Board members do not need to be cybersecurity experts to play an important role in defining the overall cyber health of their organization. In this article, we will discuss how to shift boardroom conversations and considerations about cybersecurity to enable members, company management, and information security personnel to work together to implement a more effective cybersecurity program.
Why Boards Should Stop Searching for the ROI on Cybersecurity
If you’re looking for the ROI on cybersecurity, you may find it difficult to measure.
These are not words you’d expect to hear from a shareholder at a cybersecurity company, right?
That doesn’t mean that cybersecurity is unimportant, though. The problem doesn’t lie in the value of information security—it’s absolutely valuable. The problem lies in the typical conversation around its value.
You own ABC Widgets, Inc., and you have a warehouse where you store all your widgets.
Every day, you pay employees to work there. One of their tasks is to ensure that the warehouse is locked before they leave.
Every day, they lock the warehouse before leaving. What’s the ROI for the 5 minutes it took to lock the warehouse? If no one ever tries to break in, then the ROI on that effort is zero. On the other hand, if locking the warehouse thwarts an actual break-in attempt, then the ROI could be everything in the warehouse.
So, what is the ROI on locking the warehouse? The effort doesn’t increase earnings or revenue – it prevents the loss of inventory, thereby avoiding losing money.
That analogy helps to articulate the challenge of trying to measure the value of an effective cybersecurity program. Cybersecurity rarely offers a clear way to “win” in the traditional sense, as such investments aren’t typically tied to direct increases in company revenues. Instead, cybersecurity investments offer strategies to prevent losses which are, quite honestly, often hard to get people excited about. Even so, the boardroom conversation around cybersecurity must shift if we want to understand its true value.
Instead of asking how much more money a company can make from its cybersecurity efforts, it is more appropriate to ask how much the company is avoiding losing by investing in cybersecurity. That can be hard to determine, but like most things in information security, proper evaluation starts with a risk assessment.
While many security threats are similar across organizations, cybersecurity risk is different for every company. The purpose of a risk assessment is to help an organization identify, catalog, and measure the unique cybersecurity risks it faces, and the potential impact if those risks were to be realized.
Once a risk assessment has been completed, the organization will have a solid basis for discussing cybersecurity in the boardroom. At that point, board members and company executives have the background knowledge necessary to recognize which risks the organization faces, their likelihood of occurring, and the potential impact on both revenue and public opinion of the entity.
To properly evaluate the benefits of cybersecurity investments, instead of asking how cybersecurity will increase profits, ask how it will decrease or prevent losses. Investing in cybersecurity can help a company avoid costly mistakes and potential loss of customer trust—and it’s very difficult to put a specific dollar amount on that.
Is Management Involving the CISO in Strategic Business Decisions?
Seasoned Board of Directors members know that big decisions happen quickly. Often, significant company decisions don’t include all key leadership representatives within the company, such as the security team. This oversight can leave the security experts scrambling to implement controls, identify other risk mitigation strategies, or otherwise get up-to-speed with company changes, and can introduce unexpected costs and delays into the planned changes.
This omission generally happens because of a simple misunderstanding. There’s a misconception that security teams are the “no” police and will do anything in their power to keep the business from making big changes.
However, the goal of a strong cybersecurity function is to align itself with the goals of the business, and to advise business leaders regarding cybersecurity considerations so they can make well-informed decisions, not to say “no” whenever possible.
Here’s a simple analogy:
When asked why brakes on a car are important, most people will respond, “Because they let you stop when you need to.”
In actuality, brakes are important because they allow the car to go faster than it would without them.
Imagine driving a car without brakes. To avoid a major catastrophe, the car would have to stay on flat ground and wouldn’t be able to go more than a few miles per hour (and it would likely need a Flintstones-style hole the floor so the driver could use his/her feet to bring it to rest).
The same is true for information security controls. They don’t exist to slow an organization down, or worse—to stop it in its tracks. An organization’s cybersecurity team exists so the company can take bigger risks more safely.
Think about this:
Without security controls, an organization would hardly be able to store, process, or transmit any sensitive data, because it would be so readily accessible to anyone who wanted to get into a network and find it.
Security controls and the efforts of the cybersecurity team are what allow a business to function most effectively and securely. However, a security team brings the most value for the least cost when it can be involved in strategic business decisions—when there’s a two-way relationship established between management and the security team or the Chief Information Security Officer (CISO).
How can a Board of Directors help foster that relationship at an organization?
First, understand that it is the responsibility of the management team to involve the CISO in strategic decisions. Rarely will a CISO beat down the door of management to get involved in big decisions. And even if that does happen, he or she may not find an executive team who understands why his or her involvement is necessary. Thus, management must take the initiative to understand the importance of the CISO role and the benefit of involving the security team in strategic decisions.
Second, it’s the responsibility of the CISO to be a good team member and endeavor to understand the business objectives. What does that mean, exactly? Mainly, the CISO can’t be the “no” police. He or she shouldn’t attempt to shut down any proposition that presents a risk to the organization. The CISO must understand not just the plans made by the management team, but also why they are important to the business.
If the management team proposes a strategic move that poses a moderate risk to the company’s security profile but could have a huge financial payoff, the CISO must be willing to entertain and potentially help implement the idea. Put another way, the CISO should acknowledge the benefits of the proposed business initiative and seek to find affordable ways to manage risk to an acceptable level. Beyond that, the CISO must understand the language of the boardroom and be able to present security concepts to management in ways that are easily understandable and accessible, without the “geekspeak” often associated with information technology conversations.
In the end, both the CISO and the management team must be working toward the same goal—a better business. However, each side must do its part to ensure that the goal can be realized.
Is the CISO Reporting Appropriately Within the Company?
A hammer is a valuable tool—but not if you’re trying to cut down a tree. In the same way, a cybersecurity team is an asset to a company’s success, but it’s most effective when used correctly.
When trying to determine if an organization is effectively using its security team—and consequently, if the CISO reporting structure is appropriate—first ask this question: What does the company need and/or expect the cybersecurity team to provide to the organization? The answer to that determines the appropriate reporting structure for the security function.
Traditionally, cybersecurity teams follow one of two basic modes of operation:
In this function, the cybersecurity team is separate from the company’s IT team. The CISO reports to the Chief Legal Officer or Chief Compliance Official. The benefit of this structure is that it allows segregation of duties between the IT team—who often handles day-to-day technical operations—and the cybersecurity team—whose time is better spent addressing security and compliance challenges.
This model works best for organizations that are process-centric (i.e., the company has implemented formal processes for most business operations and does not have to spend much time solving problems “on the fly”). For this model to work most effectively, “oversight” must be defined very clearly.
- How will the security team oversee company processes?
- What exactly will be done?
- What specific activities are involved in the oversight process?
- What authority will the cybersecurity function have to prescribe solutions?
2. Operations + Oversight
In this structure, the cybersecurity team is responsible for both the oversight of the company’s security program, as well as some of its day-to-day IT operations. This model works best for organizations that are not necessarily process-centric and find themselves “putting out fires,” because it allows for a rapid, integrated response when necessary.
The benefit of this model is that it allows the cybersecurity team to work directly with the IT team—a necessity in any organization. Beyond that, it allows organizations to mature to a more process-centric structure, at which point the IT and cybersecurity teams can be segregated. One challenge with this structure is that day-to-day operations can consume the team’s security efforts. Instead of spending their time identifying and communicating risk and aligning strategic priorities, cybersecurity experts can get stuck chasing helpdesk tickets.
3. The Hybrid Method
While the two methods above have their benefits, the most advanced companies follow a hybrid model, in which the cybersecurity team is spread across three reporting categories:
- Reports both to the IT Department and the cybersecurity team itself
- Reports solely to the IT Department
- Reports solely to the Oversight/Compliance/Etc. Department
What’s the benefit of this structure? This model creates three minor divisions within the cybersecurity team: one team that provides oversight, one that handles operation, and another that performs both oversight and operations as needed. This model allows the security team to be flexible and responsive to day-to-day operations, when necessary, while maintaining strong (and objective) security and compliance posture. To whom the CISO ultimately reports in this hybrid design depends on what the cybersecurity function is expected to provide to the company, as well as the organization’s culture.
Board of Directors representatives should understand what cybersecurity operating model management has decided on and be familiar with what cybersecurity is expected to do for the company. This knowledge will allow Directors to determine if security is reporting appropriately within the company.
Does Your Company Have a Comprehensive Cybersecurity Program?
While it would be great if there were an exact set of steps to follow to be fully secure, there are no one-size-fits-all cybersecurity programs. From a 30,000-foot view, developing a comprehensive information security program seems straightforward—and it is. The challenges appear when you begin to get in the weeds and look at specific risks an organization faces, because many cybersecurity questions don’t have a straightforward answer.
Just like a tailored suit or the way each person prefers their coffee, cybersecurity programs are unique. To have a comprehensive cyber program, it’s not enough to look at what other companies are doing and mirror their efforts. Each organization must define what an appropriate program looks like for their company. Boards of Directors should ask management, “What does a good cybersecurity program look like for us?” That said, there are four key steps that every organization should be doing to ensure their cybersecurity program is properly tailored to their needs and risk tolerance.
1. Perform a risk analysis.
A risk analysis is the foundation of an information security program. It asks and answers questions such as: What type of data does the company store, process, and/or transmit? What’s the likelihood that sensitive data could be accessed by a malicious user? What would be the consequences of a breach? The good news is that organizations don’t have to do this analysis on their own. There are experienced, qualified entities (like LBMC Information Security) that can provide an objective but fully informed perspective on cybersecurity risks and help prioritize weaknesses so each organization can ensure it is utilizing its limited resources to address the most important cyber risks.
The risk analysis should evaluate the company against a well-established, universally accepted industry standard like NIST CSF, ISO 27001, or any other common security framework in the company’s industry. The creators of these frameworks have taken the time to define general areas and functions that all cybersecurity programs should consider and address. Using a framework as a basis for evaluation and decision-making ensures that an entity is taking an in-depth and well-rounded look at its risks.
2. Develop controls to integrate security into business operations.
Auditors (and hackers, for that matter) don’t care how much a company talks about cybersecurity. They care whether controls are in place and functioning as designed. Use the risk analysis as a guideline to determine which controls must be implemented (or enhanced) to secure data to a reasonable degree. This is where decisions and actions begin to differ for various companies.
Some companies store incredibly sensitive data in highly visible and accessible systems, and therefore must spend high dollars to protect that data. Other organizations store lower-risk data in less accessible ways, which can often be afforded a lower budget. Ultimately, each organization must determine how it can implement cybersecurity into the day-to-day operations of the business to reduce risk to an acceptable level.
3. Write it down.
For the security program to be truly real, it must be written down. Documentation is important for a few reasons. First, employees can’t perform their security duties if they don’t know what those duties are. Documenting security controls provides clarity and transparency into a company’s information security program, as well as its expectations for protecting sensitive data.
Second, it’s difficult to assess the effectiveness of a program if the program’s objectives and approach aren’t clearly documented. The proper way to verify that security controls are in place and operating effectively is to inspect (audit) them. Without a written record of controls that are required to be in place, it is impossible to know what to evaluate to determine the organization’s security posture.
4. Implement the controls.
Determining and documenting cybersecurity controls are huge steps for many companies. The problem is, too many companies stop there. Often a company has comprehensive documentation about their security program, but their implementation of the control processes is lacking.
To ensure the cybersecurity program produces the desired results, organizations must carry the baton across the finish line. Once controls have been designed and documented, they must be effectively implemented throughout the company. Be sure not to make the mistake of documenting desired future-state as the current reality; document the controls that are truly being performed within the organization today. Documenting what the organization aspires to do might be helpful to set a future goal, but it won’t impress an assessor. What’s written down should reflect reality within the organization.
Is the Company Fostering a Culture of Compliance and Security?
Here’s a fact: Employees at every organization create, handle, and manipulate sensitive data daily. That means employees are the first line of defense for protecting an organization’s sensitive data.
The problem is, at many companies, cybersecurity training isn’t treated as a learning opportunity, but rather a box to be checked off periodically (and largely forgotten after it’s completed). Add to that the fact that, after working with sensitive data for a significant period, many employees fall into one of two camps:
1. They become numb.
Some employees handle sensitive data so often that they forget it’s even sensitive. They are exposed to it and processing it so frequently that they treat sensitive data like the results of last night’s football game. It’s trivial.
2. They become overly sensitive.
Other employees become the opposite of numb. They feel the weight of the data they handle—all of it. That means they might misclassify patently insensitive data as “sensitive” or might go to unnecessary lengths to protect unimportant data.
How can a Board of Directors help management and the employees discern sensitive data and handle it correctly? Ask one simple question: Has the company implemented proper security awareness training?
Proper training means making sure the organization’s cybersecurity awareness program is tailored to the individual functions inside the company. Many organizations provide the same training to all employees—even though employees in different departments handle widely different data with differing degrees of frequency.
While a baseline security awareness training program is helpful for all employees, companies should also provide additional training to certain employees based on their specific job function.
An entry-level employee at a healthcare company may handle mildly sensitive data for a set number of clients or patients.
Contrast that with a senior-level cybersecurity team member who regularly interacts with the company’s entire spectrum of sensitive data.
In the examples above, both employees should have a baseline level of security awareness training, but the cybersecurity team member should undergo more intensive training as well. Further, the entry-level employee should have training relevant to the data he or she handles regularly.
To truly develop a culture of compliance and security within an organization, the company may have to change the way it views and reacts to data handling mistakes. Cybersecurity mistakes can’t always be viewed as punishable offenses or unforgivable blunders. If employees believe they’ll be punished every time they make a mistake, they may be tempted to hide those mistakes as well as their lack of knowledge about cybersecurity-related topics out of fear they’ll get in trouble.
Instead, view the majority of data handling mistakes as teaching opportunities. An information security gaffe is an opportunity to revisit and clarify the employee’s responsibilities and teach exactly how the problem can be avoided in the future. And of course, there should be consequences if an employee continually fails to fulfill his or her responsibilities.
A culture of compliance and security starts with the tone at the top. It’s up to Board members to emphasize to the company that cybersecurity is:
- Important, not just at a general level, but at a specific level for each role.
- A continuous learning experience for everyone involved. It’s okay to admit a mistake or lack of knowledge in efforts to improve.
Tips on Cybersecurity Vendor Risk Management
Each of a company’s vendors presents a unique risk to the organization. Whether it’s a risk to information security or the availability of the company’s product or service, all vendor services come with a specific level of risk.
In the current technological environment, vendors are not only helpful but are required to run certain aspects of many businesses. Most organizations keep tabs on their vendors at the beginning of the relationship, having them sign a nondisclosure agreement and/or some type of contract that outlines responsibilities and expectations related to the agreement. Those organizations might also check in on their vendors’ security postures once a year for compliance purposes.
Companies may be checking off the boxes to keep the auditors happy—but, if all they’re doing is checking boxes, they’re not properly managing the risk posed by vendors. Here are three key questions Board members should ask management regarding vendors:
1. Do we understand who all our vendors are?
This question may seem simplistic, but the list of vendors is likely larger than expected. It’s worth the time to look at the contract management system or Accounts Payable to define a concrete list of vendors.
An important note here is that risk does not stop at the vendor. Thanks to HIPAA’s Omnibus Rule passed in 2013, vendor risk management programs must extend to the entire chain of vendors in a particular supply chain. That means vendors’ vendors—and so on, all the way down the chain, may need to be included in the inventory.
2. Do we have a risk ranking for each of our vendors?
Not all vendors pose the same level of risk. The waste management company probably doesn’t introduce the same level of risk to a company’s security or availability as a cloud service provider. Management should be asking questions that help determine the level of risk for each vendor, such as:
- What type of data does this vendor handle? Is it sensitive?
- How much data do they handle on a daily, weekly, monthly, etc. basis?
- How many people interact with the data?
- Is this vendor critical to the delivery of our products/services to our customers/clients?
The larger a role a vendor plays in a business, the higher the level of risk they introduce. Remember, don’t just look at risk solely from a security perspective. If a vendor doesn’t handle much sensitive data, but is critical to the company’s business offering, that vendor might still receive a high-risk ranking.
3. What controls have we implemented for our vendors?
As mentioned earlier, most companies are good at “checking off boxes” and signing the appropriate paperwork during the beginning of the relationship. But to have a truly comprehensive vendor risk management program, controls should be implemented throughout the entire business lifecycle.
Implement controls that address the risks identified in Step 2. For example, it might be appropriate to perform backups regularly and store copies offline for a cloud service provider who stores a significant amount of data necessary for normal business processes. The strategies utilized for each vendor risk management program may not eliminate certain risks entirely, but they should be able to mitigate risks to a reasonable extent.
Vendors are integral to most business processes. Therefore, it is important to not only start these relationships on the right foot, but to maintain them effectively throughout the entire business lifecycle. Properly designed and implemented oversight of these critical business relationships will help a company with their vendor risk management.
Gaining Comfort Around the Company’s Legal Processes
Look around. That’s all it takes to notice that today’s technological landscape is wildly different from what it used to be. With an abundance of new “smart” devices comes an increased risk that they will be targeted. And with a staggering amount of personal data stored, processed, and handled every day, it’s no surprise to see legislation developing around the topic.
Keeping up with changing rules, regulations, and laws around cybersecurity is a full-time job. The cybersecurity profession is evolving—quickly. The idea behind laws and regulations around information security is to inform consumers, so they can make better decisions related to their privacy.
While Board members may not be concerned with consumers’ understanding of the legal processes around cybersecurity, they should be comfortable with the company’s understanding of those legal processes and its obligations to comply with any applicable regulations. Board members should be asking:
How is the company maintaining a current understanding of cybersecurity laws and regulations?
These laws and regulations set the tone for the company’s entire culture around information security, so they can’t be an afterthought. Each organization should have a general counsel or CLO in place to stay abreast of the newest cybersecurity laws and regulations and to effectively communicate the ramifications of those laws and regulations to the company’s board and leadership team. Beyond that, each organization should also periodically work with external counsel to ensure that no “blind spots” were overlooked by the general counsel or the organization.
It’s not only important for general and external counsel to stay abreast of laws and regulations, but those individuals must also work closely with the cybersecurity team to ensure the cyber leaders maintain a thorough understanding of the laws and regulations and effectively implement controls to address them. Legal counsel should also examine each of the company’s contracts with vendors, as these contractual arrangements and obligations can introduce cybersecurity requirements, such as compliance with requirements from PCI or HIPAA.
The common thread here is reduction of risk. Noncompliance with laws, regulations, or contractual obligations adds significant risk to an organization. Maintaining awareness around these topics decreases the risk of harm to reputation, loss of sensitive data, failure to meet contractual obligations, and much more.
With all of the newsworthy events occurring related to cybersecurity compromises and data breaches, it’s hard to overlook these topics, but it’s also hard to manage cybersecurity issues effectively. LBMC Information Security can help identify the laws, regulations, and contractual obligations your company must meet and help you put controls in place to address them effectively.
Everything Your Board Should Know about Cybersecurity Insurance
Most new cars sold these days include good safety features designed to reduce the chance of a collision and minimize the impact on the occupants if one does occur. Of course, most new car buyers don’t buy a car expecting to utilize the safety features – in fact, buyers hope to never have to use them! In an ideal world, those safety features would sit unused for years.
Cybersecurity insurance is like those car safety features. It’s something an organization hopes it will never need to advantage of, but that will be very helpful in the event of an emergency. Put another way, cyber insurance is something many organizations don’t know they need, until they wish they already had it.
The difference between a car’s safety features and cybersecurity insurance, though, is that, while safety features might help car occupants walk away from a crash without a scratch, no company walks away from a breach without feeling its effects.
While cybersecurity insurance can’t stop a breach, it can help offset the cost of cleaning up the mess after a breach occurs. The problem is that cybersecurity insurance is not cheap.
But here’s the good news: How much cybersecurity insurance costs an organization depends, in large part, on the quality of the company’s cybersecurity program. When determining the cost and amount of coverage to offer, insurance companies must assess the risk involved in taking the company on as a customer.
Customers who pose more of a risk—i.e., companies “who are more likely to experience a breach” (read: Don’t have a comprehensive cybersecurity program)—will likely pay more for insurance or be denied the opportunity for coverage at all.
Conversely, companies that pose less of a risk—i.e., “who are less likely to experience a breach” (read: DO have a comprehensive cybersecurity program)—will likely find adequate coverage available and pay less for the insurance.
In short—cybersecurity insurance isn’t a bad idea, but it’s unlikely to solve any cybersecurity problems. Instead, it will help offset the cost of solving problems after they’ve already happened. Companies can protect themselves—and get a better rate—by implementing a comprehensive cyber security program.
Here are a couple of conversation starters for Boards:
- How has management determined the amount of cybersecurity insurance the company needs?
- What level of cybersecurity insurance does management require for critical vendors?
No matter where your organization is at in its cybersecurity journey, LBMC Information Security can help.
We hope this article will help you and your board shift your conversations and considerations about cybersecurity so that your board members, company management, and information security personnel can work effectively together to implement a more effective cybersecurity program. To learn more about how LBMC Information Security’s comprehensive information security services, contact us today!