Board-level responsibility for cybersecurity is a frequent topic for discussion today, though not universally accepted. A pending bill introduced in Congress on March 7, 2017, may change this. S.536, known as the “Cybersecurity Disclosure Act of 2017,” may force the issue into the boardroom, said Kevin Townsend of SecurityWeek, by requiring a board-level representation of cybersecurity expertise in annual SEC filings.
The purpose of S.536 is to promote transparency in the oversight of cybersecurity risks at publicly traded companies. It does so by imposing three requirements: 1) annual reports to the SEC must disclose the level of a board’s cybersecurity expertise; 2) if no such expertise exists, the reporting company must instead file a statement of the other cybersecurity steps it has taken; and 3) the SEC, in consultation with the National Institute of Standards and Technology (NIST), is charged with defining what constitutes cybersecurity expertise, i.e., what specific skills and experience will qualify a board member as a cybersecurity expert. Soon, S.536 or other legislative or regulatory dictates may accelerate board considerations about the benefits and methods of enlisting cybersecurity expertise, and may legally impose such requirements.
Addressing the Accelerating Need for Cybersecurity Risk Assessment
As I write this, Reuters reports that major global firms have been targeted with ransomware attacks, including British multinational advertising and public relations agency WPP, Russian oil and gas company Rosneft, FedEx and Danish shipping firm Maersk. “Like many other companies worldwide, (FedEx subsidiary) TNT Express operations have been significantly affected by an information system virus,” said Patrick Fitzgerald, SVP FedEx integrated marketing and communications. Maersk issued a similar statement, saying its tech systems “are down across multiple sites and business units due to a cyber-attack.” (CNNtech) A similar broad attack on global interests, including the British healthcare system, occurred a month ago.
Nearly one-third of businesses have been victims of a major cyberattack over the past year, according to a recent survey jointly published by Harvey Nash/KPMG. Each year, the corporate world loses nearly $400 billion dealing with, and recovering from, breaches in cybersecurity. The amount spent on remediating computer viruses alone has reached about $55 billion per year. There is no evidence that these numbers will do anything but increase in the near future.
A cybersecurity expert on the board can certainly help by:
- Directing the board’s assessment of the company’s cybersecurity risk in a comprehensive plan to prevent a breach or respond to one;
- Ensuring that adequate cybersecurity policy is in place;
- Facilitating full board discussions on cybersecurity and assuring that the discussions are well documented; and
- Educating and training other board members on key cybersecurity issues.
A Cybersecurity Expert Can Properly Frame a Firm’s Cybersecurity Focus
Thirty years ago, Paul O’Neill, the new CEO of the Aluminum Company of America (Alcoa), stunned Wall Street by announcing to a group of prominent investors that a struggling Alcoa would not focus initially on profits. “If you want to understand how Alcoa is doing, you need to look at our workplace safety figures.” Profits, he said, didn’t matter as much as safety. “I intend to make Alcoa the safest company in America. I intend to go for zero injuries.”
The investors in the room almost stampeded out the doors when the presentation ended. One jogged to the lobby, found a pay phone, and called his 20 largest clients. “The board put a crazy hippie in charge, and he’s going to kill the company,” the investor said. He ordered his clients to sell their stock immediately, before everyone else in the room started calling their clients and telling them the same thing.
When O’Neill retired 13 years later, Alcoa was recognized as one of the safest companies in the world and, importantly, one of the most profitable. What O’Neill did was move safety from the back burner to the front. Like most companies in those days, Alcoa’s safety controls and processes were layered onto an already existing business plan. O’Neill demanded that safety policy and processes be embedded into every single day-to-day business process at its inception. “Safety first” meant just that. In fact, O’Neill’s relentless focus on safety improvements had a stunning ripple effect on the improvement of all company processes and, in the end, on profits.
Cybersecurity, until recently, was similarly situated on corporate flow charts. IT departments, like earlier safety and quality departments, were driven by leaders who were expected to apply cybersecurity controls, processes and fixes over existing business plans and processes. Extraordinary improvements in safety and quality only occurred after business leaders insisted that these disciplines work in tandem with operational leaders in the design of business plans and processes and embed safety and quality controls into everyday business processes at the outset.
This is where a cybersecurity expert on the board can perhaps have the greatest impact, by asking management the right questions to assure that business leaders drive cybersecurity programs and don’t simply assign them to a separate department. A cybersecurity expert with the right combination of management and communication skills and cybersecurity knowledge can be instrumental in helping the board shape a firm’s cybersecurity focus and culture.
This role will become increasingly important with the inevitable expansion of the Internet of things. As more products are designed that communicate with each other, it will be critical that everyone recognize that each new product becomes another entry point for hackers. A company that involves cybersecurity in the design of its products will both mitigate risk and enjoy a competitive advantage. A board armed with the proper cybersecurity expertise will play a big part in this process.
Choosing the Right Cybersecurity Expert
Selecting the right person to fill critical cybersecurity board positions will not be an easy task. The ideal person should straddle both the business and security arenas. Finding a candidate “who can parachute into boardrooms and provide guidance is quite difficult,” said Steve Durbin, managing director of the non-profit Information Security Forum. “The person must be a hybrid with strong communication skills, who understands how to operate at the board level, and have an understanding of the cyber space.” He added that this may be a chief privacy officer or chief risk officer with business experience. It certainly would not be someone with only hardware or software experience.
As stressed above, one of the biggest challenges is driving a change in corporate culture from the board’s vantage point. To this end, those who have had experience in senior management positions and who can command the respect of others who may not initially agree that cybersecurity deserves “a seat at the table” will be at a premium.