Managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Yet, it would seem that many executive committees are still ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks. What are the key questions executives, board members and audit committee members should ask themselves with regard to how security risk is managed within their organization?
This post first appeared on CSO Online on December 11, 2017.
What do we see?
Over the past 10 years there has been a dramatic increase in the number of security incidents. To give just one example: in just 10 years (2006-2015), the US government saw a 1300% increase in cyber security incidents. 2016 and 2017 have only confirmed this trend with a staggering number of data breaches, ransomware attacks, phishing incidents, etc. Not surprisingly, security risk has claimed a top spot among the top business risks in many, if not all, industries. Company boards and executive committees can no longer ignore the fact that just one serious security incident could significantly impact the bottom line and future growth of their company, and potentially even cost them their jobs.
The good news is that managing risk is at the forefront of responsibilities that C-level executives deal with on a daily basis. Managing business risk, and even firefighting, is part of the job description, and planning to prevent the fires is what successful companies do. Hence, CEOs and other members of the C-suite should be well versed in dealing with risks, including security risks.
Yet, both security incidents and research seem to indicate that many executives are not ready, nor set up, to manage security risks:
- A recent report by F5 Networks found that although 65% of CISOs say they report to senior executives, most often that reporting is limited to incident and crisis reporting. It also indicates that 35% are not even reporting on that.
- A 2016 report from Nasdaq and Tanium states that more than 90% of corporate executives say they can’t read a cyber security report and aren’t prepared to handle a major attack.
- Severe data breaches have already cost CEOs their jobs (e.g. Equifax and Target). However, it is more likely (though less reported) that the CISO takes the fall. After all, isn’t the CISO responsible and accountable for security? While this may seem logical, it ignores the fact that security is a shared responsibility across the company and that there are many times when the security requirements and the CISO are ignored. Additionally, I would like to quote a question of Wim Remes, Chairman of the Board of the International Information System Security Certification Consortium, or (ISC)²: “You don’t fire your general counsel when you get sued, so why would you fire your CISO when you get breached?” So, without looking into the individual cases, but just at the trend, blaming and even firing the CISO seems to be one more indication that there is still a major disconnect between the CISO and the CEO.
Basically, it comes down to this: when the CEO (and by extension the executive committee and the board) is ignorant of security risk due to a lack of understanding or an unwillingness to take the time to learn the risks, then:
- Important decisions about security do not get made
- The CISO is not enabled, nor empowered to successfully help protect the company
- The company is not prepared for the many and ever-increasing security risks it is facing
6 key questions executives should ask themselves
As a C-level executive, board member or audit committee member, there are a number of key questions you should ask yourself about the manner in which security risk is managed in your company.
1. Does your CISO have both the organizational and positional power to escalate issues that they feel strongly about to the appropriate C-level or even board position?
- Your CISO will not be successful unless he or she has the buy-in and engagement of the executives. Without this, your CISO will simply be perceived as a business blocker and his or her efforts circumvented. Your CISO needs to have the organizational power and position to effectively challenge business risk decisions that are not good for the company.
2. Are you a passive listener to what your CISO has to say, or do you actively engage in the conversation? Do you demand the latter from the other executives as well?
- An involved CEO meets regularly with the CISO, reviews reports, asks questions, and provides encouragement and support in front of the other executives and board.
3. Do you know what your security policies are about, what their objectives are, and do you understand that they help to define the level of risk you are willing to take as a company?
- As an executive you must actively endorse and support the security policies, and not just passively agree to them as a mere formality. If you don’t bother or don’t believe in enforcing the security policies that were put in place to protect your company’s information (systems), you let down your company, your employees, your suppliers, your customers, …, and then you probably deserve the security incidents that will inevitably occur.
4. Are you considering security as a responsibility and accountability that is shared across the company or are you attributing it completely to your CISO and his or her security team?
- Controlling security can’t be relegated to one person or one team. It’s an enterprise risk and business problem, not just a CISO problem to resolve. It should not be the CISO alone who decides how much to invest and what the right thing to do is. That actually needs to be in the hands of the Executive Committee. The CISO obviously plays a facilitating role and you can make a CISO responsible for particular security tasks, but a CISO can never be held accountable for the security tasks and responsibilities of others. You should therefore – with the help of your CISO – institute a security program that engages all the different stakeholders in the company. Clear assignment of responsibilities is vital. Groups who are responsible for protecting crucial data, like IT, HR, procurement, and marketing, must become cyber-conscious and accountable too.
5. Are your discussions on executive and board level driven by front page news and incidents?
- As information security breaches continue to make the front pages, organizations need to ensure that headlines don’t drive the information security program. Ensure your CISO has regular interactions with executive leadership to create clear visibility into all areas of security risk, i.e. a structured form of risk reporting that allows you to manage security risks in a forward-looking manner, aligned with the business strategy.
6. Do you believe security problems can be solved by simply investing in the right security tools and solutions?
- Incident-driven security risk discussions tend to result in throwing money at the issue and investing in new security solutions. However, to quote Tim Holman, past president of the Information Systems Security Association in the UK (ISSA-UK): “The cyber threat cannot be solved by buying products. A common-sense approach of reducing the amount of sensitive data stored, booting out insecure suppliers, restricting access to information and getting cyber liability cover will often be ten times as effective and ten times cheaper than the next generation security appliance with flashing lights sold to you by expert salesmen. All these require support from the lines of business and the executives.”
Not sure where your company currently stands?
Did the previous questions make you realize it is time to talk to your CISO? Good, then here are some questions that you should ask him or her to trigger a critical discussion about the state of security risk within your company:
- Do you understand our wider business strategy?
- (How) have you aligned our security approach to our organizational strategy?
- What are the biggest risks?
- What are the gaps?
- How are you evolving our security approach to match the changing risk landscape?
- Are sufficient resources available, and are they being used wisely?
- Are you being heard? If not, where and why are people ignoring you?
Based on the answers you are getting, you will be able to see where the lines of communication between CISO and executives are obscured, where the CISO may not have been given the tools and resources in line with his or her responsibilities, and – most importantly – if and where you need to improve your understanding of security risk to the same degree as any other business risk.