Cyber risk and the boardroom
The National Association of Corporate Directors (NACD) has published a discussion between the leader of PwC’s Center for Board Governance, Mary Ann Cloyd, and an expert on cyber who formally served as a leader of the US Air Force’s cyber operations, Suzanne Vautrinot.
It’s an interesting read on a number of levels; I recommend it for board members, executives, information security professionals and auditors.
Here are some of the points in the discussion worth emphasizing:
“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk. Certainly, some of the solutions and security technology can be the same, but it’s not a cookie-cutter approach. An informed risk assessment and management strategy must be part of the dialogue.”
“When we as board members are dealing with something that requires true core competency expertise—whether it’s mergers and acquisitions or banking and investments or cybersecurity—there are advisors and experts to turn to because it is their core competency. They can facilitate the discussion and provide background information, and enable the board to have a very robust, fulsome conversation about risks and actions.”
“The board needs to be comfortable having the conversation with management and the internal experts. They need to understand how cybersecurity risk affects business decisions and strategy. The board can then have a conversation with management saying, ‘OK, given this kind of risk, what are we willing to accept or do to try to mitigate it? Let’s have a conversation about how we do this currently in our corporation and why.’”
“Cloyd: What you just described doesn’t sound unique to cybersecurity. It’s like other business risks that you’re assessing, evaluating, and dealing with. It’s another part of the risk appetite discussion. Vautrinot: Correct. The only thing that’s different is the expertise you bring in, and the conversation you have may involve slightly different technology.”
“Cloyd: Cybersecurity is like other risks, so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks. Vautrinot: And demand that the answers be provided in a way that you understand. Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”
“Cybersecurity is a business issue, it’s not just a technology issue.”
This was a fairly long conversation as these things go, but time and other limitations probably affected the discussion – and limited the ability to probe the topic in greater depth.
For example, there are some more points that I would emphasize to boards:
- It is impossible to eliminate cyber-related risk. The goal should be to understand what the risk is at any point and obtain assurance that management (a) knows what the risk is, (b) considers it as part of decision-making, including its potential effect on new initiatives, (c) has established at what point the risk becomes acceptable, because investing more has diminishing returns, (d) has reason to believe its ability to prevent/detect cyber breaches is at the right level, considering the risk and the cost of additional measures (and is taking corrective actions when it is not at the desired level), (e) has a process to respond promptly and appropriately in the event of a breach, (f) has tested that capability, and (g) has a process in place to communicate to the board the information the board needs, when it needs it, to provide effective oversight.
- Cyber risk should not be managed separately from enterprise or business risk. Cyber may be only one of several sources of risk to a new initiative, and the total risk to that initiative needs to be understood.
- Cyber-related risk should be assessed and evaluated based on its effect on the business, not based on some calculated value for the information asset.
- The board can never have, or maintain, the level of sophisticated knowledge required to assess cyber risk itself. It needs to ask questions and probe management’s responses until it has confidence that management has the ability to address cyber risk.
I welcome your comments and observations on the article and my points, above.