Board cyber literacy is crucial for effective risk oversight.
It’s hard to pick up a newspaper these days without seeing headlines about another high-profile breach. As breach rates continue to grow, so does the liability of the organization’s leadership. Glaring examples from the headlines of the past couple of weeks include:
- “Russian Agents Behind Yahoo Breach, U.S. Says” – New York Times
- “McDonald’s: Anti-Trump tweet from ‘compromised’ account” – CNN
- “WikiLeaks Reveal Demonstrates Encryption Apps’ Vulnerabilities” – NPR
Getting Back to the Basics
To begin to govern cyber risk, board members must first understand certain aspects of their organization’s cyber risk program. Below are five questions that directors should be asking to effectively assess and govern their organization.
- What cyber regulations and industry standards does our organization need to follow?
From compliance regulations such as HIPAA, PCI DSS, and NY DFS to industry standards such as NIST CSF, ISO-27001, and the CIS CSC, board members should become familiar with the standards and frameworks their cyber risk program is built upon and which regulations apply to their organization.
- What are the “crown jewels” our adversaries want to steal?
An understanding of the organization’s key assets is critical to assessing risk. Some organizations inherently carry more risk than others. For example, a company that stores credit card data has far more to lose than a company that holds no valuable customer data. The sensitive data the organization processes must be identified and governed as an enterprise risk.
- How are we measuring the success of our cyber investments?
Reporting on the right metrics is key to improving a cyber risk program. An organization should understand the performance of its people, processes, policies, and technologies so that future investments are effective and the organization gets the best return on its spending. Common metrics for tracking a cyber risk program include the rate at which attacks are stopped before they become breaches, the time from detection to response, and the time to patch security flaws. Unfortunately, it is all too common for organizations to learn about a breach from an outside party such as the FBI rather than from their own monitoring. As the old cybersecurity saying goes, “prevention is ideal, but detection is a must.”
- How would a cyberattack affect our revenue, business, brand, and reputation?
Going back to inherent risk, directors should anticipate the impact on their organization if a breach were to occur. It is now more a question of “when” than “if.” The potential damage should be assessed in the same way as the other risks the organization manages. Non-technical consequences include employees being unable to carry out business activities, lawsuits and fines, negative media coverage, loss of customer trust, and a falling stock price.
- How will my organization respond if we are breached?
To minimize losses, the public relations handling of a breach is just as important as the technical response. Many organizations have an incident response plan in place but leave out notifying customers and managing media communications. To limit reputational harm, it is crucial to have a plan in place to quickly contain the damage.
A Call to Action
Cyber risk governance is a pressing matter that can no longer be taken lightly, and it all starts with an understanding of the link between cyber risk and enterprise risk. Regulations, assets, investments, impact, and response all play their part in every risk to an organization, not only cyber risk. Can you answer these questions for your organization?