- Donald E. Hester
Cybersecurity Governance Unleashed: Empowering for Effective Risk Oversight
In today's world, cybersecurity is a crucial part of any business. As organizations become more reliant on technology, they become more vulnerable to cyber-attacks. Cybersecurity risk oversight is a crucial component of governance, and the board-level accountability for cybersecurity has become increasingly important. The session "Do Better: Board-Level Accountability in Cybersecurity" at the RSA Conference covered the critical aspects of cyber risk oversight and governance of information and technology.
The session had a panel of experts from the cybersecurity, law, and corporate strategy fields, including Maggie Wilderotter, Chairman & CEO/Board Chair, Grand Reserve Inn/DocuSign, Brian Stafford, CEO, Diligent Corporation, Greg Silberman, Associate General Counsel, Zoom Video Communications, and Chris Hallenbeck, CISO, Tanium.
The board of directors has three fundamental roles that are essential for effective governance. Firstly, they are responsible for setting the organization's strategy, defining the long-term goals, and outlining the direction the company should take. Secondly, the board has the authority to hire or fire the CEO, ensuring that the organization has capable leadership to drive its success. Finally, and of particular relevance to this session, the board provides oversight to ensure that the organization is well-governed. This includes engaging in cyber risk oversight, where the board actively monitors and assesses the organization's cybersecurity risks, protocols, and measures. This session explored how the board can fulfill its oversight role and effectively engage in cyber risk oversight, thereby ensuring that the organization is equipped to navigate the evolving cybersecurity landscape.
Defining a material breach is a complex task that varies among organizations. The rules for breach disclosure based on materiality often exist in a gray area, leaving room for ambiguity. Attorneys involved in the process may have differing perspectives and interpretations. Consequently, it becomes crucial for the regulators to establish a clear definition of a material breach and determine the threshold at which it should be disclosed. This ensures consistency and transparency in addressing cybersecurity incidents.
To demonstrate effective oversight of cyber risks, board members must actively participate in cyber risk management. This involvement is crucial as effective oversight of cybersecurity risks plays a pivotal role in litigation scenarios. When facing litigation, the primary concern is typically whether the board demonstrated effective oversight rather than solely focusing on the impact of the breach. The question of board awareness and their proactive efforts will take precedence over factors such as the number of compromised records or downtime. It is imperative for board members to be aware and actively engaged in addressing cyber risks to showcase their commitment towards mitigating potential breaches.
In order to demonstrate effective cyber risk oversight, it is essential for board members to possess a certain level of cyber literacy. This means that board education plays a crucial role. Board members need to be well-informed about cybersecurity risks, enabling them to make informed decisions. It is important for the board to avoid getting lost in the intricate details and instead focus on key issues related to cybersecurity. The audit committee can serve as a valuable resource in enhancing board members' understanding of cybersecurity risks, providing guidance and insights to help them navigate this complex domain effectively. By prioritizing board education, organizations can ensure that their board members are equipped with the necessary knowledge to contribute actively to cyber risk oversight.
Board members can actively participate in tabletop exercises to gain valuable insights into their organization's ability to respond to a cyber incident. These exercises play a crucial role in enhancing their cyber literacy and deepening their understanding of the potential impact on business operations. By engaging in tabletop exercises, board members can witness firsthand the organization's preparedness, identify potential gaps or weaknesses, and support refining the incident response plan. This hands-on experience not only helps board members develop a comprehensive understanding of cybersecurity risks but also enables them to demonstrate oversight and support for mitigating future incidents.
To demonstrate effective oversight, board members should ensure that the Chief Information Security Officer (CISO) reports directly to them. This organizational structure emphasizes the accountability of the CISO to the board, as well as the board's responsibility for cybersecurity risk management. By having a direct reporting line, the board can stay informed about the measures being taken to mitigate cybersecurity risks and assess the organization's overall cyber resilience.
Having the CISO report to the board is also a critical factor that cyber insurance providers and credit rating agencies consider. They recognize the significance of independent oversight and a dedicated focus on cybersecurity. It demonstrates a commitment to proactive risk management and signals to external stakeholders that the organization takes cybersecurity seriously.
Moreover, keeping the CISO role from being buried under the Chief Information Officer (CIO) highlights the need for a distinct and specialized focus on cybersecurity. It gives the CISO a direct line of communication with the board, fostering effective collaboration and ensuring that cybersecurity risks receive the necessary attention and prioritization.
Overall, establishing a reporting relationship between the CISO and the board reinforces the board's oversight role, enhances cyber risk management, and strengthens the organization's overall cybersecurity posture.
Effective communication plays a pivotal role in cybersecurity risk oversight. CISOs must skillfully convey risk information to the board in a manner that is engaging and relatable. It is essential to go beyond mere PowerPoint presentations filled with numbers and statistics. Instead, the focus should be on fostering a meaningful discussion that encourages dialogue and understanding. It is crucial to ensure that the board comprehends the risks and their implications for the business.
By promoting interactive and engaging dialogue, the board can actively participate in the oversight process rather than being overwhelmed by a one-sided barrage of information. This approach not only facilitates better comprehension but also enables the board to provide valuable insights and guidance.
Moreover, ongoing dialogue serves as evidence of the board's active oversight, which can be crucial in potential litigation scenarios. By consistently engaging in discussions about cybersecurity risks, the board demonstrates its continuous commitment to overseeing the organization's cybersecurity posture and addressing any emerging challenges effectively.
There are certain things that boards should never do to fulfill their responsibilities effectively. Firstly, they cannot claim ignorance by saying they didn't know about a particular issue or risk. Boards have a duty to be informed and aware of the critical aspects of their organization, including cybersecurity risks. They should actively seek knowledge and stay updated to make informed decisions.
Secondly, boards should refrain from using the actions or decisions of other organizations as definitive guidance for their own. Each organization operates in a unique context with its own risks and challenges. Relying solely on what other organizations have done, without considering their own specific circumstances, can lead to ineffective decision-making and oversight. Boards must evaluate their situation independently and make informed choices based on their organization's needs and objectives.
During the session, the speakers recommended two programs to help board members enhance their education and understanding of cybersecurity risk oversight responsibilities. The first program mentioned was the board cyber risk certification offered by Diligent Corporation. This certification aims to equip board members with the knowledge and skills to fulfill their cybersecurity oversight duties effectively.
The second program recommended was the Stanford Directors Program, which provides comprehensive education and training for board members. This program likely includes valuable insights into various aspects of corporate governance, including cybersecurity risk management.
It is worth noting that the speakers did not mention the National Association of Corporate Directors (NACD) CERT Certificate in Cyber-Risk Oversight Program during the session. However, it is another recognized program that offers board members specialized training in understanding and addressing cyber risks in the context of their governance responsibilities.
These programs serve as valuable resources for board members seeking to enhance their cyber risk literacy and contribute to effective cybersecurity oversight within their organizations.
The principles discussed regarding cybersecurity governance and oversight at the RSA Conference session hold significant relevance to local governments, particularly when considering city councils as equivalent to boards of directors. While the session primarily focused on publicly traded companies, it is crucial to recognize that good governance extends beyond the corporate sphere. Local governments, entrusted with public funds through taxes and investments, also bear the responsibility of ensuring that resources are allocated wisely and material risks are adequately addressed.
The importance of effective oversight and cybersecurity risk management becomes even more critical in the context of local governments. These entities provide essential services to the public, and any interruption or compromise in their operations can have far-reaching consequences. Therefore, local governments must prioritize good governance to safeguard the delivery of critical services and prevent potentially costly incidents.
By adopting the guidelines and principles discussed during the session, city councils can bolster their cybersecurity governance, enhance their understanding of risks, and actively engage in oversight. This proactive approach helps local governments mitigate potential cyber threats, safeguard public funds, and ensure the uninterrupted provision of vital services to their communities.
This session highlighted the importance of cybersecurity risk oversight and board-level accountability in today's cyber risk landscape. With organizations increasingly reliant on technology, they are more vulnerable to cyber-attacks, making cybersecurity a crucial aspect of governance. We also need to acknowledge the applicability of these principles to local governments, where good governance and cybersecurity oversight are vital for the uninterrupted delivery of critical services to the public.
Stanford Directors Program https://conferences.law.stanford.edu/directorscollege/
National Association of Corporate Directors (NACD) CERT Certificate in Cyber-Risk Oversight Program https://www.nacdonline.org/events/detail.cfm?ItemNumber=37092
Diligent Cyber Risk & Strategy Certification https://www.diligent.com/landing/cyber-risk-strategy-leadership-certification/