If you’re a board member concerned about cyber risk, you regularly ask “how secure are we from a cyber breach?” Is the answer delivered in technology metrics or a measurement of business risk?
“I’ve been in boardroom meetings where as soon as the CISO’s metrics presentation flashed on screen, eyes rolled heavenward and email was surreptitiously checked.”
Measuring and monitoring current practices vis-à-vis best practices and standards can ensure two things: (1) that cybersecurity efforts are focused on improving business practices, and (2) that technology deployment priorities are driven by business objectives. With this type of context, the board of directors is able to actively oversee the progress of the firm toward cyber maturity.
Directors pursuing their fiduciary duty of mitigating risk are increasingly frustrated. Despite an estimated $70 billion spent on cyber technology and services last year, the potential fallout from cyber breaches is increasing. In a recent NYSE survey of 276 public board members, 60% expect an increase in shareholder suits and 72% expect more regulation related to cyber risk governance.
Personal and corporate liability for breaches is a hot topic. The current buzzword in board discussions is “active engagement.” To protect the company in the event of shareholder suits after a breach, evidence must show that the company had been working diligently to mitigate cyber risk before the breach, and that the directors had been actively engaged in overseeing the process.
The realization that technology alone won’t solve the problem has led boards to seek third-party evaluations of their company’s cyber status. Most assessments are of two forms: (1) an evaluation based on an external examination of defenses, or (2) an internal audit by a large consulting firm.
The external evaluation is conducted by a technology firm that rates the company’s defenses by examining externally available data gained via its own testing combined with data from a variety of other sources. An internal audit is usually an expensive, disruptive process that deploys interviewers across the organization to answer hundreds of questions usually held in a proprietary spreadsheet. Each provides a point-in-time snapshot of the organization’s cyber readiness, based upon the judgment and expertise of the firm conducting the assessment.
Performing these evaluations resembles checking the safety of a house. The external assessment is like peeking in through the bathroom window to see what’s visible. The internal exam corresponds to taking a walk inside to check locks and how things are stored. While the first may point out current failings, the inside inspection gives a more comprehensive understanding.
In either case, the big question is “says who?” How can you know that what you’re being told is reliable? To what standard are the examinations being held?
Bodies of experts have developed and defined a number of cybersecurity frameworks. These highly regarded standards identify and describe measures that help an organization achieve greater cybersecurity through risk management. Although the standards bear different names (NIST, C2M2, ISO, HIPPA, PCI, etc.), they all share a common DNA. Each allows comparison of actual practice against best practices in order to highlight gaps that create unnecessary risk exposure.
The standards require the measurement and monitoring of what are known as “controls.” Simply put, a control is a policy, process, or procedure that should be implemented to mitigate risk. By monitoring hundreds of these controls and comparing the thousands of their potential states against the most rigorous standards, a company’s board and management can know how well the company is protecting itself against cyber risk. Some standards are general (e.g. NIST, C2M2, ISO), while others apply to specific industries.
|NIST Cybersecurity Framework||National Institute of Standards and Technology||All||Gold standard for high level reporting|
|C2M2 (Cybersecurity Capability Maturity Model)||U.S. Department of Energy||All||Integrates deeper reporting under the NIST Framework|
|ISO 27001:2013||International Standards Organization||All||Certification of information security management systems|
|HIPAA||Health Insurance Portability and Accountability Act||Healthcare||Significant portion devoted to proper handling and protection of electronic records|
|FINRA||Securities and Exchange Commission||Financial||Assess financial services firms’ approaches to managing cybersecurity threats|
|PCI||Payment Card Industry Security Standards Council||Card Processing||Increase controls around cardholder data to reduce credit card fraud|
|FERPA||Family Educational Rights and Privacy Act||Education||Gives families control over the disclosure of information of their children’s education records|
Assessments delivered without comparison to these standards are simply opinions. So the question of the day is this: if you’re being told that the right measures are being taken to improve the cybersecurity posture, ask yourself – says who?