The SolarWinds supply chain hack in 2020 was beyond bad. It exposed sensitive data from 100 companies and government agencies and caused the network-management company’s stock to nosedive. But what hit the company later was equally troubling—and personal.
Investors sued former and current members of the board of directors in November 2021, alleging they had failed to properly monitor cybersecurity risks that led to the hack.
The lawsuit served as a wake-up call for board members who simply sit back and delegate cybersecurity oversight to corporate leaders. Emerging legal and regulatory requirements, including new board governance and reporting rules now under SEC review, are making that hands-off approach as obsolete as relying on firewalls for corporate security.
Today, board oversight for cybersecurity is dismal. In fact, many boards are unprepared to deal with a cyberattack, according to a recent survey by the Cybersecurity at MIT Sloan (CAMS) consortium in Harvard Business Review: 23% of respondents say there are no board plans or strategies in place for cybersecurity. And even though 88% of boards view a security breach as a major business risk, only 12% have a board-level cybersecurity committee.
Among the issues: a lack of technical expertise among board members—something the proposed SEC rules seek to solve. Unfamiliarity with security technology makes it difficult to parse executive briefings that are often laden with jargon and acronyms.
Worse, board members often don’t know what questions to ask to assess the security of a company’s network and its assets against cyber threats.
Here’s one question they do ask, right after a headline-grabbing flaw like Log4j: Are we protected against this? Even if the answer is yes, the question misses the point: Bad actors, always probing for new vulnerabilities and cooking up more potent recipes, move on faster than you can say “bitcoin transfer.”
With cybersecurity, you’re always playing Whac-A-Mole. That’s how I describe it to the board members I meet who are eager to learn how to step up and help. Having spent my career in cybersecurity beating back the bad guys, including some 21 years at Wells Fargo, I can tell you every time there’s a problem, security pros in every industry want to spend big bucks on a new hammer. But that hammer only works for a similar mole coming through the same kind of hole.
So what questions should board members ask? Here are six that I find most helpful for boards looking to improve their company’s security spending, planning, and governance.
1. Which assets are we securing?
Asset visibility is a basic but critical question. After all, you can’t protect what you can’t see.
But only 30% of IT professionals are very confident in their ability to monitor more than 85% of their organization’s endpoints at any time, according to a survey by research company IDG Connect.
How many pieces of hardware are connecting to the company’s network, and which software is running on those devices? How do security executives know what they know? Exact numbers won’t be meaningful to board members, but they can probe further to verify that corporate leaders have reliable asset discovery and inventory systems in place, and that those systems are reconciled against one another rather than trusted in isolation.
2. How are we protecting our “crown jewels”?
Examples of a company’s “crown jewels”: source code for key products; encryption keys and security strategies; sensitive financial, legal, and regulatory discussions. Board members must fully understand the controls a company has in place to secure access to this and other highly sensitive data.
For instance, how secure are cloud platforms? Does the company know which employees have privileged access to certain data?
How often does the organization conduct threat assessments and penetration testing exercises to find vulnerabilities around its highest-value data, and has it acted on the insights gleaned from those exercises?
3. Who exactly poses the greatest security risk to us?
Board members need to uncover the company’s potential attackers, beyond the generic “usual suspects” like Russia, China, North Korea, and Iran.
A key way to do this is through adversarial consulting, a line of inquiry that goes beyond the simple “who might attack us” question and asks: “What do we look like to an attacker, and how could they carry out an attack?” This approach goes a long way toward determining whether the organization is adequately protected against the well-known tactics, techniques, and procedures used by any would-be miscreant. Beyond nation-states, threats may include hacktivists seeking to cause mayhem, competitors looking to steal intellectual property, and the most headline-grabbing threat at the moment, ransomware gangs after lucrative payouts.
Directors should also ask about the protocols in place to educate employees about the latest phishing tactics and other threats, and whether the company has baked a “zero trust” approach, in which no user or device is trusted by default, into its security posture.
4. What level of confidence do we have in our risk-mitigation strategies?
Yes, “confidence” is a subjective metric, but it’s important for board members to ask executives about confidence levels as a way to gauge whether the security team feels it has adequate resources and support to meet the challenges the company faces. If corporate leaders report that their confidence level in a particular technology or approach is close to 100% or below 20%, alarm bells should ring.
Regardless of the precise numbers, the best C-level leaders will bring data to the boardroom to support their estimates, such as: the number of critical vulnerabilities, the average days to patch them, and the percentage of third parties assessed over the past 12 months, charted over several quarters. The best data includes value-based metrics aligned with business outcomes, such as a 70% reduction in ransomware recovery costs or a 50% reduction in unscheduled outages related to unpatched vulnerabilities, according to a recent conference presentation from Gartner vice president and distinguished analyst Paul Proctor.
5. Which proactive measures are in place to prepare for a breach?
Board members tend to approach cybersecurity with a defensive mindset. But given the skyrocketing number of cyberattacks, corporate leaders should proactively envision specific breach scenarios. To do this, a company must have a well-defined computer security incident response team (CSIRT) in place. It must also have documented incident response plans.
Among the strategic initiatives corporate security leaders may deploy are cyberattack simulations that test those plans. Doing so will expose weaknesses, proactively revealing blind spots. At some companies, such as Mastercard, board members participate in attack simulations, which can help translate their theoretical knowledge into lived experience.
6. What is the board’s role in the event of an incident?
While most companies have incident response plans in place in case of a cyberattack, board members should ask key questions about their role, as well as who within the organization “owns” critical response and incident recovery plans. Will the company potentially pay a ransom? Is it legal to do so? (Paying a group under government sanctions can itself be a violation, so the answer depends on who the attacker is.) A ransom policy should be in place in case the board cannot be convened on short notice. Who contacts authorities during a ransomware attack?
Other questions include: How will the board communicate with one another if corporate networks become paralyzed? Who will communicate with employees, customers, and vendors in the event of a massive breach? Is there a public relations strategy in place for communicating with the press?
Ensuring that a plan exists isn’t good enough—board members should vet the plan at a high level, and discuss their role in it, before a breach occurs. Ultimately, they should remain alert and prepared. Only then can they hope to avoid becoming the next target of a SolarWinds-style lawsuit.