A recent Los Angeles Times story described how one company chose to enhance corporate governance of cyber risk (cybergovernance) by adding a cybersecurity expert to their board. Is this a path that other companies should emulate?
Parsons Corporation is a well-regarded, employee-owned engineering and construction services firm with 15,000 employees and $3 billion in annual revenue. The company’s projects include building bridges, utility plants, and military bases, and it does a significant amount of classified government work.
Two years ago, Parsons CEO Charles Harrington opted to fill a board seat with someone possessing deep experience and expertise in building cybersecurity infrastructure, retired Air Force major general Suzanne Vautrinot. It seems to have worked out well, and other companies have taken a similar step by adding directors with a cybersecurity background, including AIG, Blackberry, CMS Energy, Delta Air Lines, Ecolab, General Motors, and Wells Fargo.
How are other companies coping with cyber risk? A survey of NYSE members revealed that, while more than 80 percent of boards discuss cybersecurity at most or all meetings, 66 percent aren’t confident that their companies are secured against cyberattacks. While adding a cyber expert to the board to help with cybersecurity oversight may make sense for some organizations, three daunting issues challenge the idea of adopting it as a general solution to board governance of cyber risk:
- Cybersecurity is more than a technology problem.
- Board members risk incurring huge liability.
- Cyber experts are in extremely short supply.
Cybersecurity is more than a technology problem.
For the past decade or so, most CEOs have treated cybersecurity purely as a technology problem, tasking the IT department with developing and implementing measures to protect the organization. How well is this working?
An estimated 42.8 million cyber attacks were detected in 2014, an increase of 48% over 2013, according to PWC’s Global State of Information survey. Mandiant research estimates the average time from infection to detection is 205 days, or almost 7 months, and the costs are high. The Center for Strategic and International Studies estimates that computer and network crime cost U.S. business over $100 billion in 2014.
Cyber attacks are increasingly being treated as a business problem in a class of their own, because they represent such a large business risk. Technology is important, but a complete solution also requires changes in company culture and awareness, plus more vetting of the security posture of vendors. Addressing cyber risk is, therefore, a business problem.
Board members risk incurring huge liability.
The problem is so acute that the Securities & Exchange Commission, the Federal Trade Commission, and other agencies are fining and prosecuting directors who fail to exercise “prudent business oversight” and “duty of care.” Since part of a board’s fiduciary duty is helping the company avoid risk, asking directors to assume responsibility for cyber risk is a natural step. However, a survey conducted by the National Association of Corporate Directors revealed that over 36% of respondents aren’t satisfied with the quality, and 52% aren’t satisfied with the quantity, of the cybersecurity and IT risk information provided by management.
“Without equivocation, Commissioner Aguilar stated that cyber security was a board responsibility… directors could or should be held personally accountable for cyber security breaches if they fail to keep their eye on the ball.”
Cyber experts are in extremely short supply.
The 2014 Cisco Annual Security Report (CASR) projected a global shortage of 500,000 to 1,000,000 IT security professionals relative to the number that public and private sector organizations will need to cope with the security challenges of the foreseeable future.
Even if adding a cybersecurity expert to each board were the best solution, the dearth of available talent prevents all but the largest companies from pursuing this strategy.
A Better Approach
“It’s critical that we start to demystify cybersecurity for the director community. Directors don’t need to be technology experts, but they must play an effective role in cyber-risk oversight.”
More effective cybergovernance is critically needed. Given directors’ liability risk and the shortage of cyber experts, it’s time to acknowledge that cybersecurity is more than a technical problem. Three steps will enable board members to meet their fiduciary duty and become more effective at helping reduce cyber risk.
- Develop a common management platform
Effective cyber risk mitigation requires collaboration between management, the board, and security professionals. A common management platform that demystifies cybersecurity for the board, and that enables the board, CEO, executive management, and security professionals to decide priorities together, is critical.
- Adopt a standards-based governance model
For a common management platform to gain acceptance and credibility, it must be based upon a robust model for cybergovernance that incorporates the best from widely heralded industry models like the NIST Framework and the Department of Energy’s vaunted C2M2.
- Insure directors against liability
Pressure from the SEC, FTC, and other agencies is increasing. The threat of shareholder lawsuits against the board following a breach can be mitigated through a combination of insurance and technology. Traditional directors and officers (D&O) insurance may not be enough. Some form of indemnification against legal expenses, combined with a robust management platform, can open the door to more effective cyber risk oversight.