Boards Can Surmount The Cybersecurity ‘Intimidation Factor’: 10 Questions Directors Should Discuss With C-Suites


Many corporate boards have made significant progress in understanding how important cybersecurity is to the competitive health, operational resilience, investment appeal, and customer loyalty and attractiveness of the companies they oversee.

They’ve certainly gotten the message that enhancing cybersecurity is not just an IT issue. It lies at the core of state-of-the-art corporate governance practices. It is part of the “G” in ESG.

And, within the portion of board meetings devoted to risk assessment, cybersecurity is almost always one of the top items on the agenda, in no small part because the litigation risk arising from cyber vulnerabilities is growing substantially.

But most board directors are not yet equipped to judge intelligently whether their firms’ management teams are at the top of their game in defending against corporate cyber-attacks.

Few directors—even those who serve on board Risk Committees—engage C-suite executives in meaningful dialogue on the specific strategies they’re undertaking to reduce vulnerabilities to hacks and why particular approaches rather than others are being employed.

In fact, boards that effectively devolve full oversight of cybersecurity to their Risk Committees are myopic. Of course it is boards’ Risk Committees that should take the lead on cyber issues. But as with other “newer” issues becoming the focus of corporate governance today, think sustainability and supply chain management, cyber risks are truly cross-cutting. Mistakes in all three areas can threaten the life-blood of the company, its workers, its reputation and its long-run growth.

Where boards’ assessments of the impact of cyber risks on business operations most assuredly should not take place is in the Audit Committee. After all, audits are necessarily backward-looking. Cyber threats are largely contemporaneous and forward-looking dangers to the enterprise.

I know this firsthand: both from the corporate boards on which I serve and from the boards I advise on business growth and risk-mitigation strategies, including cyber threats.

Given my long-term career focus on international corporate finance, cross-border private equity investing, and the ways in which multinational businesses from advanced countries can best compete against their counterparts from emerging markets, much of my attention on cybersecurity has been on the conduct of boards of companies where international transactions are important. To be sure, that feature is hardly unique in today’s global economic ecosystem: almost all businesses make decisions affected by international elements one way or another.

Suffice it to say that cyber risks know no geographic boundaries; so whether domestically or internationally oriented, boards of all firms need to be both better educated about these threats and able to engage in a robust dialogue with the C-suite about them, including how to evaluate the performance of the relevant executives who are responsible for their mitigation.

The bald fact is that many board members are intimidated to ask the members of their C-suite executive teams who are most centrally responsible for cybersecurity—traditionally Chief Information Officers (CIOs), but increasingly Chief Information Security Officers (CISOs)—all but the most general technical questions.

Even then, the issues that board directors raise with the C-suite almost always focus on the magnitude of the problem and the degree to which the CISOs believe they have existing threats contained.

CISOs, for their part, tend to have an incentive to brief their boards on cybersecurity in relatively dumbed-down language.

It’s been my experience that it is a rare CISO who discusses with his or her board the nitty-gritty of the actual solutions their teams have already rolled out or are contemplating.

Most members of a corporate board become well-versed enough to ask their firms’ Chief Financial Officers (CFOs) technical questions about financial reporting and related details. Yet when it comes to cyber, intimidation seems to kick in. It doesn’t have to be this way. And it shouldn’t.

Of course, as many of us board directors in the U.S. know well, in the wake of the Enron and WorldCom accounting scandals the U.S. enacted the Sarbanes-Oxley Act, which requires public companies to disclose to the Securities and Exchange Commission (SEC) whether their audit committees include a “financial expert.”

It’s not a herculean feat for board directors to become sufficiently educated and facile in understanding the sources and variety of cyber threats, as well as the types of solutions available to reduce the risks to which enterprise communications (including those internal to the firm) have been exposed, or to prevent that exposure in the first place.

Boards should be able to equip themselves with the knowledge necessary to have meaningful exchanges with CISOs to discuss the practical pros and cons of various remedies, including how various options can affect internal governance, employee productivity, and document retention among other dimensions.

Indeed, perhaps the time has come for the U.S. to require boards to disclose to the SEC who their “qualified cybersecurity experts” are. To this end, in 2021 a bipartisan group of Senators and Representatives introduced the Cybersecurity Disclosure Act of 2021 (S.808) in Congress, which would direct the SEC to require companies to disclose whether any board member has cybersecurity expertise and, if not, why not.

The real irony in all of this is that it’s often the communications within the boardroom and within the C-suite themselves where the most sensitive corporate issues are being discussed.

These are where the payoff for cyber penetration is highest. It’s therefore no surprise these are the prime targets for hackers.

They are the highest value targets for two reasons.

The most obvious is these locales are at the pinnacle of a business’ decision-making apparatus and thus where the most closely held commercial information is expected to be internally communicated.

In the boardroom, such communications can range from details of negotiations over the share value of a bid made for the acquisition of the company (or a bid made by the company for an acquisition target) to polling among board members about the degree to which there remains confidence for retaining (or firing) the company’s CEO who has been accused of engaging in an egregious business practice.

Within the C-suite, they might pertain to topics such as an in-house assessment of the bottom-line impacts of the company’s proposed new pricing strategy vis a vis its competitors or information on the extent to which a dangerous safety defect has just been discovered internally in the manufacturing process of the firm’s best-selling product.

The second reason is even more pernicious: these are where the internal communications take place about the specific methods the firm is employing to fix the hardware and/or software vulnerabilities that exposed high valued communications in the first place.

If the hackers can determine the exact solutions being applied by, say, the chief information security officer, not only does the vulnerability remain, but the firm has now unwittingly handed over information about its internal decision-making process on how it handles cybersecurity.

This is the grand prize for hackers.

Considering this, one might ask what is the general tenor of the conversations underway and the actions undertaken about cybersecurity in corporate boardrooms today, especially interchanges between directors and members of C-suites?

While loads of surveys have been taken to get at the answer to such a question—indeed rarely does a month go by when there aren’t several corporate board-related publications reporting on such surveys—few surveys, if any, have been large enough to systematically capture a representative cross-sectoral sample to provide meaningful results.

Worse still, the survey instruments generally used pose perception-based questions rather than following a data-driven, fact-based methodology, that is, one that empirically quantifies the number of times specific actions have or have not actually been taken by board members.

From my own and others’ observations, admittedly a small sample that is not purported to be representative and thus not necessarily true of all corporate boards, the “typical” conversation on cyber at the board level tends to focus on the following types of broad questions posed by directors to CISOs:

· Are we secure?

· How do we know if we've been breached?

· How does our security program compare with industry peers?

· Do we have enough resources for our cybersecurity program?

· How effective is our security program, and is our investment properly aligned?

These are certainly important questions to be asked (and answered). But they should be seen only as conversation starters.

Why? Because in and of themselves, they do not provide the basis for board directors to make well-informed judgments about comparative solutions for intra-enterprise communications systems to reduce vulnerability to cyber-attacks.

I emphasize “comparative” because there is an array of communications solutions and most involve tradeoffs of one type or another.

And such solutions need to incorporate both cyber-secure email and messaging, the latter being particularly important as Millennials climb the corporate ranks. They have grown up in a messaging-only world and that is the way they will continue to communicate even in the workplace whether one likes it or not.

There is an emerging consensus that an ideal solution would likely be one in which:

· throughout the company, from the “factory floor” to the boardroom, a firm’s email and messaging, telephone conversations, video and files are protected by bona fide end-to-end encryption, using state-of-the-art protocols with provision for continuous updating as those protocols evolve (bearing in mind that end-to-end encryption protects content from the network and the service provider, not from a compromised device at either end),

· the user experience is inviting and productive,

· agile document permission and retention controls exist, and

· sound yet flexible internal governance practices can be easily applied (for example, the ability to segregate access to certain communications within the firm, to avoid the risk of the “plain view doctrine,” among other risks).

Against this backdrop, here then are 10 of the most fruitful types of questions board directors and C-suite executives, especially the CISO and his/her team, should be directly discussing as starting points about communication system solutions to enhance a company’s cybersecurity:

1. Do both the email and messaging systems used by all the firm’s employees, including the C-suite and the board of directors, provide best-in-class end-to-end encryption, and on which devices is it actually switched on?

2. Can the company’s communications service providers (or anyone with access to their servers) decrypt the company’s communications? Genuine end-to-end encryption means the provider only ever handles ciphertext; if the provider holds the keys, the answer is yes.

3. What is the process by which the company regularly benchmarks the communications software being used compared with alternatives coming on the market?

4. How automatic is the system’s security update process, how complex is it to operate, and how quickly do patches reach every device?

5. Is the system currently in place an app and cloud-based solution, or does it require expensive infrastructure or proprietary hardware?

6. Does the system work across all operating systems and with all mobile devices, tablets, and desktops?

7. Is the system fully deployable globally? What steps are utilized to reduce exposure to hacks for the company’s employees working in the world’s most cyber risky markets?

8. Does the C-suite routinely deploy firm-wide surveys to assess the extent to which there are employees who don’t find the current system’s user experience friendly? How widespread is any negative feedback? What are the specific steps employed to address it?

9. How agile is the system’s ability to compartmentalize internal communications and documents?

10. How robust is the firm’s communications software in terms of providing for systematic enterprise-wide information life cycle controls, including both destruction and retention of high-risk or proprietary internal documents and data?
