Comments
Cybersecurity: How Involved Should Boards Of Directors Be?
Newest First  |  Oldest First  |  Threaded View
inforiskgroup
50%
50%
inforiskgroup,
User Rank: Apprentice
8/19/2014 | 11:12:45 PM
Quite, according to the SEC
Please see SEC Comisioner Aguilar's speech to the NYSE given June 10, 2014. http://www.sec.gov/News/Speech/Detail/Speech/1370542057946#.U_QQqMvD8m8
David F. Carr
50%
50%
David F. Carr,
User Rank: Author
8/19/2014 | 4:22:35 PM
Re: The Board
Good point. The board should be involved as an institution, which doesn't mean every member should be involved or at least "actively involved." All should have a level of understanding of the risks they are incurring through IT operations and understand the judgments about what risks are acceptable.
David F. Carr
50%
50%
David F. Carr,
User Rank: Author
8/19/2014 | 4:16:13 PM
Re: New day
Target was certainly mentioned frequently as an example of how an organization can get stung, but board level officers weren't necessarily represented at the GRC event (or if they were, I didn't meet them).

One other example that came up was General Motors, not for cybersecurity but for the reputational risk associated for failing to act on vehicle safety problems. The couple of GM risk management specialists at the conference said they couldn't talk much about that example, other than to say that they no longer have a chief risk officer. After getting called on the carpet in front of Congress, GM CEO Mary Barra told staff she considered herself the CRO -- because it was ultimately her neck that was on the line if the company suffered another embarrassment like that.
aws0513
50%
50%
aws0513,
User Rank: Apprentice
8/19/2014 | 3:45:16 PM
Board members should be able to ask simple questions and get honest answers.
Great article!!
Often, I get engaged in security discussions with people who are on corporation boards or steering commitees.  Your article touches on the common concerns I often hear from them.  When they ask me for any guidance on what to watch or ask about, I tell them to first look into the organization infrastructure regarding security.

If the organization does not have the necessary infrastructure necessary to implement and properly maintain security controls, no security control will function as it should.  Security is not a one man shop and installing a security relevant application alone does not ensure security risk is mitigated.  It takes a team of people, each with training and appropriate accesses and resources, to ensure a security program is implemented and maintained properly.

Often, to keep things simple, I provide these folks a list of the PM controls from NIST 800-53.  For those of you not familiar with this control family, here is a quick summary list

PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Contacts with Security Groups and Associations
PM-16 Threat Awareness Program

Other than PM-15 any board member should be able to ask about how the above control items are implemented within the organization.  Always remember that any security framework is subject to consideration for the organization business model, maturity, size, and any regulatory requirements.  Where a control makes sense, it should exist.  Where it doesn't make sense, it should be documented as to why that is.

There is much more to each control, so if you are a board member or on a top level steering committee, I suggest you visit the NIST site and get a copy of 800-53 (currently release 4) and look through the PM family of controls for specifics.  If the CEO or CISO cannot provide answers to questions regarding PM controls, then there may be an opportunity for improvement, or at least an opportunity for enlightenment.

Is the NIST 800-53 framework the end-all, beat-all approach? 
No...  not likely.  But it isn't a bad start.
soozyg
50%
50%
soozyg,
User Rank: Ninja
8/19/2014 | 3:41:31 PM
Re: The Board
58% of board members felt they should be actively involved in cybersecurity preparedness

Well, yes and no. If too many Board members that don't understand the IT issues get involved, the company could have a too-many-cooks scenario. Thus the suggestion for a contact person/middle man.
soozyg
50%
50%
soozyg,
User Rank: Ninja
8/19/2014 | 3:39:03 PM
The Board
How about if at least one member of a Board is the IT contact person/middle man. This person knows something about IT and can talk to IT while explaining the IT issues to the Board.
Laurianne
50%
50%
Laurianne,
User Rank: Author
8/19/2014 | 1:56:14 PM
New day
I would think the Target experience revamped how many board members view this topic. Did that come through in your conversations at the conference, Dave?


IT's Reputation: What the Data Says
IT's Reputation: What the Data Says
InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.