Note To The C-Suite: It’s Time To Stop Avoiding Cyber Risk Governance

The significant threat cyber attacks represent to commerce and infrastructure is intensifying calls for government to “encourage” companies and agencies to act more responsibly. Pending actions, which include a presidential executive order, bills in the U.S. Congress, and legislation in 35 state governments, call for standardized cyber risk reporting and management based on a de facto standard, namely the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). What is driving all this activity?

The recent revelation of two massive Yahoo breaches raised the bar for the scale and awareness of devastating cyber attacks. The $350 million drop in the valuation of the company’s acquisition by Verizon made it clear that technology alone won’t overcome a lack of management and board commitment to protect an enterprise from cyber risk. Ripple effects of the Yahoo breach and multiple breaches of U.S. government agencies has led to widespread calls for more and better oversight of cyber risk on a par with oversight of financial risk, and it is rapidly elevating the importance of cyber risk governance (CRG).

In the last two years, a broad understanding has emerged: cyber risk is no longer a problem that IT should grapple with alone. While IT professionals have worked hard to build moats around their organizations using millions of dollars’ worth of external perimeter defense technologies, the truth is that most breaches don’t result from technology failures. Leaving the problem to IT without executive oversight has resulted in spending 80% of cybersecurity budgets to protect the perimeter, while only 20% of breaches result from failed technology, according to Zeus Kerravala, principal analyst at ZK Research.

Mitigating risk that cyber attacks pose to enterprises requires a widespread awareness that the right mix of people, policies and process, paired with technology, is necessary. Cybersecurity should be a team sport; it involves the CIO and CISO, of course, but other critical functions each have important roles to play in enhancing cyber resilience, including Internal Audit, General Counsel, Risk Management, Human Resources, and Procurement.

If cybersecurity is a team sport, what key steps can team members take to implement effective CRG?

• CIOs and CISOs should acknowledge that their efforts must be augmented with a broad culture of awareness and action, and they must be willing to deliver information that matters and is comprehensible to non-technical team members.
• Internal Auditors should devise understandable internal control systems for managing cyber risk that foster collaboration across the enterprise.
• General Counsel should insist on cyber risk management processes that do more to decrease liability for the company, its management, and its board.
• Risk Management needs to fully embrace cyber risk as an equal enterprise-wide source of risk and insist that it be treated equally as important as other sources of risk.
• Human Resources must work hand in hand with IT and Security to (a) ensure that every employee learns how to avoid introducing risk into the organization’s networks, and (b) ensure that only necessary employees are given appropriate access to critical data.
• Procurement should begin evaluating the risk that doing business with an insecure vendor represents, improve its vetting processes, and incorporate cyber risk into the evaluation process.

The failures that breaches characterize are a direct result of people, policies and process that are not aligned with a security-minded IT team. Cultures must change, boards and C-suites must adjust, and CRG needs to be considered an integral business function.

Improving cyber risk governance has been discussed in the past, but it’s now on the front burner as the best way to focus on effective management of cyber risk and to orchestrate organization-wide risk mitigation efforts. It’s become a topic in most boardrooms as directors accept cyber risk oversight as part of their fiduciary duties and look for objective ways to evaluate and monitor their organization’s cybersecurity.