The SEC's recent guidance on cybersecurity disclosures has put a renewed spotlight on how the board governs this evolving threat. The ruling came just months before several high-profile breaches at MGM, Cloudflare, Google and Amazon Web Services, which further underscore the scope and complexity of what companies are up against.
“The risks have just gotten dramatically worse,” says Larry Clinton, CEO of Internet Security Alliance (ISA), which represents chief information security officers of Fortune 100 companies. “The sophistication of the attacks, the damage from the attacks, the number of players involved: All have gotten much more dangerous in the last 10 years. Things that we used to consider a black swan event, like a $10 million loss to an organization, happen frequently now.”
The complexity, volume and application of new technology also play a role in how cyber threats are evolving, says Chris Hetner, former senior cybersecurity advisor to the SEC chair and now cochair of cybersecurity and privacy for The NASDAQ Center for Board Excellence Insights Council. “The attack surface is expanding. We have more mobile devices, increased reliance on applications and applications that speak to applications, machines that speak to machines, plus advancements in cloud computing that introduce concentrated risk.”
Economic fallout from these attacks is getting worse by the day. According to the World Economic Forum (WEF), the annual economic damage from cyberattacks is over $2 trillion. WEF predicts that number will rise to $10 trillion in a few years, a figure roughly equivalent to China's gross domestic product.
Set the Right Context
In a speech to his colleagues that was detailed by Seapower Magazine, Aaron Weiss, chief information officer of the U.S. Navy, called out the Navy's “culture of compliance,” which gives a false sense of security based on a checklist when in fact, he argued, the department must be in a “constant state of readiness.” The insight is relevant not just to the Navy, but to all organizations. Getting the right kind of guidance and support around cyber starts with acknowledging a fact many boards fail to recognize: With a risk this complex, compliance alone is not sufficient.
“The board meets quarterly, but cybersecurity is much more dynamic and changing all the time,” says Robert Barr, a cybersecurity executive and cochair of the Private Directors Association's cybersecurity board governance committee. “When one has nation-states hacking companies to achieve their objectives — espionage, taking down financial systems, accessing another high-stakes company, taking down nuclear reactors — it requires a new level of understanding.”
This all means boards need a more holistic approach that elevates cyber beyond a technology problem. “There is definitely an evolution happening where leading boards increasingly consider cybersecurity as an overall strategic risk as opposed to merely an operational risk,” Clinton says. “Control of the cybersecurity agenda now also includes human resources and finance and, critically, research and development and public relations as well as legal. It's enterprise-wide risk management that needs to be woven together.”
Yvonne Wassenaar, who serves on the boards of Arista Networks Inc., Rubrik, JFrog Ltd. and Forrester Research Inc., has seen this evolution on her boards. “There's a greater appreciation and understanding that cyber is a very important risk that must be mitigated at the board level. Across the board, we have been deepening and broadening the discussion of cyber. Our audits, dashboards and reporting have become more mature.”
It's critical for board members to get the right guidance and expertise so the board can keep pace with the threats.
Ask the Right Questions
Companies and the boards that oversee them have many tools at their disposal to help manage cybersecurity risks, including insurance, penetration testing and tabletop exercises. There are plenty of experts to provide consulting and guidance. But context-setting is critical. The type, breadth and depth of support the board needs depend on key factors like industry, company size and history of attacks. As is the case with many complex risks the board manages, there are trade-offs embedded in every decision, and the implications reverberate throughout the company. Asking the right questions to understand the risk/reward calculus is critical.
What's our risk appetite? Cyber is no different from any other business risk: The company must be able to tolerate potential downsides. Wassenaar recalls a conversation at a board meeting that underscores the point. “The CISO was doing a readout of the cybersecurity status and showed the number of vulnerabilities they were working on, how long they'd been outstanding and so forth. A couple of board members said, ‘What do you mean it's not zero?’ There's nuance in truly understanding what some of these dashboards tell you. The reality is that some of the vulnerabilities found don't have a high probability of ever being executed, so the risk is lower than it seems at first blush. There is a cost in trying to get to zero.
“Boards have to manage risk, but managing risk doesn't mean eliminating risk. It means being thoughtful on the return on investment against the probabilities and the potential damage and thinking about that in the context of a much broader landscape.”
“There are different kinds of risks, so it's important to determine how much risk you are willing to tolerate,” says Jim Rogers, a director of Appleseed Network and Active Transportation Alliance and the former CLO of Orbitz Worldwide Inc. and Cars.com Inc. “For example, how much of an outage can we afford to tolerate? What about our internal email? Can that be down a little longer than our external-facing stuff?”
What's the strength of our internal team? Understanding where cyber lives in the organization, how it reports up to the CEO and the strengths of your key leaders is critical to evaluating what the board can leverage internally and where outside expertise may be needed to fill gaps. “We see the board disconnected from cyber because they don't understand the deep technical information, and the CISO community continues to deliver that jargon into the boardroom,” says Hetner.
Boards should also look for consistent tracking of key metrics and an evolving lens that keeps pace with the risk landscape. “You want the measures and the metrics that help you understand how well you're doing,” says Wassenaar. “How are you ensuring the implementation of policies around phishing attempts? What are the policies and practices with your third-party suppliers? How are you going to identify if something bad has happened? How are you going to stop it and remediate it? How are you going to report on it or get help to resolve the issue? You want to make sure that you have a holistic viewpoint.”
When assessing the strength of the team, the board should also look beyond the CISO, says Hetner. “There should be an expectation that technology and cyber risk management is integrated into enterprise risk management to ensure that the whole of the enterprise is engaged in the management of cyber risk and its relevance to the business — financial impact, legal implications, privacy implications, operational resilience, the integrity of our brand. All those questions need to be answered, not by the CISO, but by enterprise risk management, so they're building the muscle across the enterprise to make sure that this is happening and the CISO is not running in isolation.”
What data do we most need to protect? Mapping risk to data is critical and will help boards focus on where to make the right investments in threat mitigation. “First and foremost, I think boards need to understand what is most critical to keeping the business operating and functional,” says Wassenaar. “Ask where the biggest points of risk are, because that will help point you in the direction of the things that are most critical to ensure that they are very tightly secured.”
Under a true enterprise-wide, strategic approach to cybersecurity, the inputs for that mapping should come from across the organization, not just the technology team. “An enterprise risk assessment is key here,” says Rogers. “Typically, it involves interviewing key business leaders to find out what kinds of data leakage or loss would pose the biggest risk to the business from their perspective, so that you can get an overall view of where you need to focus resources and whether you are applying the right level of resources against each risk.”
What kinds of support are table stakes for our industry and risk profile? Aside from the enterprise risk profile Rogers mentions, boards should consider a periodic audit every two to three years via an independent third party to get a baseline and then periodic updates on overall cybersecurity health. This data will give board members powerful clues about where to focus both oversight and resources.
Every Director Has a Role
Merely adding a board director with cyber experience is not sufficient to resolve a company's cybersecurity issues and, in fact, may cause additional problems. Deep cyber expertise without a larger sense of business context can actually be counterproductive to board dialogue, says Hetner. “It can create a disadvantage because the conversation goes too tactical, too deep, and you lose context in the boardroom.”
Hetner offers an aviation analogy: “I'm not really concerned with the rivets on the airplane. I'm more concerned about the integrity of the airplane to make sure that it goes from New York to California and that it lands safely.”
Having a cyber specialist on the board can give the other directors a false sense of security. “The board’s liable to just turn to that cyber expert and say, ‘Okay, you handle cybersecurity,’” says Clinton. “You want the whole board to be involved because they need to understand that this is a strategic business issue.”
The shift from a compliance lens to a strategic lens means board members must engage more deeply. “The conversation around mitigating risk used to be ‘In case of cyberattack, let's just look to insurance,’” says Barr. “That's like saying, ‘Hey, I'm going to go drive a car. I don't need to learn how to drive. I don't need to understand it. I just need to get insurance, and then I can go drive on the highway and be fine.’”
Wassenaar has leveraged on-demand, board-focused cyber courses to augment her own knowledge. She also points to the team and resources the company has built around cyber as another source of board education. “With the boards that I sit on, it’s mostly been either the hiring of very seasoned CSOs or up-leveling of the security capabilities within the company, and then those individuals coming in and helping to educate the board and advance its maturity.”
Barr has helped the Private Directors Association establish a series of cyber trainings designed not just to educate directors, but also to deepen the board's understanding of cyber. “If we think about the value that board members can provide, then it requires not just knowledge, but going on a journey from point A to point B and step-level improvement.”
Ultimately, all board members must have a baseline level of cyber literacy, and they must take responsibility for educating themselves as needed. Not everybody on the board is expected to be a financial expert, but they are expected to be able to read financial statements. The same holds true with cyber, says Clinton.
“Directors need to be educated enough that they can deal with this critical business strategic issue. They don't need to know how to patch a system or what the proper configuration is, but they need to ask the right questions of their management team.”
Erin Essenmacher is a board director and strategic advisor, currently serving as chief experience and strategy officer of The Athena Alliance. She spent nearly 10 years in executive leadership at the National Association of Corporate Directors, most recently as president and chief strategy officer.