Boardroom and Cybersecurity Oversight
View(s):Computer security, Network security, Information security and Cybersecurity are used to describe the protection of information assets. In current discussions of security, there are references to both “cybersecurity” and “information security.” The objective of information security is threefold, involving the critical components of confidentiality, integrity and availability. All three components are concerned with the protection of information. Confidentiality means protection from unauthorised access, while integrity means protection from unauthorised modification, and availability means protection from disruptions in access. The terms are often used interchangeably; cybersecurity is a part of information security. The interconnected nature of critical infrastructure systems has introduced a host of new vulnerabilities with far-reaching implications. All of these factors have influenced the shift from information security to cybersecurity.
In general, cybersecurity refers to anything intended to protect an organization and individuals from intentional attacks, breaches, incidents and consequences. More specifically, cybersecurity can be defined as “the protection of information assets by addressing threats to information processed, stored and transported by internetworked information systems.” Additionally, concepts such as nation-state-sponsored attacks and advanced persistent threats (APTs) belong almost exclusively to cybersecurity. It is helpful to think of cybersecurity as a component of information security.
Although the cyberattacks on public and private organization have not made national headlines in Sri Lanka. The risk of cyberattacks directly affect both operations and the brand or reputation of a company, often resulting in significant financial repercussions. Cybersecurity practices of several organizations are heavily weighted toward measures, such as firewalls and passwords, aimed at limiting access to the organization’s network. Even though these are essential controls, they are not good enough. Further, the cybersecurity can be more difficult to control when third parties are involved, especially when different entities have different security cultures and risk tolerances.
Cybersecurity is often referred to as an information technology (IT) risk, and management and oversight is the responsibility of the chief information or technology officer, not the board. With the rapid advancement of technology and adoption automation, cybersecurity has become an increasingly challenging risk that boards need to address. Not all boards undertake key oversight activities related to cyber risks, such as reviewing budgets, security program assessments and policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risk. However, the programme on “Cybersecurity Changing Role of Board” organized by the Sri Lanka Institute of Directors indicate that cybersecurity is a must in a boardroom for organisations of all sizes.
The need to establish an organisation-wide approach to preventing and responding to such attacks has required increasing attention from boards of directors and executives across the C-suite. The risk committees and organisations address across a broad range of areas from financial risk, reputational risk, regulatory risk and others. When it comes to cyber risks, however, the term “cyber threat” is often misunderstood or a cyber threat is under estimated. Hence, the audit committee can be delegated with the task to oversee the risk programmes and policies, including cybersecurity. Ultimately, the whole board is accountable for risk oversight. The cybersecurity should be discussed at the full board level rather than left solely with a committee. Hence, a primary responsibility of the board should be to provide risk oversight with respect to cybersecurity.
Cybersecurity is a significant risk that will have a material impact. The boards should proactively ask questions of management, education and awareness programmes organisation-wide, and treat risk as a priority. As cybersecurity issues increase and become more visible, boards should take an active role in understanding the risks associated with those issues. Many boards hear from the chief information officer, chief technology officer or others who are tasked with monitoring the cyber risk. In addition, some company boards engage third-party specialists to speak with them about the risk, how to mitigate it and signs that may signal a breach. The full board takes necessary actions to stay informed on management’s risk practices so it can effectively oversee cybersecurity.
Cybersecurity should be a top-of-the-mind issue for boards, and directors should become more pre-emptive in evaluating cybersecurity risk exposure as an organization-wide risk management issue and not limiting it to an IT concern. Following are questions the boards can ask to help raise awareness of cybersecurity issues:
· Is there someone on the board who serves as an information technology expert and understands cyber risks?
· Is there a committee assigned to address cybersecurity?
· Does the organization have a chief security officer who reports outside of the IT organisation?
· How do we track what digital information is leaving our organisation and where that information is going?
· How do we know who’s really logging into our network, and from where?
· How do we control what software is running on our devices?
· How do we limit the information we voluntarily make available to someone who could potentially pose a cyberthreat?
· Do the outsourced service providers and contractors have controls and policies in place and do they align with the organisation’s expectations and comply with cybersecurity policies?
· Is there an ongoing organisation-wide education or awareness programme established around cybersecurity?
· Does the organization have cyber insurance?
The following can provide a high-level guide for establishing a cyber threat risk governance programme, and the approach discussed above can provide a start toward understanding an organisation’s capabilities for managing and mitigating the risks cyber threats pose today. However, neither is intended to substitute for a formal, rigorous IT security assessment performed by specialists.
A security programme to stay informed about cyberthreats and their potential impact on the organisation.
Institute a process for cyberthreat risk intelligence.
Hold a C-level executive accountable for cyber risk management.
Provide sufficient resources for the organization’s cyber risk management efforts.
The management should submit regular substantive reports on the organisation’s top cyber risk management priorities.
Establish continuous monitoring methods that can help the organization predict and prevent cyber threat.
Evaluate cyber risk management effectiveness as part of Internal audit reviews.
Track and report metrics that quantify the business impact of cyber risk management efforts.
Monitor current and potential future cybersecurity-related legislation and regulation.
Cyber threats will eventually equal or eclipse the terrorist threat. There are only two types of organizations: those that have been hacked and those that will be and it is important that boards ask themselves what type of an organisation they are and what are they doing about it. (The writer is a Governance, Risk and Compliance professional and Director at Layers-7 Seguro Consultoria (Pvt) Ltd. He is the founding member and Secretary of the (ISC)2 Chennai Chapter, Founder/President of Information Security Professional Associates (iSPA), a board member of the (ISC)2 Colombo Chapter and ISACA Sri Lanka Chapter. He can be emailed at sujit@layers-7.com)