Cyber risk and the boardroom
The National Association of Corporate Directors (NACD) has published a discussion between the leader of PwC’s Center for Board Governance, Mary Ann Cloyd, and an expert on cyber who formally served as a leader of the US Air Force’s cyber operations, Suzanne Vautrinot.
It’s an interesting read on a number of levels; I recommend it for board members, executives, information security professionals and auditors.
Here are some of the points in the discussion worth emphasizing:
“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk. Certainly, some of the solutions and security technology can be the same, but it’s not a cookie-cutter approach. An informed risk assessment and management strategy must be part of the dialogue.”
“When we as board members are dealing with something that requires true core competency expertise—whether it’s mergers and acquisitions or banking and investments or cybersecurity—there are advisors and experts to turn to because it is their core competency. They can facilitate the discussion and provide background information, and enable the board to have a very robust, fulsome conversation about risks and actions.”
“The board needs to be comfortable having the conversation with management and the internal experts. They need to understand how cybersecurity risk affects business decisions and strategy. The board can then have a conversation with management saying, ‘OK, given this kind of risk, what are we willing to accept or do to try to mitigate it? Let’s have a conversation about how we do this currently in our corporation and why.’”
“Cloyd: What you just described doesn’t sound unique to cybersecurity. It’s like other business risks that you’re assessing, evaluating, and dealing with. It’s another part of the risk appetite discussion. Vautrinot: Correct. The only thing that’s different is the expertise you bring in, and the conversation you have may involve slightly different technology.”
“Cloyd: Cybersecurity is like other risks, so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks. Vautrinot: And demand that the answers be provided in a way that you understand. Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”
“Cybersecurity is a business issue, it’s not just a technology issue.”
This was a fairly long conversation as these things go, but time and other limitations probably affected the discussion – and limited the ability to probe the topic in greater depth.
For example, there are some more points that I would emphasize to boards:
- It is impossible to eliminate cyber-related risk. The goal should be to understand what the risk is at any point and obtain assurance that management (a) knows what the risk is, (b) considers it as part of decision-making, including its potential effect on new initiatives, (c) has established at what point the risk becomes acceptable, because investing more has diminishing returns, (d) has reason to believe its ability to prevent/detect cyber breaches is at the right level, considering the risk and the cost of additional measures (and is taking corrective actions when it is not at the desired level), (e) has a process to respond promptly and appropriately in the event of a breach, (f) has tested that capability, and (g) has a process in place to communicate to the board the information the board needs, when it needs it, to provide effective oversight.
- Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.
- Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.
- The board can never have, or maintain, the level of sophisticated knowledge required to assess cyber risk itself. It needs to ask questions and probe management’s responses until it has confidence that management has the ability to address cyber risk.
I welcome your comments and observations on the article and my points, above.
Leave a Reply
Norman Marks on Governance, Risk Management, and Audit 
General Vautrinot was part of a panel at the San Antonio NACD Chapter meeting last month (along with two other former officers now in private industry). It was the best Board-level discussion of cyber-risk I’ve ever heard. I’m a CIO who knows something about the subject, but my table-mates were quite uninformed about the subject–and we all agreed she nailed it.
I agree that no Board–and few organizations below the F50–will have the need or budget for full-time in-house resources as good as the experts that can be brought in as needed. As the interview makes clear, this is no different than deciphering the arcana of new tax laws or regulations.
There is one difference: every Board has Directors who have some experience with taxes, laws, regulations. Few have even one Director with any real IT experience. It’s all well and good to say “make the experts explain it until you understand it,” but without some base of knowledge and judgement the explanation can become so watered-down as to be meaningless.
General Vautrinot herself sits on several Boards, including that of one mega-bank. If an organization that can and does keep world-class experts on staff feels the need to have a cyber-command General on their Board, this should send a strong message to other Boards: there’s no substitute for Board knowledge of technology.
It’s also important that Boards focus on more than risk. With the advent of SMAC-IT (Social, Mobile, Analytics, Cloud, Internet of Things) disrupting entire industries, Boards need to look at the opportunities offered by technology and not just on preventing cyber-breaches.
By all means buy expertise when facing a new situation, but It’s dangerous to outsource one’s brains. Boards need to know what questions to ask and understand the answers.
Please see this related post: https://iaonline.theiia.org/blogs/marks/2015/difficulties-assessing-and-addressing-cyberrisk
The two opinions expressed are both correct.
Of course, the Board has to understand what it is talking about and get appropriate help if that is not the case, not just regarding cyber risk, but with anything that it does not understand.
Of interest to me is the (probably unintentional) debunking of the notion that risk appetite is appropriately specified at Board level. I therefore welcome Norman’s statement requiring that “management .. (c) has established at what point the risk becomes acceptable”, as long as by management it is meant each process owner’s boss. A risk appetite is risk specific.You cannot specify it before knowing what the risk is that you have to determine whether it is acceptable or not.
Cyber risk is not one risk. It will take a long time for the Board to get adequate assurance on every cyber risk with a probable effect on different aspects of the organisational objectives, especially given the statement “It is impossible to eliminate cyber-related risk.” This period could be significantly reduced if they had independent assurance that the organisation implemented adequate and effective governance, risk management and control processes.
Such assurance means that the organisation IS on continuous alert for whatever may impact on the organisation’s objectives. It will also make the point that when doing so, threats and opportunities are considered, not just threats as would seem to be the case to the uninitiated from the above. The main thing about that assurance is that when it is provided periodically (hopefully quarterly) as both engagement and overall opinions, internal auditing should ensure that it reflects a pervasive situation at each of those levels, rather than a discrete opinion about a particular risk.
I particularly welcome the paragraph beginning with the statement, “Cyber risk should not be managed separately from enterprise or business risk.” Information technology is just one of many aspects that most objectives have, that should be considered as a matter of course during the risk management process. If it does not apply to a particular objective, at least the possibility had been looked at that it might. “SMAC-IT” (or the respective components thereof) could then be added as one of the sub-aspects of security management or T service continuity (however the organisation has adopted its risk/control framework).
Thanks for the comment, Kaya