Most boards of directors don't have a member who understands cyber security issues. As a consequence, they can't provide proper oversight of the companies they are responsible for. This presentation covers the issues boards of directors need to understand, the questions board members need to ask, and how security leaders should communicate with them.
Educating The Board of Directors
InfoSec Summit
Central Ohio ISSA
Bob West, Managing Director
March 29, 2016
• Board of Directors Role
• Historical Issues
• Impact
• CISO Role and Communication
• Guiding Principles for The Board
• Questions Boards of Directors Should Ask
• Summary
• Q&A
Board of Directors Role
• “A primary responsibility of every board of directors is to secure
the future of the organization. The very survival of the organization
depends on the ability of the board and management not only to
cope with future events but to anticipate the impact those events
will have on both the company and the industry as a whole…
• It is imperative that the board not relegate the cybersecurity topic
to the IT department. Directors need to take an active role in the
organization’s cybersecurity or face the possibility of potential
shareholder lawsuits, and even the possibility of being removed
from the board.”
Cybersecurity: What the Board of Directors Needs to Ask, Institute of Internal Auditors
• Reporting level
• Business prevention unit
• Lack of clear communication
• Black magic
• CSO dysfunction: target on their back
• Executive teams understand business value, impact to brand and image,
how their investments relate to top and bottom line growth
• For Security and Risk to be effective in their roles, they need to translate
security and risk into business value
• Similar to a general counsel, security and risk need to come to the table
as partners and counsel the business on what risks are acceptable
• All other parts of an organization are measured on their performance
and yet security in many instances is still considered black magic
• Mature security and risk organizations need to have clear metrics to help
the executive team understand whether they are performing effectively
or not
• A comprehensive, enterprise approach is necessary for security and risk
to align with business and technology strategy
• Security and risk need to be integrated into fundamental business
processes
Guiding Principles for the Board
• Directors need to understand and approach cybersecurity as an
enterprise-wide risk management issue, not just an IT issue.
• Directors should understand the legal implications of cyber risks as they
relate to their company’s specific circumstances.
• Boards should have adequate access to cybersecurity expertise, and
discussions about cyber-risk management should be given regular and
adequate time on the board meeting agenda.
• Directors should set the expectation that management will establish an
enterprise-wide risk management framework with adequate staffing and
budget.
• Board-management discussion of cyber risk should include identification
of which risks to avoid, accept, mitigate, or transfer through insurance, as
well as specific plans associated with each approach.
Six Questions the Board Should Ask
Does the organization use a security framework?
• ISO 27001, NIST Cybersecurity Framework or NIST SP 800-53 (the U.S.
Federal Government's comprehensive control catalog), COBIT
(governance, risk and control)
• HIPAA or HITRUST (health-care industry)
• PCI DSS for credit card acceptance (retail and finance industries)
• NERC CIP standards, FERC (electric sector)
• The follow-up question is which parts of the framework are in scope
and whether an independent party assesses the controls
Six Questions the Board Should Ask
What are the top five risks the organization has related to
cybersecurity? Typical risk areas include:
• Proliferation of BYOD and smart devices
• Cloud computing
• Outsourcing of critical business processes to a third party (and lack
of controls around third-party services)
• Disaster recovery and business continuity
• Periodic access reviews
• Log reviews
• Advanced persistent threats
Six Questions the Board Should Ask
How are employees made aware of their role related to
cybersecurity?
• The organization should have a security awareness training
program, and each employee should be required to complete the
training and pass the test annually. The CEO (or other top
executive) must communicate the importance of safeguarding the
organization's critical assets.
• Role-specific training should also be provided for:
• Project managers
• Infrastructure administrators
• Developers
Six Questions the Board Should Ask
Are external and internal threats considered when planning
cybersecurity program activities?
• Although external incidents tend to receive more media exposure,
an insider, whether malicious or careless, is more likely to cause a
major incident than an external attacker, so the program must
address both.
Six Questions the Board Should Ask
How is security governance managed within the organization?
• Understanding the three lines of defense as they apply to the
organization is important: management and operational controls
(first line), risk management and compliance functions (second
line), and internal audit (third line). There can be a gray area of
security governance between the CISO and internal audit. It is
important for the board to understand how the governance
activities of the CISO complement, rather than duplicate or
replace, those of internal audit.
Six Questions the Board Should Ask
In the event of a serious breach, has management developed a
robust response protocol?
• Incident response program
• Crisis management program
• Crisis management team and their responsibilities
• Cybersecurity: What the Board of Directors Needs to Ask, Institute
of Internal Auditors
• National Association of Corporate Directors (NACD)
• Information Security Governance: Guidance for Boards of Directors
and Executive Management, IT Governance Institute (ISBN 1-933284-29-3)