by Edward Stroz and Carl S. Young
Those of us who are board of director members and who also advise boards on cyber security risk management have been subjected to a steady drumbeat regarding our responsibility to ensure appropriate board oversight. Recent cyber risk management guidance from the US Securities and Exchange Commission (SEC) is just one of multiple examples of enhanced requirements regarding security disclosures by public companies.
Boards of directors are certainly capable of assessing cybersecurity risk when each member is appropriately informed on the relevant issues. Unfortunately, communications about cybersecurity risk are frequently neither informative nor clear to the intended audience. To fulfill their governance responsibilities and to overcome this communication gap, boards must identify cybersecurity priorities in the near term while ensuring that the underlying drivers of cybersecurity risk are addressed in the long term by the risk management strategy. In our view, accomplishing these near- and long-term objectives requires three areas of focus.
First, boards must always keep the fundamentals of risk in mind. Specifically, they need to consider all three components of risk for a given threat: the likelihood that a threat will be attempted and its likelihood of success, the potential loss or vulnerability should a successful incident occur, and the impact on the organization if it experienced such a loss. A thorough examination of risk can help guide governance efforts, since these three components in aggregate form the basis for security risk management.
For example, consider any publicized cybersecurity incident. The likelihood your company might also be targeted should be assessed based on risk factors such as the type of business you operate and your company’s internet profile. Equally, the risk factors for attack success should be evaluated. You should also understand your company’s vulnerability or potential loss if a similar attack were successful. Finally, consider whether the potential losses incurred would have a significant impact on your organization. Understanding all three issues yields the magnitude of risk associated with the particular threat of concern. Although it might not be possible to quantify the results, an accurate if qualitative assessment of risk will often suffice.
Second, boards must understand the precise nature of the data at risk and how it must be protected. Ultimately all cyberattacks attempt to gain unauthorized access and somehow compromise information, but the modus operandi will vary depending on the attacker’s objectives. These objectives will always relate to compromising data confidentiality, data integrity and/or data availability. Cyber defenses must be constructed so as to thwart the specific objective or objectives at issue.
For example, ransomware is designed to affect the availability of data. There will be no difficulty detecting a ransomware attack because it is designed to be evident. In contrast, an attack designed to undermine data confidentiality will almost certainly be conducted in secret, and importantly, will not appear to interfere with day-to-day operations.
Boards must be confident that efforts to protect data are viewed from all three vantages in part because shareholders and/or regulators will focus on these elements following a breach. We next address each element of data protection separately given their significance and how their differences dictate the approach to security risk management.
It is necessary to ascertain the steps taken to detect whether confidential data have actually been compromised. Historically this has been a source of confusion because colloquial expressions can obscure the true nature of the crime. For example, cyberattacks are frequently described as having stolen data. In actuality, confidential data have “merely” been viewed and copied by an unauthorized entity. The fact is that data need not be missing to be considered stolen, a point that has important security implications. In contrast, in a physical theft of property the victim is deprived of that property, which makes its loss more readily evident.
It goes without saying that protecting sensitive or confidential information from reading and/or copying by unauthorized entities should be an organizational priority. We note that the need for protecting confidential information extends to individuals inside and outside an organization. Confidentiality is perhaps the most important data characteristic requiring protection. Because information often must be widely (if selectively) shared, protecting confidentiality is a significant and ongoing challenge. Although there are tools designed for this purpose, the specific tool and its configuration can be unique to a particular organization and it must be tailored to a specific environment.
It is important to recognize that attacks on company assets often begin when the adversary has illicitly gained access to internal company communications, most notably email. For example, in the case of unauthorized wire transfers of funds, the attacker typically reads emails pertaining to how funds are handled within the organization, which in turn informs the adversary’s attack strategy. The point is to recognize that information which should be treated as confidential can take many forms, and the need to protect a given document should be based on the reputational, operational and/or financial damage that could result if unauthorized access to that document is achieved.
Threats to data “integrity” involve attacks that seek to change or alter data, thereby compromising business operations. There can be multiple motivations for such an attack, although revenge is likely high on the list. Workers and the company at large depend on data accuracy, and therefore both could suffer from unauthorized changes to work-related information. Issues associated with preserving data integrity are an important reminder of the nexus between the Human Resources function and cyber security, as well as of the more general problem of insider risk.
The third area of focus required to accomplish near and long-term cybersecurity objectives is that boards must reorient their view away from a technology-centric perspective. Although implementing robust security technology controls is clearly important, it is equally important to acknowledge that the root causes of cybersecurity risk often originate in business practices and operations. In summary, security technology is necessary but not sufficient to address systemic cybersecurity risk.
Boards of directors must determine the organizational features that most contribute to cybersecurity risk. The juxtaposition of security and convenience is always a significant concern since it directly relates to the organizational tolerance for risk. This tolerance ultimately represents a tradeoff between convenience and security with significant business implications that must be managed on an enterprise scale. The tolerance for risk is itself a reflection of the organizational culture, whose importance to cybersecurity risk management cannot be overstated.
There are also specific actions that relate to the above areas, which organizations can take to improve their approach to cybersecurity risk management. In our experience, companies that have implemented one or more of the following actions are better prepared to meet the technical, organizational and legal challenges that increasingly accompany cybersecurity risk.
The first is to adopt a strategic approach to security risk management. In this context being strategic includes preparing for a cybersecurity incident as follows:
- Assess the security risk profile and deliver the results in an understandable format.
- Select and conform to an appropriate cybersecurity framework, e.g., from NIST.
- Develop a clear and coherent set of security policies that remain current.
- Work to achieve a culture of security that is not undermined by regularly tolerated bad practices.
- Reduce complexity by enforcing uniformity wherever possible, but not at the expense of table-stakes security controls.
- Initiate practice exercises, i.e., “table tops,” where an organization rehearses how it would detect, respond to, and recover from a cybersecurity incident. Ideally, a multidisciplinary approach would be used that brings together tech, legal, and HR with CEO oversight.
Second, consider having advice obtained from outside cybersecurity experts placed under an “attorney-client work product privilege” to protect documents from discovery during litigation. Be sure to raise this point with legal counsel early in an engagement, because it might not be possible to put such a privilege in place after the fact.
Third, establish a dialogue with law enforcement preferably before an incident occurs. Agencies like the FBI often provide speakers that can help reinforce cybersecurity messaging and further solidify the relationship with your organization.
In addition to opining about security risk management principles and practices, we are often asked to comment on a range of issues that affect cybersecurity risk. The remainder of our discussion will focus on some of the most popular and pressing trends and topics.
Organizations are frequently interested in knowing how their security posture compares to peer organizations. To that end, market trends in security can provide benchmarking insights. Understanding the security market can also reveal specific services and tools that are potentially risk-relevant.
For example, the market has an ongoing interest in cybersecurity risk metrics and for good reason. Measuring risk is a subtle but critical exercise, and a well formulated internal risk assessment can yield informative metrics. Conversely, inaccurate and/or irrelevant security metrics can readily obscure risk-relevant phenomena. It can be helpful to integrate security metrics with an established cybersecurity risk framework, e.g., the aforementioned US National Institute of Standards and Technology (NIST), thereby establishing a common frame of reference for assessing security risk.
Examining the security market will reveal commercial services that utilize public data to grade a company’s cybersecurity risk profile as seen by the outside world. Some of the more popular versions are offered by the companies Bitsight and Security Scorecard. The implication is that customers, investors, and/or partners can purchase a purported snapshot of your security risk profile even if your company has never engaged that service. Although these snapshots can sometimes be misleading, the subtleties will likely be lost on most subscribers. In addition, these services include benchmarking results, which are also publicly available to anyone willing to pay the subscriber fee.
In addition to cybersecurity metrics, one of the most significant trends we observe in the marketplace is a broadening appreciation for what can go wrong beyond data availability, i.e., protecting more than the computer. With respect to specific security controls and processes, there is continued interest in so-called “zero trust” security architectures, multi-factor authentication (MFA), VPNs and virtualized security applications (e.g., Citrix, for remote access), minimizing the number of administrator accounts, insider risk management, and integration with legal obligations in the US and overseas.
In terms of trends in attacks and attack responses, as IT technologies have become increasingly hardened, hacking is accomplished more through tricking individuals possessing authorized access rather than via brute-force intrusions. There is also an increased focus on third-party cloud providers sharing risk-relevant information with customers in the event of a data breach.
Attorneys are an important part of the cybersecurity “ecosystem,” and legal issues are clearly within the purview of boards of directors. Attorneys understandably advise clients to save as little information as possible, but such a policy can conflict with business objectives. In that vein, we have seen regulators weaponize chat logs that discussed internal security control issues. The result is a tension with respect to the information that should be saved versus discarded.
Unfortunately there is no ready prescription on how to achieve the appropriate balance. Each company must make a reasoned decision that on one hand doesn’t jeopardize its ability to manage cybersecurity risk and on the other hand doesn’t overly expose the organization to legal peril. Our strong recommendation is that decisions regarding this issue include input from technologists, business representatives, and attorneys.
Organizations are also reconsidering their risk transfer strategy. This strategy has historically relied on cyber insurance, the value of which is now being questioned given the rising cost of premiums and concern about the success of large claims. We see a trend by companies to re-evaluate the cost versus benefit of the cyber insurance products currently being offered – is it worth it and how does one determine its value?
We are frequently asked for “Starter Pack” guidance for smaller and/or newer companies that lack significant resources to devote to cyber risk management. The first element of our Starter Pack would be to examine the company’s security policy, which is indicative of its security culture. Risk-relevant questions about this policy include: Is the policy current? Is it clearly written? Is it readily available to authorized users? If it is readily available (often by its posting on the corporate web site) does it contain company-confidential information? Are areas of intersection between physical security and cyber security addressed? If the policy is only internally accessible, consider the effect if a hacker gained access to its content.
Our Starter Pack would also include the following elements:
- Ensure the responsibility for cyber security governance is pursued at the highest level, i.e., board/CEO.
- Obtain cybersecurity expertise through internal staff and/or external
- Select an appropriate cybersecurity framework and document the reasons that framework was selected.
- Periodically conduct a security risk assessment that includes technology and risk-relevant organizational features.
- Establish a statement regarding the organization’s cybersecurity risk tolerance or appetite and compare it to risk assessment results.
- Prepare a “risk register” for each risk/vulnerability and tie it to the high-level framework categories, e.g., prevention, detection, response, recovery, governance. Each risk should be assigned an “owner” in the organization.
- Utilize the correct tool to measure risk, noting that the cost of an asset is not necessarily indicative of its impact if compromised. For example, a $500 unprotected laptop can lead to an extraordinarily expensive security incident.
- Ensure there are recovery plans that specify the point and time from which recovered data should be restored.
Finally, assessing cybersecurity risk can seem complicated due to the inherent complexity of information technology. However, any form of risk is simply the integrated product of probability and consequence. Consequently, assessing cybersecurity risk is ultimately an exercise in evaluating the relative magnitude of those basic elements, which requires no expertise in technology. Therefore, our overarching advice on enhancing cybersecurity governance is to develop a firm understanding of risk fundamentals, and thereafter require that assessment results are presented in those terms as well as to your satisfaction.
Edward Stroz and Carl S. Young are co-founders of Consilience 360, LLC, a security consulting firm that specializes in advising boards of directors, corporate committees and corporate officers on cybersecurity risk management and governance.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).