Bridging the Governance Gap
A guide to helping boards and executives better understand cybersecurity issues
By Jack Pelikan, CISSP, CISA, CPA
During a recent industry roundtable, an audit executive solicited advice on how best to address questions from board members regarding cybersecurity, such as “Are the systems secure?” and “What is the likelihood of a breach?” While these questions are common and asked with noble intent, they also may indicate a disconnect between management and the board on cybersecurity matters.
The pervasiveness of this disconnect is evident in various studies including the 2016-17 Ernst & Young Global Information Security Survey, which reports that “87 percent of board members and C-level executives have said they lack confidence in their organization’s level of cybersecurity.” On the other hand, the 2016 Bay Dynamics and Osterman Research report “How Boards of Directors Really Feel About Cyber Security Reports” indicates “only one-third of IT and security executives believe the board comprehends the cybersecurity information provided to them.”
This disconnect not only strains management and board relations, but it can also limit the effectiveness of the governance function. While this article is not a roadmap to management-board harmonization, it offers potential solutions to the question posed earlier by that audit executive.
Connect the CISO and Board
A chief information security officer (CISO) with strong technical and presentation skills can be an invaluable asset to the board. In addition to finding such a qualified CISO, organizations must ensure that person has the necessary access to the board.
That isn’t happening as often as it should. According to a 2015 K Logix CISO Trends study, “more than half of CISOs report to the CIO, and just 15 percent report to the CEO, with the rest reporting to the COO, or risk-related organizations.” Further, the study suggests that while 92 percent of CISOs interviewed reported some level of interaction with the board, “many reported that they have either a quarterly or annual update in front of their board, and others are called in front of their board when incidents within the company, their industry, or the news pique the board’s interest in the security program.”
More direct communication between CISOs and boards is needed, and on a more frequent basis. To maximize the CISO’s role in cybersecurity governance, organizations should consider establishing a direct reporting relationship between the CISO and board that allows for private sessions when needed to ensure candid dialogue.
Appoint a Cybersecurity Expert to the Board
The recent wave of shareholder derivative lawsuits against the boards of Home Depot, Wendy’s and Wyndham, and the proposed Cybersecurity Disclosure Act of 2017 suggest boards face heightened scrutiny regarding their cybersecurity governance practices. While current regulations only require boards to designate a financial expert, the notion of a cybersecurity expert serving on the board is gaining momentum. For instance, Huntington Bancshares and Sally Beauty Holdings recently appointed cybersecurity experts to their boards.
Granted, these appointments followed breaches. But they also indicate a commitment to ongoing cybersecurity governance. Additionally, directors with cybersecurity expertise not only serve as the intermediary between IT management and the board, but they also can continually educate fellow board members.
Leverage the Cybersecurity Capabilities of Internal Audit
A highly competent internal audit function can serve as the eyes and ears of executive leadership and the board. By virtue of their independence, internal audits provide an objective assessment of cybersecurity risks, as well as valuable assurance on the effectiveness of related controls. However, for an internal audit to be fully effective, the team must possess the requisite technical expertise and credibility. Just as important, these members must articulate cybersecurity matters to executive and board-level audiences in terms they understand.
To ensure their audit departments have the necessary cybersecurity skills, employers are placing a premium on candidates with IT audit experience. According to Robert Half’s “2017 Salary Guide for Accounting and Finance,” IT auditor jobs are among the top 10 most-sought positions.
In addition to attracting and retaining audit talent with cybersecurity backgrounds, audit directors can continue to improve their staffs’ technical competency by offering continuing professional education and encouraging certifications (e.g., a CISSP) and on-the-job training.
However, without adequate practice and application, these technical skills are likely to diminish or go unnoticed. As a solution, audit departments with this expertise should conduct cybersecurity risk assessments, operational audits and consulting projects. By performing these projects, audit department staffers not only hone technical skills, but the team enhances its credibility with executive leadership and the board.
Conversely, audit departments that lack such expertise compensate by outsourcing, co-sourcing and bringing in a guest auditor. According to ISACA and Protiviti’s “A Global Look at IT Audit Best Practices” for 2017, 61 percent of North American respondents said they used outside resources to augment their IT audit skills set. While these arrangements provide immediate expertise, audit directors should keep a long-term focus on recruitment, training and development of in-house cybersecurity talent.
Use a Common Language
The inherently complex and dynamic nature of cybersecurity, coupled with the field’s affinity for acronyms, can create a sizable communication barrier between the IT department, management and the board. Since each stakeholder’s background, learning curve and interest in cybersecurity varies, the dialogue between these groups must incorporate a common vernacular.
In the aforementioned Bay Dynamics and Osterman Research report, three out of four IT and security executives surveyed believe the board wants reports with language that does not require them to be cyber experts. Two out of three board members indicated a strong desire for the same.
While the ability to translate complex cybersecurity issues into universally understandable terms can be as difficult as it is important, executive summaries, visualizations and analogies will help. As a caveat, translation should not be confused with simplification. A common pitfall during cybersecurity presentations to executives and boards is oversimplification and omission of highly technical yet important details. In the interest of transparency, technical materials can be included in the appendices or supplementary materials and discussed during the question and answer sessions.
While each organization’s cybersecurity risks and strategies are (and should be) unique, the importance of board-management cohesion and cybersecurity governance is universal. Nonetheless, the aforementioned studies suggest that cybersecurity has been and continues to be a source of disconnect between management and the board.
While regular CISO-board communication, appointing cybersecurity experts to boards, leveraging internal audit and using common vernacular can help narrow this gap, organizations will continue to encounter new cybersecurity risks. Successful management of these risks will require a concerted effort and ongoing dialogue between management and a well-informed board.
Jack Pelikan, CISSP, CISA, CPA, is a director of internal audit as well as an adjunct professor in St. Louis. In addition to academia and internal audit leadership, his experience includes IT audit and advisory services at a Big Four accounting firm. He can be reached at email@example.com.
5 Minutes with Juliette Kayyem
An excerpt of this Q&A appears in the current issue of InfoSecurity Professional magazine.
She’s a homeland security expert, successful consultant, Harvard scholar, newspaper columnist and cable news contributor. Juliette Kayyem also was a keynote speaker at Security Congress last month in Austin.
Given your accomplishments in security, media and academia, how does a focus on cybersecurity help you with the other facets of your work life?
I think we have a tendency in the security world to think of cybersecurity as different than other vulnerabilities, like natural disasters, and we tend to put it on a pedestal. But for the most part, dealing with and addressing cybersecurity is very consistent with other challenges we face: How do you minimize the risk? How do you maximize the defenses? How do you ensure that after something happens, you limit the consequences? How do you build more resilient systems?
In many ways, cybersecurity, while technologically different, is very similar to other disciplines. Don’t isolate cybersecurity so much that you ignore it or don’t include it in an overall risk reduction strategy.
Which is scarier: addressing homeland security officials, Harvard students, Boston Globe readers or CNN viewers?
Definitely the most demanding would be students. It’s not too corny to say people really do try to work together, even in these highly polarized times. When it comes to safety and security, there really is a unity of effort in most instances.
With CNN, most of the time I’m alone in a room with a camera. So that’s relatively easy. But with students, just given their expertise and the anxiety that students face about the world they are entering, they need the most tender love and care.
Your most recent book, Security Mom, talks about ways for all of us to feel safer in our homes and homelands. What is the biggest takeaway still relevant in today’s geopolitical climate?
Each of us has the capacity to own our own safety and security. We should not delegate to the experts like myself. And that begins at home.
My goal is to tell the story of our homeland security that people can relate to because our own sense of preparedness begins at home. The message of that book is you can’t ignore it and you can’t be paralyzed by it.
What’s your view on the value of cybersecurity certifications?
I think it’s absolutely essential. In the absence of strong federal oversight, which is highly controversial and not likely to happen, we need best practices, protocols, common baseline compliance measures that establish the expert from the riffraff. Without that, as anyone in the industry knows, there’s a lot of crap out there and so it’s essential organizations try to create common floors.
What needs to be done to get more people interested in a career in cybersecurity?
I think the first thing companies can do is to empower those in cybersecurity with a sense that they are part of the mission.
Too often, I go into these companies or see from the outside that the cybersecurity teams looking out for the well-being of the business and continuity are not at the table, and that has an impact on people’s career trajectories. From a market perspective, I think companies and boards can do more to empower their teams.
As a lawyer, scholar, terrorism expert, cable news contributor and mother of three, how do you maintain a work-life balance?
I had pretty intense jobs in government, so in some ways nothing compares to the 2 a.m. phone calls or being called on Christmas about a plane someone tried to blow up, or the email about being expected in New Orleans the next day because of an oil spill in the Gulf of Mexico. So that dread of the 2 a.m. phone call no longer hangs over me all the time.
I’m also blessed with a husband who does not travel. It’s good to have someone with an equally demanding but less physically challenging job like I have.
Maybe I’m just speaking as a mother, but one thing you realize when you are in a disaster or crisis situation is how blessed you are when you see people hurting in ways you couldn’t imagine before. That’s helped to mellow me as a mother. I have a sense of the important things: my kids are healthy and happy. I’m not a worrier. I like to joke you can be a helicopter mom or you can be a satellite mom. Either way, we’re both going to be meeting in the emergency room one day.
Tell us about the book you’re working on now?
It’s called The Best Worst-Case Scenario, and I’m hoping to finish it in the next year. What I’ve realized going around the country as an academic and giving speeches and consulting with companies is that the basic tenets of a basic resilience enterprise are not known to those in leadership.
Even the best CEOs tend to delegate this core issue of business preparedness to some elite team. It’s a way for me to communicate to non-experts in the corporate space what it is that needs to be done and how they need to take leadership in building more resiliency into their companies.
We’ve seen a rise in state-sponsored malware and cyberattacks. There’s also growing evidence some countries have successfully exploited vulnerable systems and will continue to do so. What do we as (ISC)2 members and citizens need to do to gird ourselves against these threats?
I think it’s to take a comprehensive approach both to what I call left of boom and right of boom. The boom is the cyberattack. Left of boom is prevention and mitigation. We should spend as much energy on right of boom. Assume the bad thing will happen. Do you have protocols for what your response will be, and how do you control and limit the damage? How do you get the system back up and running?
Each company is going to be different, but too often companies spend a lot of time on prevention, but not enough on the other side dealing with response, recovery and resiliency.
How do you recharge?
I’m a big fitness person. I’ve got the Peloton bike, I run with my dog. I’m a longtime surfer, so if I can sneak out for a couple of hours to get into the ocean, great. I try to put down my phone because the news can get overwhelming. And I try to figure out where my teenaged kids are at any given moment.
If time and money had no limits, where would you love to vacation?
I’m an ocean person. Because I live in New England, I would love to spend serious time at any beach, but in particularly Hawaii. A month in Hawaii every winter would make me the happiest person.