Corporate Boards Must Lead on Cybersecurity

The past few weeks have been a reminder for corporate leaders that the world’s businesses are vulnerable to catastrophic cyberattacks.

In short order, Colonial Pipeline paid a $4.4 million ransom to cybervandals who locked down its computer systems, and President Biden issued an executive order requiring federal contractors to shore up software security and quickly report any breaches or malicious activity to the government.

Fortunately, many CEOs have taken a proactive approach. Few people have seen this up close like Maggie Wilderotter. As a former CEO (nearly 12 years leading Frontier Communications) and a board member of Hewlett-Packard Enterprise, Costco, and Tanium, she addresses these issues every day.

[Read also: President Biden’s executive order: Strengthening cybersecurity defenses.]

Wilderotter recently spoke with Endpoint about what she’s seeing in corporate boardrooms, the business challenges that cyberthreats pose, the importance of public and private collaboration, and how and why companies must diversify their boards to keep up with emerging cyberthreats.

What role should boards play in navigating cyberthreats?

Boards have to play an active role. Part of a board’s work is to make sure we mitigate risks and that we understand what the top risks of the company are. We have to understand what the company is doing about managing that risk.

And we have to ensure that governance and transparency satisfy the needs, not just of the company’s shareholders but also of its stakeholders. That includes its customers, government affiliations, and other businesses that rely on the company in their supply chain.

For instance, I chair three public company audit committees. We are in charge of risk oversight on behalf of the board, which has ultimate oversight responsibility. Some public company boards actually have a cybertechnology committee. Cyber is a review we do every quarter at the audit committee level, and we do a deep dive with the board once a year. But a lot of that is based upon what we know, not what we don’t know.

What are the challenges in providing security oversight?

We’re still dealing with a lot of networks that are legacy. The processes and capabilities of those networks don’t necessarily lend themselves to resist the sophistication of today’s cyberattacks. Transforming those networks takes time, effort, money, and other resources.

So, everybody, I think, plays more catch-up than we do getting ahead of it. And when it comes to legacy systems, there’s a lot of hesitancy to even touch them because organizations don’t want to experience the downtime or because it’s expensive. But you just have to bite the bullet and do it.

When it comes to legacy systems, there’s a lot of hesitancy to even touch them.

What’s happened over time is when a new cyber vulnerability is discovered, companies wind up buying a point solution instead of thinking about utilizing a platform that can be expanded to solve a problem. So over time, companies wind up with multiple point solutions, and none of them are integrated or talk to each other. 

Company CTOs, your CIOs and CISOs, have chosen these solutions and implemented them. Then, over time, companies realize that unless solutions are integrated properly, they’re really not protected. With a large set of point solutions, the technology leaders are not quick to replace them because of the investments made to install and utilize them in their systems.

It would also make those leaders look less competent in their decisions for having implemented these point solutions in the first place. CIO and CISO tenure is already short for large enterprise companies. So, the pressure is to “live with” a less than adequate solution set.

So how does a company solve this problem?

The solution is to have the senior leadership—including the CEO, CFO, and COO—as well as the board ready to give permission to replace these point solutions with platforms that can be leveraged with multiple application solutions that are fully integrated.

[Read also: How to take control of assets across your organization]

Then, these platforms can give horizontal linkages across all facets of the company for visibility, vulnerability testing, and—for that key defense—isolation when something does happen. And if something happens, a breach or other malicious activity, you must have a system that can give you facts so you can act fast. Attacks will continue to morph and get more sophisticated. The cost of the Colonial Pipeline breach was $44 million, significant but below the $200 million average cost of a breach for large enterprises.

Today, boards are looking for cyber and technology expertise, and if they don’t have it themselves, they are looking to outside consultants, industry partnerships, and think tanks to educate themselves.

Has the federal government done enough to make businesses understand how serious the threat is, and to offer businesses the support they need?

One of the things government has not done, and I think private enterprise would really love, is to look at cybercrimes as an act of war. What do I mean? The catalyst for all this was the Sony attack from North Korea. [In 2014, North Korea hacked Sony Pictures’ corporate IT system after the studio released a Seth Rogen film parodying North Korea’s leader, Kim Jong-un.]

We are now seeing foreign actors with ransomware freezing companies’ assets. These are acts of war.

We are now seeing foreign actors with ransomware freezing company assets. These are acts of war. These attacks amount to one nation trying to destroy the economy of another nation. I have not heard about any open discussions about this in Congress or even between Congress and the business community. That should happen.

Who in the government should be responsible for this?

There are a lot of government agencies that have some cybersecurity responsibility, but a more cohesive plan or program should be put in place. A more proactive collaboration between the public and private sector is really needed. I ran a telecom for 12 years. Telecom is highly regulated.

The industry holds a lot of people’s personal communications information. Our governing agency is the FCC, and they have a great track record in consumer protection. The other regulated industry with strong cyber-regulatory oversight is the financial industry, which includes large and regional banks.

[Read also: Global threats require a global response]

So, there are best practices out there to use as a starting point for public-private partnerships to put capability in place for cybersecurity and ensure it’s shared with software supply chains, which are spread across the globe and are not always very sophisticated in their security. That would go a long way toward better protection and detection.