“As the scale and complexity of the cyber threat landscape is revealed, so too is the general lack of cybersecurity readiness in organizations, even those that spend hundreds of millions of dollars on state-of-the-art technology. Investors who have flooded the cybersecurity market in search for the next software “unicorn” have yet to realize that when it comes to a risk as complex as this one, there is no panacea — certainly not one that depends on technology alone.”
Dante Disparte and Chris Furlow
“The Best Cybersecurity Investment You Can Make Is Better Training”
Harvard Business Review, May 16, 2017
Massive financial fraud in the early 2000s led to the passage of the Sarbanes-Oxley Act, which highlighted the need to apply more rigorous processes for managing financial information. Eventually, better training for those directly responsible for accounting and finance systems became a vital element of implementing and maintaining better control over financial risk.
More recently, massive cybersecurity breaches have added a new item to the portfolio of enterprise-wide risks: cyber risk. Financial risk could be mitigated largely within one department, by strengthening financial systems and giving finance personnel more guidance. Cyber risk cannot. It requires broader policies and processes that reach every function, and a higher level of cyber awareness from everyone in the organization.
When cyber breaches were first perceived as a significant problem, responsibility for addressing them was placed squarely with IT. CIOs, and later CISOs, were appointed by CEOs and told to “go fix it.” The emphasis was on defending the organization's perimeter. When those efforts failed, the people responsible were fired and replaced.
“…the CISO job is a poisoned chalice: the job is well-paid, respected and increasingly available to people of all backgrounds (thanks to the well-publicized InfoSec skills shortage), and yet the average job can last 18 months or less. A CISO could be dismissed for any number of things, from a breach or missed vulnerability to failing to align security operations with the board’s business goals.”
“These CISOs Explain Why They Got Fired”
CSO, April 20, 2016
The eventual realization that cyber risk is simply another substantial form of corporate risk has changed how organizations address it. It is now clear that CISOs need help from every corner of the organization, from executive management down to rank-and-file employees. Effective technology remains critical for protection, but better policies and processes, combined with consistent and targeted training programs, are what raise a company's cyber maturity and overall defenses. Given the often-cited estimate that roughly 80% of breaches stem from failures of people rather than failures of technology, these measures are vital to continued operations.
Managing cybersecurity across the organization requires a cultural shift by everyone, and several key groups besides IT and security play significant roles in mitigating the risk:
Board Members and the C-Suite – Ultimate responsibility for corporate risk rests with the directors and the executive management team. The board's fiduciary duty to oversee and mitigate risk is driving directors to ask more questions and learn more about the state of the enterprise's cybersecurity posture. Ridge Global, NACD, and the CERT Division of the Software Engineering Institute now offer cybersecurity governance training specifically for directors, conferring a CERT Certificate in Cybersecurity Oversight on those who complete it. Board-level oversight makes cyber governance a higher priority up and down the organization, and it can limit the liability that follows a successful breach.
General Counsel – A critical role of corporate counsel is to identify and mitigate sources of potential liability. Cyber risk now looms as a major threat, since it can create strategic, reputational, operational, compliance, and financial liability. A 2015 survey by BakerGilmore and NYSE Governance Services suggested that “general counsel at publicly traded companies could greatly benefit from more training on cybersecurity to help combat increasingly prevalent threats to corporate data.”
Internal Auditors – The passage of Sarbanes-Oxley eventually led to more sophisticated internal systems for managing financial risk. Direct responsibility for those systems generally rests with internal audit and the board's audit committee. As the understanding of cyber risk has grown, the audit committees of public companies are putting more pressure on internal auditors to help them track the implementation of cyber risk mitigation measures. Internal auditors therefore need more cybersecurity and cyber risk governance training so they can design, implement, and test internal controls for managing cyber risk.
Human Resources – Every hire, role change, and departure creates or removes access to systems and data, so HR departments can inadvertently introduce risk into the organization. HR directors need to understand the role they play in effective cyber risk governance by learning secure ways to screen and on-board new hires, to execute termination procedures (including the timely revocation of access), and to train all staff to support organization-wide policies and cybersecurity awareness programs.
Procurement and Purchasing – Acquiring goods and services introduces another significant risk into the organization. Purchasing managers should be trained to identify and handle the cyber risk that comes with supplier and partner relationships, including contractual cybersecurity requirements and appropriate levels of vetting for contractors, consultants, and vendors, both before a contract is signed and over its life.
Virtually anyone connected to the network represents a potential threat to the organization. Creating effective cyber risk governance and a “cyber aware” enterprise requires more than everyone attending a one-time class. Risk oversight by board members, adoption of regular cybersecurity training programs as part of corporate strategy by the C-suite, constant vigilance by general counsel, internal management of compliance by auditors, and strong policies and processes from HR and Procurement are all critical to a company-wide push for better cyber defense. Achieving this level of cyber risk governance means raising the knowledge and awareness of the entire organization, and the training needed to meet that challenge deserves far more attention than it receives today.