital upside can occur, just as quickly can a digital downside be encountered. For a Board, the downside of our digital environment typically rears its ugly head in the form of cybersecurity.
Although cybersecurity is a huge buzzword in the boardroom, it remains a foggy and ever-morphing challenge for many organizations. But how is this possible, you ask? Data security is now discussed in the same breath as risk and reputation, so how can something that can instantaneously affect brand and shareholder value remain such a challenge? Opinions still vary on whether specific Boards need a cybersecurity expert among their members, but there is a general consensus among Boards, management, and investors that this need is increasing. A Forrester Consulting Thought Leadership Paper commissioned by BitSight, entitled 'Better Security And Business Outcomes With Security Performance Management', polled 207 security decision-makers with responsibility for risk, compliance, and/or communications with Boards of Directors, and it tells a sobering story for those still unconvinced. The study evaluated how security leaders measure their enterprise's security performance and states, "...more than one-third of companies agree that they have lost business due to either a real or perceived lack of security rigor. Additionally, 82% of decision makers agree that the way customers and partners perceive security is increasingly important to the way their firm makes decisions."
Boards are generally answering the call to bring cybersecurity expertise into their immediate circle as the steady news stream of data breaches, fines, and subsequent social media tidal waves swirls. What is interesting about this trend, however, is that both strategy and governance of the cybersecurity topic typically remain with a single Board Member (the cybersecurity expert), even when the Board makes a deliberate effort to tackle the issue. In other words, with cybersecurity being such a specific area of knowledge and skill, the question must be asked: how is it even possible for other Board Members, some with no technology or data security background, to institute proper 'checks and balances' and to take an intelligent part in the discussion? "The single biggest weakness in Board oversight of Cyber risk is that Cybersecurity is treated as a black magic where only the initiated can participate. Since most Board Members believe they are not initiated, they exclude themselves from trying to understand," states Alex Beigelman, CEO at Beigelman Risk Advisors and Chairman Of The Board at The National Cybersecurity Society. "The truth is that Cybersecurity and Cyber risk are only different because they are presented in arcane and highly technical language. The issues can and must be explained in a way any Board Member can understand. The task, therefore, is not to make every Board Member a Cyber expert, but to bring in advisors who can remove the secret veil and inform rather than mystify."
Savvy Board Directors know that a key component of their success, and of the success of the organizations they serve, is asking the right questions (remember that questions about process and measurement are often the most useful in the boardroom). They also know that an emergency doesn't have to mean an absence of choice. These concepts remain absolutely true for Board Directors 'probing' in the cybersecurity area, too. Whether you are a cybersecurity expert or technologically clumsy, a cybersecurity framework is a great reference point for channeling your thoughts into logical 'buckets.' By understanding a cybersecurity framework, your purpose and direction can become quite clear at any knowledge level. A great example is the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce; its core organizes cybersecurity activities into five functions, Identify, Protect, Detect, Respond, and Recover, which are exactly the kind of buckets a Director can use to structure questions. From NIST's 'New To Framework' webpage, the charter is clear: "Recognizing the national and economic security of the United States depends on the reliable function of critical infrastructure, the President issued Executive Order (EO) 13636, Improving Critical Infrastructure Cybersecurity, in February 2013. The Order directed NIST to work with stakeholders to develop a voluntary framework – based on existing standards, guidelines, and practices - for reducing cyber risks to critical infrastructure. The Cybersecurity Enhancement Act of 2014 reinforced NIST's EO 13636 role."
So, let's make all of this implementable with a few examples of how a Board Member can leverage an agreed cybersecurity framework and lifecycle, for their own benefit and for the benefit of the organization. When discussing the overall cybersecurity program, or a specific component of it, in the boardroom: