Cybersecurity Perception Is Reality Until Facts Intervene

Facing unrelenting pressure from cybersecurity incidents and regulations that require action to mitigate these incidents, enterprises are now reassessing their approach to cybersecurity. Public companies are also evaluating responses to the US Securities and Exchange Commission’s new Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rule.

Cybersecurity incidents are unavoidable. However, recent incidents, such as UnitedHealth and CDK Global, reveal governance and management weaknesses and disconnects between glowing cybersecurity disclosure language and the substance of cybersecurity processes. After cybersecurity incidents, companies typically overhaul their practices. Why don’t they do this before an incident occurs?

Bringing the Challenge Into Perspective

Perhaps this is indicative of fundamental governance problems; in my experience, I’ve seen that some boards can be both impressed and overwhelmed by management’s cybersecurity presentations, causing them not to effectively govern. If so, are board members pushing cybersecurity governance down to the management team?

Why It Matters

The expression “noses in, fingers out” stresses the board’s responsibility to inquire, but not manage the business. The reverse is also true: governance cannot be delegated to management. Yet, evidence from well-publicized breaches suggests either a lack of governance or a mistaken delegation to management.

Experienced board members are well-equipped to ask insightful questions, assess risk, and govern most issues. However, the complexity of cyber risk has caused many to shy away from fully engaging, understanding, and dealing with the issue. This is unsustainable as incidents  increase in volume and regulatory pressures mount.

Start With the Right Questions

Boards and C-suites that perceive the governance of their cybersecurity programs as adequate must be shocked when incidents demonstrate otherwise. To avoid that unpleasant surprise, boards should ask the following questions to improve cybersecurity governance (the questions are broken down across steps to organize, educate, and drive enterprise-wide culture).

Organize: Establish the right structure, roles, and responsibilities around digital systems and cybersecurity risk.

1. Is the board delegating its fiduciary responsibilities to management?

Indications of adequate governance:

• The board approves cybersecurity frameworks, policies, procedures, and risk appetites, and directs management to deliver periodic reports using business language.
• The board engages advisors to evaluate the efficacy of the company’s cybersecurity organization.
• Ongoing educational programs are established for the board, management, and employees to develop a common contextual understanding of cybersecurity and to instill a culture of enterprise-wide cybersecurity responsibility.

2. Are the board and management properly organized to deal with cybersecurity?

Indications of adequate governance:

• Management institutes a cybersecurity controls process that establishes clear authority and responsibility to make operational cybersecurity recommendations and decisions.
• The board follows best practices and interacts routinely with the cybersecurity management team.

3. Has the enterprise adopted a cybersecurity framework integrated into overall enterprise risk management?

Indications of adequate governance:

• The board approves a cybersecurity framework, and public disclosures match internal practices.
• The cybersecurity framework is integrated into the enterprise’s enterprise risk management policy.

4. What criteria are used to make changes to cybersecurity spending?

Indications of adequate governance:

• The board approves changes to cybersecurity spending-based capital rationing and return on investment.

Educate: Learn to contextualize cybersecurity risk and take actions based on its impact on the organization’s systemic risk profile.

1. Does the board and management sufficiently understand the enterprise’s business systems to contextualize cybersecurity risk?

Indications of adequate governance:

• The board and management demonstrate a holistic view of cybersecurity risk as a systemic enterprise risk. They understand the interaction of system components, both physical and digital, that constitute the enterprise as a system (EAS).
• Management produces a high-level business process map describing the relative importance of EAS components.

2. Does the board understand risk tolerance and risk appetite?

Indications of adequate governance:

• The board makes decisions to mitigate, transfer, or accept cybersecurity risk based on management recommendations.

Drive culture: Stress the importance of shared responsibility for controlling and responding to cybersecurity risks.

1. How do cybersecurity compliance audits relate to governance?

Indications of adequate governance:

• Management sets the expectation that cybersecurity compliance audits are linked to overall corporate governance objectives. The board recognizes that compliance is an important but limited subset of governance.

2. What procedures are in place to respond to, report, and recover from cybersecurity breaches?

Indications of adequate governance:

• The board approves and follows procedures to identify, report, respond to, and recover from cybersecurity incidents.

Bringing It Together

Addressing cybersecurity requires organizational changes to govern and manage complex digital systems, educational changes to develop a contextual understanding of systems among the board and management, and cultural changes to imprint the importance of shared responsibility for cybersecurity.

RSM is a NACD partner, providing directors with critical and timely information, and perspectives. RSM is a financial supporter of the NACD.

Rod Hackman is RSM’s executive advisor for board excellence.