The accountability gap
Tanium teamed up with NASDAQ to shed light on the gap between corporate leaders’ presumed and actual understanding of their own cybersecurity vulnerability. In The Accountability Gap: Cybersecurity & Building a Culture of Responsibility, researchers from Goldsmiths, University of London, identified seven inherent challenges that businesses must overcome to manage cybersecurity vulnerability: cyber literacy, risk appetite, threat intelligence, legislation and regulation, network resilience, response and behavior.
Importance of enterprise risk management (ERM)
The relationship between risk and the board is an increasingly complicated dance. The lightning-fast pace of technological and economic change has made Enterprise Risk Management (ERM) a more demanding, hands-on responsibility for directors. And while taking on risk has many strategic advantages for an organization’s growth, cybersecurity has risen to the top of the ERM list — a very different threat requiring a different strategy, language and ground rules. Cybersecurity vulnerability is a risk that can’t be managed or mitigated. It must be eliminated. An organization can no longer leave the responsibility for cyber exclusively to technical leadership: everyone from the top down should be held accountable for the consequences of cybersecurity vulnerability.
While board members should not be expected to be technology experts, the board should be in a position to ask the right questions about IT benchmarks and best practices within the industry. We found that 91% of board members at the most vulnerable companies are unable to interpret a cybersecurity report and only 50% reported receiving cybersecurity training.
Boards must understand an organization’s cyber threat landscape — just like any financial risk. But if an organization lacks confidence in its data, the right operational controls are not in place, and boards don’t understand enough to assess and oversee cybersecurity, who is actually accountable? Board members can do more to help themselves, and technical leadership can do more to partner with the board.
What board members can do to help themselves
CIOs and CISOs can begin turning around these numbers by providing the board with:
- An overall understanding of the threat landscape
- An accurate identification of company assets and associated risk levels
- A clear explanation of the costs incurred for security relative to risk mitigation for the business
As a director myself, I speak to cybersecurity experts on a regular basis and review case studies to keep up to speed. Through my years working in the enterprise and consumer tech industries, I am fortunate to understand IT environments, classes of security technology and the general language used to describe cybersecurity issues; board members who do not have this background should speak with their company CIO or CISO. At a minimum, information and security leaders should lead an annual “Cyber 101” session and share a glossary of terminology in lay terms.
Other recommended activities:
- Expand your board’s Audit Committee to encompass both Audit and Risk, as well as adding a cyber risk member to the committee who has a deep background and knowledge of cybersecurity and how it relates to and impacts the organization
- Conduct a business impact assessment and ensure non-technical leadership understands cybersecurity’s impact on the business
- Conduct annual board evaluations to proactively identify where effort should be targeted to continuously improve cyber skills
- Create a standard set of metrics and a scorecard for easy month-over-month and year-over-year benchmarking
- Develop a three-year security plan, which allows the board to understand and track the progress of planned improvements to mitigate identified risks
The introduction of Sarbanes-Oxley ten years ago was a turning point in company financial oversight and control and completely changed the way fiduciary oversight was handled. While we have not yet met the same tipping point with respect to cybersecurity, oversight of the IT environment is a key element for all public company audit plans. I am encouraged to see the development of cyber risk management frameworks today and expect that public company boards will ultimately understand and oversee cyber risk frameworks like they do today with financial reporting. Until then, it’s on all board members to take an active role in their own cyber literacy.