What are some of the critical areas of oversight that recur year after year on your board’s work plan and calendars? Financial performance no doubt comes to mind, as do matters of human and labor relations. Oversight of strategy, key performance indicators (KPIs), and execution of the strategic plan are also high priorities. The board will routinely engage in oversight of internal and external audits, executive compensation, deals and more. Compliance is another recurring area of board oversight, as is risk.
Cybersecurity & Your Organization
When it comes to risks, cybersecurity continues to attract increased scrutiny. Whether or not one of your board committees is charged with reviewing reports on trends and outcomes of phishing, social engineering and other cybercrime attempts, oversight of the organization’s protection of corporate data should also be a recurring item for the board. That’s because there’s tremendous value to be mined from your corporate data, whether you support the board of a corporation, a public sector body, a not-for-profit or any other type of organization.
When the board receives cybersecurity reports, those reports and the subsequent discussions should specifically include oversight of the organization’s storage and protection of its corporate data. That’s critical, given the value of corporate data. Think of all the confidential or sensitive mission-critical information contained in the committee and board agenda packages that you prepare, and you’ll likely have little difficulty identifying the organization’s “crown jewels.” Those would be the assorted pieces of data that are of the greatest value to the organization.
The Value of Your Corporate Data
This is the same corporate data that cybercriminals – any parties that may want to present a threat to your organization’s reputation or capacity to function – might want to extract from your organization’s systems. Alternately, cybercriminals could wreak financial, legal and other havoc by simply impeding your organization’s access to corporate data that’s essential to operations. Considered in this context, the board will want to ensure that information assets are routinely reviewed for the purpose of identifying those that have potential, if compromised, to expose the organization to significant adverse operational and reputational impacts.
If there’s any doubt as to the potential for organizations to fall prey to cybercrime, the University of Cambridge’s Global Risk Index 2019 Executive Summary, published by the Cambridge Centre for Risk Studies, will put to rest such reservations. As noted in the report, “… the frequency and scale of cyber events is growing year on year.” We are informed, too, that the severity of cyberattack losses is on the rise, “…with several recent attacks showing the potential for systemic impacts with global reach.” It may make for unpleasant reading, but it’s important to be aware of and pay attention to such reports. It’s not just other organizations facing such risks; it’s all organizations.
Boards and management teams need to recognize that cyber crime is not restricted to external parties. As cited by Cisco, the 2016 Verizon Data Breach Investigations Report found that 15% of data breaches were “… a direct result of insider deliberate or malicious behaviour.” That 15% is itself believed to reflect a low reporting rate, as not all insider breaches are discovered. You may anticipate, too, that the reported rate does not include some insider breaches that were discovered, but that went unreported. That’s in part because of the highly sensitive nature of some of the information that’s accessible to insiders.
How to Protect Your Corporate Data
What, then, is a board to do about protecting the organization’s corporate data? Let’s begin by remembering that the board’s role is one of oversight. This does not, however, absolve the board from its responsibility to develop and build its understanding of cybersecurity and cybercrime. Reports from the Chief Information Security Officer (CISO) are a logical starting point, and the board may delegate review of some routine reports to one of its committees. If one of the board’s committees is specifically tasked with attention to cybersecurity, it may ask management to routinely produce reports reflecting the monitoring and assessment of the organization’s information technology systems as well as breach attempts and outcomes.
Boards that routinely review risk registers and/or heat maps will already be reviewing and discussing technology-related risks, mitigation strategies and potential consequences associated with specific breaches. Such reports and related discussions may also assess the adequacy of internal resources.
Given the crucial nature of corporate data, it’s reasonable to anticipate that the board as a whole – and not just a committee – will routinely meet with the CISO for discussion of cybersecurity, and how the organization is protecting its corporate data. The effectiveness of such conversations will be reliant on the board and the CISO understanding one another’s needs. First, directors won’t necessarily understand tech-speak; how many of your directors and executive team are familiar with the terminology that CISOs and their staff use in everyday conversations? Ann Johnson, Corporate Vice President, Cybersecurity Solutions Group at Microsoft, has written about the culture of information security (InfoSec). She wasn’t referring to communicating with boards of directors, but Johnson’s encouragement that her industry peers examine how and what they communicate is encouraging for directors, governance professionals and executive teams.
Second, CISOs need to be appropriately briefed on what it is their boards want and need to know. You as the governance professional can help pre-empt frustrations and wasteful use of board and CISO time and goodwill by communicating the board’s needs and expectations. That way, you won’t leave your CISO guessing on what to report and discuss. By also encouraging your CISO to speak in clear terms that won’t leave directors guessing, you’ll be supporting a more productive board meeting.
Final Steps to Protecting Corporate Data
When it comes to protection of corporate data, boards could take a page from Robert Herjavec’s cybersecurity discussion recommendations for CEOs. Herjavec, the CEO of information security firm Herjavec Group, encourages CEOs to frame why-focused cybersecurity questions, rather than technical (how) questions.
Adopting Herjavec’s approach for CEOs, your board could focus its discussions and assets on assets, threats, defenses and needs. Board members might adopt or tweak his questions when considering oversight of the protection of corporate data, as follows.
What are the organization’s crown jewels (assets)? Who might want to disrupt, steal or destroy (threaten) those crown jewels? What does the organization have in place (defenses) to prevent that from happening? Where are the gaps (needs)?
From there, the board may continue to probe, again drawing on questions such as those Herjavec has recommended that CEOs ask of their teams. Some examples: Are there compliance measures we need to consider or to which we should adapt? If we’re looking at a specific change, development or roadmap, what is the timeline? What investments are required to achieve such objectives?
Boards would also be well served by routinely (annually) reviewing and ensuring satisfaction with the organization’s incident response protocols.