Issue 90 of Board Perspectives: Risk Oversight, published by Protiviti Inc. (“Protiviti”), addresses the role of Boards of Directors (“Boards”) in ensuring that cybersecurity capabilities are continuously improving in the organizations they serve. Protiviti cites cyber as being among the top five risks for many businesses across industries, largely due to innovative IT transformation initiatives (e.g. mobile device usage, cloud computing solutions).
Research conducted by Protiviti indicates that Board engagement in security matters has improved, and the firm presented the following eight “business realities” for Boards to consider in order to maintain this trend:
- The organization must be prepared for success. Protiviti recommends Boards ensure cybersecurity is managed in a manner that allows organizations to benefit from technological innovation through resilient policies and systems rather than overly managing cyber risk at the expense of technical evolution.
- It is highly probable that the company is already breached and doesn’t know it. Cyber risk events may have already occurred and/or are underway at companies that don’t have the ability to detect them. Protiviti suggests organizations become resistant to cyber events to protect their reputation and brand image. They recommend that periodic simulations of attacks be performed and the effectiveness of defenses assessed, and that Boards focus on the length of time it takes for organizations to detect and respond to breaches.
- The board should focus on adverse business outcomes that must be managed. Protiviti suggests Boards encourage focus on organizational strategies and objectives when assessing security risks as opposed to only protecting the underlying “key” systems/applications.
- Cyber threats are constantly evolving. Protiviti stresses the need for protection measures that evolve in step with the threat, so that organizations stay ahead of changing threat profiles, and recommends that Boards become aware of how management identifies and responds to new cyber threats.
- Cybersecurity is like a game of chess, so play it that way. Protiviti cautions that reliance on technology to effectively monitor security is unsafe in today’s computing environment, and suggests organizations improve their methods of delivering protective services to create enterprise-wide cyber awareness.
- Cybersecurity must extend beyond the four walls. In light of collaboration with third parties and increases in access extended to channel partners (e.g. vendors) and customers, Protiviti recommends Boards hold management responsible for assessing the associated vulnerabilities and proactively implementing cost-effective solutions.
- Cyber issues cannot dominate the IT budget. Protiviti warns Boards that they should not allow cybersecurity spend to disproportionately suppress technological advancement, cautioning that insufficient funding for innovation could result in insolvency due to the organization’s failure to remain competitive against new market entrants.
- Directors should gauge their confidence in the advice they’re receiving. Protiviti recommends Boards consider adding technology-savvy members or advisors to assess the adequacy of the expertise the Board relies on regarding cybersecurity matters.
Protiviti also reported that cybersecurity program offices are emerging for the purpose of successfully managing large security projects in organizations that are not readily capable of managing cyber risks.
In closing, Protiviti reiterated the need for companies to target protection investments on business outcomes, maintain awareness/understanding of the changing threat landscape, and prepare for inevitable incidents since cyber risks will continually evolve and become increasingly difficult to manage.
My favorite sentence in the article was: “It is always less expensive to build security into a system’s design early rather than to retrofit it later.” What’s yours?