Of top director issues for 2015, cyber security is the No. 2 concern behind strategic planning.
— Kerry Berchem, Head of Corporate Governance practice, Akin Gump Strauss Hauer & Feld, based upon an extensive survey of corporate directors
If you’ve been paying any attention at all to business headlines, you’re aware of how critical a concern cybersecurity breaches have become. Home Depot, Adobe, eBay, JP Morgan Chase, Target, Sony, and a host of lower-profile organizations have suffered expensive losses during the past several years. If the threat of such losses weren’t already putting pressure on businesses, recent comments by SEC Commissioner Luis Aguilar have set boardrooms abuzz:
Board members cannot expect to avoid personal responsibility for [cybersecurity] losses that might have been prevented by the application of “reasonable business judgment.”
— Luis Aguilar, SEC Commissioner, September 2014
Translation: for losses incurred due to cybersecurity breaches, corporate directors are no longer safe behind the “corporate veil” that protects their personal assets from shareholder lawsuits. Boards that can’t demonstrate they have exercised considerable oversight (“reasonable business judgment”) to ensure their companies are taking appropriate measures to protect their information from hackers are now exposed.
Does this mean directors must become internet security experts? Of course not, but they should become conversant enough to understand what their companies are doing to minimize the danger and impact of a breach. One place to start is a framework developed a couple of years ago by NIST (“Framework for Improving Critical Infrastructure Cybersecurity,” National Institute of Standards and Technology, February 12, 2012).
The framework comprises three major components:
- the Framework Core identifies “the key cybersecurity outcomes identified by industry as helpful in managing cybersecurity risk,”
- the Framework Implementation Tiers provide “context on how an organization views cybersecurity risk and the processes in place to manage that risk,” and
- the Framework Profile aligns the other elements with “the business requirements, risk tolerance, and resources of the organization.”
The Tiers illustrate how a company can grow its ability to deal with breaches by assessing its current state and upgrading its infrastructure and processes where appropriate in the context of the specific business. I’ve summarized the Tiers in the table below.
Companies can evaluate themselves in three key areas: (1) the risk management processes currently in place, (2) how integrated those processes are across the organization, and (3) the extent to which the company shares information and collaborates with its business partners and other external organizations. While NIST suggests using the framework to create a unique plan for improvement rather than employing it as a maturity model, it nonetheless offers a good way to assess a company’s readiness to deal with breaches.
The vertical scale outlines increasingly sophisticated stages of cybersecurity implementation, from Partial through Risk Informed and Repeatable to Adaptive. Examining each column reveals the relative strength within each of the three areas (Risk Management Process, Integrated Risk Management, External Participation). Viewing the company through the lens of these tiers equips a board member to ask the right questions as they add “cybersecurity governance” to their responsibilities as a director.