Information technology has become so fundamental to business that it has moved out of the traditional IT shop and into the business arena. Many companies today see themselves as technology companies that happen to sell retail goods, financial services, or some other product, which compels IT to be viewed as both a strategic asset and a major risk. From the spectacular cyber breach affecting millions of customers to the mundane system upgrade, technology continues to pose a host of strategic, reputational and compliance challenges. And while directors are becoming more tech-savvy, boards continue to wrestle with understanding IT risks and strategies, and with how they can help ensure the company is protecting itself while making the most of disruptive technologies.
No longer relegated to the domain of the IT organization, cyber security is now unquestionably a C-suite priority. It is also front and center for boards and their audit committees. The recent breach of Target’s data demonstrates that cyber security is not just an IT problem but a business problem. And the subsequent resignation of Target’s CEO and CIO underscores the consequences a cyber incident can have on confidence in the organization’s leadership, market reputation, and shareholder value.
But which domains will a prudent board want to consider in order to understand the critical inflection points? Consider the following key developments that cause IT insecurity, and the strategies that build confidence in managing cyber threats.
Change Acceleration
Threat Actors
Many complexities lead to cyber insecurity, among them the different types of adversaries. In the past, threat actors were primarily isolated individuals who occasionally launched homemade attacks against targets of opportunity. Today, however, threat actors are highly organized, rigorous in their pursuit, and attack targets of choice. Threat sources include organized crime, nation-states, cyber espionage, hacktivists and insider threats.
Disruptive Technology
Security gaps occur when yesterday’s approach is relied upon to deal with how business is conducted today. The pace of innovation and adoption of new technology requires an evolved control environment before confidence is warranted. Given that firms now increasingly rely on information from disruptive technologies (mobile, social, cloud and data analytics) to make decisions, a rethink of the approach is required. There is now a greater burden on management to hold richer discussions with their board on the impact emerging technologies and social media have on the company’s strategy and risk profile. Concurrently, ongoing awareness of regulatory change is necessary, since laws will evolve to keep pace with business demands.
Data Inequality
In the information age data is growing at an exponential pace, but not all data is equal. It is important to understand the value of the company’s various data sets and whether appropriate resources are devoted to securing the most critical assets. Organizations carry pockets of sensitive information, such as operational data, strategic information (for example, mergers and acquisitions (M&A) plans) and inputs for financial statements. Is it clear where such high-value data resides? Who has access to it? Is it adequately protected? How quickly will it be known when it is stolen or shared? These and other concerns require new control points to be designed and implemented.
Control Foresight
Boards take into account how much dynamic change the business is going through: is the company expanding, going global, considering an M&A deal, or contemplating going public or private? Such business changes place heavy demands on IT to keep pace with strategy, which invariably increases cyber risk. What is the right control strategy to mitigate these risks?
Cyber Knowledge
The traditional CEO and CIO understand technology but may not possess cyber knowledge. Therefore, it is incumbent upon companies to make sure they have at least one board member who is knowledgeable about IT and IT security. This places demands on C-suite executives to articulate cyber issues effectively, in business context. Further, forward-looking boards are considering moving responsibility for network security from audit committees to risk committees, as cyber security is increasingly viewed as a business risk more than a compliance issue.
Risk Assessment
Should the board conduct an independent IT risk assessment that considers the entire information supply chain: vendors, law firms, and business partners? Considering the high costs and reputational impact of a major breach, a risk assessment oftentimes provides a great return on investment.
Niche Services
The further an organization moves away from its strategic core, the greater the risks. Some functions are simply not in the strategic interest to develop in-house; therefore it can be a better business model to outsource certain expertise, such as ethical pen testing or independent audits (SSAE 16). It may also be a good idea to have a formal retainer in place in case subject matter experts (SMEs) are needed quickly.
Supply Chain
Companies that rely on partners to conduct business must ensure their suppliers are not leaking information. Attestation reports can provide some comfort, but audit committees may want more details about their third parties’ control environments. Some companies adopt international standards such as the ISO 3500 model to secure their operations and expect the same of their suppliers.
Point in Time vs Continuous Monitoring
An independent audit, such as an ISO 27001 certification audit or an annual pen test, provides an assessment of the security posture at a given point in time. But how is an organization alerted to issues that arise after the audit? Continuous monitoring, when designed appropriately, can provide real-time data on critical security metrics. But what good is robust monitoring technology if alerts are not responded to in a timely manner (as in the Target incident)? Boards will have to weigh these factors holistically in order to determine the investments best suited to protect the business.
Key Performance Indicators
Boards and their audit committees may consider reviewing the CIO’s cyber-monitoring dashboard, which management uses to monitor and manage cyber security incidents. An effective dashboard is designed from industry benchmarks, key scorecards and the metrics important to competitors.
Response Plan
The question is not whether there will be an incident, but when. And when it does occur, it will likely not be just an IT issue but a reputational one. How will the organization respond to a breach? Will business be stopped if an attack is ongoing? What will the company disclose? Who will assist? It is precarious indeed to be working through such questions for the first time while an incident is underway. That is why the resiliency of the business continuity plan and the cyber-incident response plan should be tested periodically and reviewed by the board. The plan should cover proactive protections, detective defenses and timely remediation.
Communication Governance
A powerful statistic to consider: 90% of data breaches result from people not following established controls. Training and retraining employees on policies and procedures can reduce the risk posed by people. Effective policies require input and buy-in from leadership across the enterprise, including legal, to ensure coverage of applicable laws and regulations. A robust awareness program reinforces key security concepts.
In short, a board’s traditional role is to focus on new markets, portfolio diversification, corporate performance, long-term value creation, succession planning and strategy. Due to change acceleration and the need for control foresight, boards and their audit committees must also ask their IT leaders prudent questions and expect answers covering gaps, frameworks and investments, explained in business context. Forward-looking organizations that view IT security as a strategic business enabler and not just a compliance activity realize improved decision making, avoid catastrophic risk and empower personnel throughout the organization.