
Cyber security and the board

October 29, 2016

In December, I will be presenting on the topic of how much an organization should spend to address its cyber risk.

So, every publication on the topic is getting a little more attention from me than usual.

A software vendor (a new one for me), Delta Risk, recently published a white paper aimed at helping boards address the issue of cyber.

Cyber Security and the Board of Directors (registration required) focuses on financial services organizations.

That is an important point to make because the risk of damage from a cyber breach is generally high for financial services organizations. It is not always as high when it comes to manufacturing, for example.

While I respect the professionals who wrote this paper, I don’t agree with all their points.

For example, they say that the board and its members should be educated on cyber.

That sounds logical, but is it?

Should the board have a greater level of technical knowledge when it comes to cyber than the CEO, CFO, or COO?

Can the board, even if a member has cyber expertise and experience, possibly stay up-to-date?

Isn’t it better by far to obtain assurance that the issues surrounding cyber are being addressed?

  • The top executives are engaged and have a sufficient understanding to make sensible business decisions around cyber
  • Those responsible for information security have the experience, tools, resources, and so on they need to manage the risk at acceptable levels

Delta then suggests that cyber security be incorporated into the Risk Appetite Framework. They get it mostly right when they say:

The [Risk Appetite] Statement should broadly identify the information that is most valuable to the organization based on business considerations; legal and compliance requirements; the financial impact of denial, disclosure, loss, or other exploitation of that information; and other factors.

Risk needs to be expressed in terms of the potential for a breach to affect the achievement of the enterprise’s objectives. Understanding the information assets necessary to support the achievement of objectives is part of the journey, but not the entire journey.

Delta fails when they continue:

Corollary to identifying the information with the most business value is clarifying expectations on how this data is to be protected. Broad statements can be applied here such as “This category of information shall be protected with the most stringent security controls and the highest degree of operational oversight.”

That statement says and means nothing.

Is management willing to spend every penny of revenue on security controls and operational insight? Of course not!

The next paragraph is:

The Statement of Risk Appetite can also be used to establish specific risk-oriented requirements that are tied directly to business strategy. For example, up-time requirements for consumer online banking (e.g., “…On-line banking is available to our customers 99.9 percent of time throughout the year.”) or other business services may be appropriate.

Risk practitioners know that the statement is missing an expression of likelihood.

The statement as shown is an objective. How much risk to that objective is acceptable?

In this environment, where we know for a fact that we cannot provide 100% assurance that a breach can be prevented let alone detected on a timely basis, are we willing to accept a 5% likelihood that a hacker will disrupt the business? How about a 10% likelihood?

Delta is not the only firm that talks about establishing cyber metrics. While it can be useful to monitor completion of policies and procedures, training and so on, how do you measure the ability to detect a breach?

You can have world-class cyber programs and suffer a breach while the negligent competitor down the road escapes.

I don’t find this section useful.

I think it would be better to ask management:

“How do you know whether your information security program is effective? How do you measure it?”

The paper has a section on the very important topic of integrating cyber into enterprise risk management.

But I would do it differently.

We are talking about risks to objectives so we need to consider the effect of all risks on each objective.

Integration is not simply adding cyber to the risk register.

Integration is achieved when business decisions are made with due consideration of all risks, including cyber.

So, how much should an organization spend on cyber?

My general theme will be:

  • This is a business decision
  • Understand the level of risk to the enterprise and its business objectives
  • What is an acceptable level of business risk? Consider compliance requirements and the cost of non-compliance
  • What are the options?
  • How much will spending affect the level of risk? Is there a return on additional investment?
  • Is there an option that makes more sense than others?
  • Act
  • Monitor and review very frequently, as risks change at blazing speed
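The likelihood that the quoted risk appetite statement lacks, and the "return on additional investment" question in the list above, worked through as an added example (mine, not code from the post or from the Delta Risk paper): it turns the 99.9 % availability objective into an annual outage budget, models disruptive incidents as a Poisson process to get a probability of missing that objective, and tests constructed spending options against a 5 % appetite. The incident rates, outage lengths, control costs and loss per hour are all assumed figures.

```python
"""Constructed example: an availability objective (99.9 %) turned into a risk
statement with a likelihood, and spending options tested against an appetite."""
from dataclasses import dataclass
from math import exp, factorial

HOURS_PER_YEAR = 8760

def downtime_budget_hours(availability: float) -> float:
    """Outage hours per year the objective still tolerates (0.999 -> 8.76 h)."""
    return (1.0 - availability) * HOURS_PER_YEAR

def prob_objective_missed(rate: float, hours_per_incident: float, budget_hours: float) -> float:
    """Likelihood of exceeding the budget in a year. Disruptive incidents are
    modelled as Poisson with `rate` per year and a fixed outage length, so the
    objective is missed once more than k_allowed incidents occur."""
    k_allowed = int(budget_hours // hours_per_incident)
    p_within = sum(exp(-rate) * rate ** k / factorial(k) for k in range(k_allowed + 1))
    return 1.0 - p_within

@dataclass(frozen=True)
class Option:
    name: str
    annual_cost: float         # assumed spend on the control per year
    incident_rate: float       # assumed disruptive incidents per year with it
    hours_per_incident: float  # assumed outage per incident with it

def evaluate_options(options, availability, loss_per_hour, appetite):
    """Per option: P(objective missed), whether that sits inside the stated
    appetite, and net annual return versus options[0] (the current state)."""
    budget = downtime_budget_hours(availability)
    base = options[0]
    baseline_loss = base.incident_rate * base.hours_per_incident * loss_per_hour
    results = []
    for o in options:
        p_miss = prob_objective_missed(o.incident_rate, o.hours_per_incident, budget)
        avoided = baseline_loss - o.incident_rate * o.hours_per_incident * loss_per_hour
        results.append({"name": o.name, "p_miss": p_miss,
                        "within_appetite": p_miss <= appetite,
                        "net_return": avoided - o.annual_cost})
    return results

# Constructed scenario: online banking, 5 % appetite for missing 99.9 %, $50k per outage hour.
OPTIONS = [Option("current state", 0, 2.0, 6.0),
           Option("monitoring and runbooks", 150_000, 2.0, 2.0),
           Option("resilient architecture", 400_000, 0.5, 2.0)]

if __name__ == "__main__":
    for r in evaluate_options(OPTIONS, 0.999, 50_000, 0.05):
        print(f"{r['name']:<24} P(miss)={r['p_miss']:.3f} "
              f"in_appetite={r['within_appetite']} net=${r['net_return']:,.0f}")
```

With these assumed figures the cheaper option has the better net return but sits just outside a 5 % appetite (about 5.3 %), while a 10 % appetite would accept it; that is exactly why the appetite statement needs a likelihood, not only an objective.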

Your thoughts?


By the way, a recent piece in SC Magazine included a useful quote about organizations that seek only to meet regulatory requirements:

“Think about [cybersecurity] divorced from the regulatory landscape,” said David Glockner, regional director at the U.S. Securities and Exchange Commission’s Chicago Regional Office, which has its own set of guidelines for publicly traded companies. Rather, “Think about it from a business perspective: What is your most sensitive information? What are your most sensitive operations and what vulnerabilities do you have? And thinking about how you protect what’s critical to your business operation in most instances is going to get you most, if not all of the way, toward being… compliant.”

  1. October 29, 2016 at 8:41 AM

    The cost of a cyber security breach is high for financial organizations, but it can approach catastrophic levels for defense, police and transport, which are also linked to manufacturing on their supply sides. A recent Chinese orchestrated attack on Australia’s Bureau of Meteorology had implications for Defence security. The point is it’s not just finance anymore where the costs of cybersecurity breaches are high, because of the integration among organizations and the possibility the attack can be state backed or heavily funded. Many non-finance organizations are lagging behind in their management of cyber-security. This is due, in part, to late arrival to the issues but also to increased resources now being thrown behind the attackers.

  2. October 29, 2016 at 9:23 AM

    In the article you challenge the assumption that board members should be educated in cyber, saying: “Isn’t it better by far to obtain assurance that the issues surrounding cyber are being addressed?”

    Of course there is a balance, but without a minimal level of education (by at least one of the board members) how do you as a board gain assurance that “issues surrounding cyber are being addressed”? How do you ask the right questions, scrutinize the right subjects, hold the executive team accountable, apply the right pressure – if you do not understand what right looks like and can’t ask the right questions?

    If cyber is a legitimate risk to your organization then it seems like someone on the board should have a working education on Technology risk. Just like other members of the board would have similar knowledge/education of other topics.

    • Norman Marks
      October 29, 2016 at 11:22 AM

      Christian, I agree that the board members need some level of education. But that is not the #1 priority.

      Board members need, as you say, sufficient understanding to ask the right questions.

      I expect they will ‘sniff out’ when the CEO and his leadership team can’t answer the questions confidently, without resorting to generalities like “It’s fine” or “We have it under control”.

  3. Jai
    October 30, 2016 at 5:02 PM

    I agree with David that in light of high level of integration in organisations and the fact that cybersecurity is a business risk, finance is not the only area where the costs of cybersecurity breaches are high. It can be equally high in many other areas of operation.

    I do not believe that in this day and age a board member would be effective if he/she did not have a reasonable understanding of IT risks, including cybersecurity matters. Placing total reliance on the IT Manager and CEO is, in my view, a high-risk strategy.

  4. October 31, 2016 at 5:04 AM

    Boards need to have some basic understanding of the occurrences of cyber risk. For instance, that you can’t rely on assurance. I know of a big4 IT auditor who said that he would not supply assurance (like an ISO-27001 certificate or ISAE-3402 statement). The reason: zero day exploits. An organisation may have a high level of security implemented, but can already be hacked without knowing.
    So they need to have the guts to say no to the director of sales and marketing who wants to make the new company website available to the public to meet the deadline when they know it has not yet been tested for security, and accept passing the deadline.
    Second, these reports are mostly directed to big companies. In number, most companies connected to the internet are small and medium sized. This demands another set of controls. One of them could be to cut the internet connection when being severely attacked, as they will have less means for defence. You seldom read about this.
    But I agree, in all cases it should be a business decision.

  5. Koo
    November 1, 2016 at 2:05 AM

    I agree with Norman that it is too much for the Board to really understand cyber risk. The Board needs to know the implication of cyber risk to the business, for which the company then needs to have proper countermeasures. I think all this formal training for the Board on cyber risk is just an overhyped commercial development in the IT security marketplace. In Asia, most board members are senior people who can’t really understand the cyber techniques in depth anyway…
