Cybersecurity: How Involved Should Boards Of Directors Be? - InformationWeek

Cybersecurity: How Involved Should Boards Of Directors Be?

Security audit groups ISACA and IIA weigh in on what role the board of directors should play in an enterprise's cybersecurity strategies.


Members of corporate boards feel they should be much more actively involved in ensuring the organizations they oversee are adequately addressing cybersecurity. That doesn't mean members of the board of directors want to personally configure firewalls or procure intrusion detection systems -- just that they should make sure someone is doing so. The question is how to do that.

IT security audit organization ISACA and the Institute of Internal Auditors (IIA) are trying to provide answers on the proper role of board members with their report, "Cybersecurity: What the Board of Directors Needs to Ask," available at no charge through the IIA bookstore. The paper was published in conjunction with their jointly sponsored 2014 GRC Conference in West Palm Beach, Fla., a gathering of professionals concerned with governance, risk, controls, and compliance.

While IIA, which has traditionally focused on financial auditing, is the more established organization, the two have teamed up "because cybersecurity and other technology-related risks have taken on such inflated importance that our traditional sweet spot is down to 20% of the total audit plan," IIA president and CEO Richard F. Chambers explained in his opening remarks at the conference.


The report builds on an IIA survey that found 58% of board members felt they should be actively involved in cybersecurity preparedness. Only 14% said they were actively involved, although 65% said their perception of the risk their organizations faced had increased in the last one to two years. "It is clear from this survey that the board would like to be strategically involved in the cybersecurity initiatives," the report concludes, "but now the question becomes, 'What should the board do?' "

IIA usually talks about three lines of defense for cybersecurity risks, starting with a base level of controls, overseen by a governance structure typically headed by a chief information security officer (CISO), with internal audit as the backstop third line of defense. But cybersecurity and the consequences of failing to adequately secure the organization's systems and data have become so important, the report argues, that the board should act as a fourth line of defense: actively investigating whether those on the lower tiers are doing their jobs.

"If the board is still not convinced, consider this: Proxy adviser Institutional Shareholder Services (ISS) has urged shareholders to overhaul Target's board in the wake of last year's data breach. In a recent report, ISS recommended a vote against seven out of 10 directors 'for failure to provide sufficient risk oversight' as members of the audit and corporate responsibility committees. Cybersecurity is no longer simply another agenda item for IT; it is an agenda item for the board as well," the report says.

In a keynote speech, Robert E. Stroud, VP of strategy and innovation at CA Technologies and ISACA's international president this year, also made the case with a coy reference to last year's breach at the retailer with a big red target in its logo. The credit card and personal data obtained by the attackers, he said, "are a very resalable item on the black market, which is why in cyber you can't take a defensive posture and think of security as just another moat around the castle. You have to take a proactive approach, looking at attackers."

Meanwhile, risk managers need to stay a step ahead of new threats and complications posed by new technologies, from Google Glass and 3D printing to marketing programs that use big data analytics to create new classes of personally identifiable information by correlating web clicks and other consumer actions.

A firm's executive and IT leaders should be addressing those challenges directly, with auditors to check up on them. The board's role is necessarily at a higher level, but members of the board audit committee in particular should be scrutinizing the quality of cybersecurity planning. For example, the board should require that internal auditors perform an annual "health check" of the organization's cybersecurity program. In addition, board members should meet with the CISO at least annually. The board should also be aware of any dependencies on any third-party IT service providers, such as data center operators and cloud services, and the measures taken to ensure they are adequately protecting sensitive data.

IIA and ISACA recommend that boards ask the following six questions:

1. Does the organization use a security framework? Examples include COBIT and regulatory frameworks such as HIPAA in healthcare and PCI-DSS for credit card acceptance.

2. What are the top five cybersecurity risks the organization faces? How is it addressing new challenges like mobile devices, the bring-your-own-device trend, or cloud computing?

3. How are employees made aware of their role related to cybersecurity? Does every employee receive some basic cybersecurity awareness training?

4. Are both external and internal threats considered when planning cybersecurity program activities? Although external incidents tend to receive more media exposure, the report notes, an internal incident is actually more likely to cause a major cyber incident.

5. How is security governance managed within the organization? The board should understand how the three lines of defense are implemented and make sure there are no gaps between them, such as confusion about the responsibilities of the CISO vs. the auditors.

6. In the event of a serious breach, has management developed a robust response protocol? What incident response and crisis management approaches are in place?


David F. Carr oversees InformationWeek's coverage of government and healthcare IT. He previously led coverage of social business and education technologies and continues to contribute in those areas. He is the editor of Social Collaboration for Dummies (Wiley, Oct. 2013) and ...

User Rank: Author
8/19/2014 | 1:56:14 PM
New day
I would think the Target experience revamped how many board members view this topic. Did that come through in your conversations at the conference, Dave?
David F. Carr
User Rank: Author
8/19/2014 | 4:16:13 PM
Re: New day
Target was certainly mentioned frequently as an example of how an organization can get stung, but board level officers weren't necessarily represented at the GRC event (or if they were, I didn't meet them).

One other example that came up was General Motors, not for cybersecurity but for the reputational risk associated for failing to act on vehicle safety problems. The couple of GM risk management specialists at the conference said they couldn't talk much about that example, other than to say that they no longer have a chief risk officer. After getting called on the carpet in front of Congress, GM CEO Mary Barra told staff she considered herself the CRO -- because it was ultimately her neck that was on the line if the company suffered another embarrassment like that.
User Rank: Ninja
8/19/2014 | 3:39:03 PM
The Board
How about if at least one member of a Board is the IT contact person/middle man? This person knows something about IT and can talk to IT while explaining the IT issues to the Board.
User Rank: Ninja
8/19/2014 | 3:41:31 PM
Re: The Board
58% of board members felt they should be actively involved in cybersecurity preparedness

Well, yes and no. If too many Board members that don't understand the IT issues get involved, the company could have a too-many-cooks scenario. Thus the suggestion for a contact person/middle man.
David F. Carr
User Rank: Author
8/19/2014 | 4:22:35 PM
Re: The Board
Good point. The board should be involved as an institution, which doesn't mean every member should be involved or at least "actively involved." All should have a level of understanding of the risks they are incurring through IT operations and understand the judgments about what risks are acceptable.
User Rank: Ninja
3/13/2016 | 3:11:02 PM
Re: The Board
@David, could not agree more: security is always risk...
User Rank: Strategist
8/19/2014 | 3:45:16 PM
Board members should be able to ask simple questions and get honest answers.
Great article!!
Often, I get engaged in security discussions with people who are on corporation boards or steering committees. Your article touches on the common concerns I often hear from them. When they ask me for any guidance on what to watch or ask about, I tell them to first look into the organization's infrastructure regarding security.

If the organization does not have the infrastructure necessary to implement and properly maintain security controls, no security control will function as it should. Security is not a one-man shop, and installing a security-relevant application alone does not ensure security risk is mitigated. It takes a team of people, each with training and appropriate accesses and resources, to ensure a security program is implemented and maintained properly.

Often, to keep things simple, I provide these folks a list of the PM controls from NIST 800-53. For those of you not familiar with this control family, here is a quick summary list:

PM-1 Information Security Program Plan
PM-2 Senior Information Security Officer
PM-3 Information Security Resources
PM-4 Plan of Action and Milestones Process
PM-5 Information System Inventory
PM-6 Information Security Measures of Performance
PM-7 Enterprise Architecture
PM-8 Critical Infrastructure Plan
PM-9 Risk Management Strategy
PM-10 Security Authorization Process
PM-11 Mission/Business Process Definition
PM-12 Insider Threat Program
PM-13 Information Security Workforce
PM-14 Testing, Training, and Monitoring
PM-15 Contacts with Security Groups and Associations
PM-16 Threat Awareness Program

Other than PM-15, any board member should be able to ask about how the above control items are implemented within the organization. Always remember that any security framework is subject to consideration for the organization's business model, maturity, size, and any regulatory requirements. Where a control makes sense, it should exist. Where it doesn't make sense, it should be documented as to why that is.

There is much more to each control, so if you are a board member or on a top-level steering committee, I suggest you visit the NIST site, get a copy of 800-53 (currently release 4), and look through the PM family of controls for specifics. If the CEO or CISO cannot provide answers to questions regarding PM controls, then there may be an opportunity for improvement, or at least an opportunity for enlightenment.

Is the NIST 800-53 framework the end-all, be-all approach?
No... not likely. But it isn't a bad start.
User Rank: Apprentice
8/19/2014 | 11:12:45 PM
Quite, according to the SEC
Please see SEC Commissioner Aguilar's speech to the NYSE given June 10, 2014.
User Rank: Apprentice
11/18/2014 | 7:25:32 AM
Board members play a major role in securing organizations' information and privacy.
Good advice. The board typically managed risk of a fiduciary nature; now IT security and privacy concerns are an expansion of the traditional role of the board and present complex challenges. I work with McGladrey, and there's a whitepaper on our website about this very topic that may interest readers of this article.
User Rank: Apprentice
3/12/2016 | 5:49:45 AM
Board's involvement a must
Edgar Perez is teaching a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he offers cyber security workshops for boards of directors and CEOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.