BreachExchange mailing list archives

Why It's Time For A Board-Level Cybersecurity Committee
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Dec 2014 18:59:33 -0700

http://www.forbes.com/sites/frontline/2014/12/27/why-its-time-for-a-board-level-cybersecurity-committee/

Just the past 12 months have seen one massive corporate security breach
after another. Major retailers (Target, Home Depot, Neiman Marcus, Sony
Pictures), e-commerce sites (eBay), and financial institutions (JP Morgan)
have all been victims.

Taken individually, digital security breaches serve as a warning for
executives and security professionals to remain vigilant. However, when
every major breach shares the same telltale strategy, it is a sign that
there is something more fundamentally broken in enterprise security that
must be addressed.

There are several important similarities in these attacks, all suggesting
that your company’s data security protections need stronger oversight:

- Security looks for the first step, but misses the lifecycle of an attack.
Traditional online security structures attempt to detect and block
malicious payloads (either a piece of malware or vulnerability exploit). In
a modern attack, the initial compromise is just a means to a much larger
end. The vast majority of security technologies are not designed to see the
so-called “long con” of an attack. Even though the security industry
continues to develop more and more advanced methods of detecting individual
pieces of malware, there is still too little ability to see the larger
attack that follows after the malware.

- There are infinite opportunities for security systems to fail. As
computing and business has evolved, the “attackable” areas of the
enterprise have become nearly impossible to secure. Employees use mobile
devices that are routinely outside the corporate firewalls. Corporate
applications and data are increasingly both inside and outside the
perimeter.

Online security has become incredibly complicated, and corporate directors
may not even know the fundamental distinctions between the various types
and motivations of online intrusions.

Step one for every board is to understand that it is supposed to be
offering oversight on these risks as part of its fiduciary duty. The board
needs to assure there are internal controls in place to protect the
corporation’s cyber assets. The stakes are high. A study found that up to
$21 trillion in global assets could be at risk from cybercrime. What is
needed is a solid board structure for monitoring and managing cyber risk in
the company. To begin, I recommend a series of committee briefings so
“cyber security” is demystified and better understood. However, given the
complexity and dangers involved, I think the time has come for boards to
create a dedicated cybersecurity technology committee.

It is crucial that the board require management to present their policies
on cyber security. Request that management write up their security
practices and standards, and their protocol for responding to a security
breach. The board should be able to identify the manager responsible by
title, and in what time frame they are to respond to an intrusion. In the
event of a cyber-breach, the board should schedule an update from the
security committee on any forensic review. The company may need to disclose
any data breach in SEC filings if the breach was material. Your board might
be surprised to find out that a court considers failure to disclose a
cyber-attack as a “material omission,” according to some interpretations of
new SEC guidance on disclosure.

Here are some action items for shaping a cyber-board team:

- Management needs to encourage the board to fully embrace cybersecurity as
a governance oversight responsibility. The board needs information and
training on cyber security issues so they are not seen as too complex and
technical, outstripping the board’s ability to exercise oversight.

- The board should consider whether a change needs to be made in the way
cybersecurity oversight is currently handled at the board level. Is there a
need for a new security compliance committee?

- The board may require new candidates with computer security background in
the director nomination process.

- Given the risk exposure involved, the board should work with the general
counsel to determine the extent to which existing directors' and officers'
insurance coverage provides protection.

- For the board to exercise effective oversight, they will need an
understanding of what matters are properly reserved to the CIO, what
matters require board awareness, and what matters require board/committee
oversight, action, and/or approval.

Boards must get out in front of cybersecurity and create clear policies to
proactively address this very real risk.