Wrapping your arms around Cybersecurity has proven to be one of the most difficult tasks businesses face today. What many people don’t understand is that no security is ever perfect! When addressing Cybersecurity, it is essential that the main emphasis be directed towards how to decrease the risk of attack and the process for managing one when it occurs. Front Page Headlines, Kim S. Nash, directs us to some key points Directors should be asking their Cybersecurity Chiefs.
Boards are trying to build more productive, transparent relationships with cybersecurity chiefs to decrease the risk of attack. But directors can be stymied by a lack of basic security knowledge.
New guidance from the National Association of Corporate Directors suggests asking more searching questions of chief information security officers, including how they measure their teams and technology and whether they have ongoing contacts with the Federal Bureau of Investigation and other law enforcement bodies that investigate attacks.
The most common question directors ask of CISOs is whether their company is vulnerable to breaches similar to those at Target Corp., Anthem Inc. and the U.S. Office of Personnel Management, said Phil Ferraro, a former CISO at Las Vegas Sands Corp. who now consults with boards. But that approach is simplistic, he said. “Directors don’t understand that no security is ever perfect.”
More productive are conversations about how to decrease the risk of attack and the process for managing one when it occurs, Mr. Ferraro said. For example, the NACD suggests boards continuously ask about the most significant cybersecurity incident in the prior quarter and how the security team handled it, so that the discussion may lead to better practices.
Key Questions Directors Must Ask Cybersecurity Chiefs
— What was our most significant cybersecurity incident in the past quarter? What was our response?
— What was our most significant near miss? How was it discovered?
— How is the performance of the security team evaluated?
— Do you have relationships with law enforcement, such as the FBI and Interpol?
— Do you work with business leaders on due diligence of acquisition targets? With supply chain leaders on security protocols of vendors and other partners?
— What process is in place to ensure you can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies?
Source: National Association of Corporate Directors
Still, there is no single set of questions directors can ask to uncover all cybersecurity weak spots, said Tom Glocer, a director at Morgan Stanley and Merck & Co. Inc., and the former CEO of Thomson Reuters Corp.
“My experience is that the horribly dangerous cyber threats are the ones you don’t even know about,” said Mr. Glocer, who chairs Morgan Stanley’s board-level technology committee.
But directors should engage CISOs in continuous discussion to let management know that the board “cares and is watching,” he said. Security is a regular agenda item at Morgan Stanley board meetings, discussed boardwide and in the risk and technology committees. Morgan Stanley is one of just 15 of the Fortune 100 with a formal technology committee at the board level.
At boards less versed in technology and cybersecurity, CISOs must often first educate directors about the range of potential security problems because many members “simply don’t know,” Mr. Ferraro said.
Just 11% of board members across industries say they have a “high level” of knowledge about the topic, according to a recent NACD survey of 1,034 directors.
An important check is for CISOs to talk with board members about developing a process to ensure they can escalate serious issues and provide prompt, full disclosure of cybersecurity deficiencies, the NACD advised. “That’s something boards have got to pay attention to, because they’re on the line as much as management when something bad happens,” Mr. Ferraro said.