Heightened security risks dictate a proactive corporate board

Dec. 1, 2017
Juggling risks in today's threat landscape is a delicate balancing act for business leaders

One of the primary duties of any organization’s board of directors or C-suite executives is to balance risk, whether that is in the form of potential financial threats or actual physical and cyber risks presented by terrorists, malicious insiders and hackers. Today’s threat landscape presents myriad security challenges, and organizations must put together a comprehensive risk mitigation strategy to protect themselves on multiple fronts.

In the last few months alone, several high-profile security incidents have occurred that stand poised to significantly shape the industries they affected going forward – from the credit reporting and financial industries with the Equifax data breach to hospitality-oriented businesses and concert venues with the recent mass shooting in Las Vegas.

Cybersecurity

Despite the impact that data breaches and other types of cyber-attacks continue to have on all kinds of organizations, Jim Pflaging, principal, technology sector and strategy practice lead at security and risk management advisory firm The Chertoff Group, says the level of involvement many boards have today when it comes to addressing cybersecurity issues is really a mixed bag.

Pflaging, who serves on the board of several technology companies himself and as a board advisor to several others, says that The Chertoff Group set out last year to get a better understanding about the state of maturity in cybersecurity conversations at the board level and subsequently interviewed over 100 leading executives across three different continents in companies ranging in size from Fortune 500 organizations to small, private firms. What they found, according to Pflaging, was a “tale of two cities.”

“The first (group) was the good news and that was Fortune 500 (companies) in what people would call critical infrastructure – transportation, utilities, finance, healthcare and some tech (firms) – they said, ‘yeah, we’ve been talking about cybersecurity for years. It is a mature conversation, we talk about it from a risk point of view and, in some cases, it is beyond risk and in the overall business continuity discussion,’” Pflaging says. “The second group was largely everybody else and this was not a pretty picture. This resonated with me because it reflected the boards that I am on and that is that cyber is rarely or never on the agenda and if it is on the agenda, it’s in response to a breach. The state of the conversation was there really wasn’t one.”

Pflaging says that many of these executives from the first group had learned about cybersecurity mostly from other boards, but from personal stories as well. Those board members in the second group reported being confused about exactly what their roles should be as directors when it comes to cybersecurity and what questions they should be asking.

Pflaging says there are really three things that all board-level executives care about: risk, value creation and metrics. The serious financial implications of data breaches as well as recent malware attacks, such as Petya, NotPetya and WannaCry, which impacted numerous companies across multiple industries, have really made more organizations take notice and rethink their security approach.

“When you have to make material changes in a financial forecast, that gets other managers’ attention because it now becomes a material risk at the board and for the C-level executives as it is pay impacting. When you have to do a financial restate then guess what? Your management incentive payout for the year, you’re not going to get it,” Pflaging says. “This is no longer a theoretical/technical issue or one that is really not going to hurt us; it’s going to have a potentially long-term impact on the stock. When you come down and see that this is a significant operating, financial and reputational risk, this is really front and center into a board conversation.”

In addition to monetary losses, board members and other senior executives within organizations that fail to promptly disclose data breaches could soon face more severe penalties. In the wake of the recent Uber breach in which it was revealed the company paid $100,000 to hackers in exchange for not revealing the network incursion, federal lawmakers are renewing efforts to pass legislation that could impose jail time for executives found guilty of concealing a data breach.

Conversely, there are some forward-thinking executives and organizations that now see security as a potential area of value creation in that they can differentiate themselves by becoming more cyber secure.

“We’re living in this golden age of innovation in which executives and boards realize that you either innovate or die. You’re going to be left behind by more innovative companies who completely obliterate your value proposition and they’re saying if we’re going to embark on these initiatives that cost tens of millions or hundreds of millions of dollars, security needs to be baked in at the core and not an afterthought,” Pflaging says. “By doing it right, it’s a better investment, we’re going to have a better trust bond with our clients and stakeholders because we don’t want to be that guy, the Equifax that for the hundreds of millions they invested in technology, they really didn’t prove themselves to be a trust steward of information.”

Physical Security

When it comes to either physical or cyber threats, Adam Isles, another principal with The Chertoff Group, says that boards have to look at them in terms of business continuity and what matters most to the organization.

“The business continuity process can be a way of unpacking that because, ultimately, through a physical attack or through a cyber-attack, what you really care about is the continued availability, integrity and security around that asset,” Isles explains. “So, if you’re a large shipping company, do you really care if it’s a bunch of Somali pirates or a ransomware attack that renders your ability to move cargo inoperable for a series of weeks?”

With the number of active shooter incidents and terrorist attacks that have occurred in the U.S. and abroad in recent years, Pflaging says organizations and their boards are increasingly challenged with trying to balance having an open and inviting environment within their facilities and on their campuses with the responsibility they also bear for protecting employees and customers.

“It presents a very interesting business cultural issue... and it is something that’s on everyone’s mind that we didn’t think about that much about before. From an anecdotal perspective, I definitely think it is top of mind for a lot of business leaders these days,” Pflaging adds.

Isles agrees with Pflaging’s sentiments and says that, much in the way government security officials have to be concerned with ISIS fighters returning from the battlefields in Iraq and Syria, private organizations too must think about their exposure to attacks from these and other radicalized individuals. “We have to be cognizant of that and I think we’re blessed with the cream of the crop in terms of law enforcement and intelligence agencies in this country as well as, to some degree, geographic distance they don’t enjoy in Europe,” he says.

Whether it is addressing physical or cyber threats, Pflaging encourages CSOs, CISOs and other senior security leaders within companies to use stories as a way of getting their points across, since a story can leave a more indelible impression on people than technical measurements sometimes can.

“If you want to bring your CEO and your boards along, make a regular habit of explaining stories in the context of the business,” he says. “That’s advice that I give to technical execs all the time: Don’t underestimate the power of a good story to get people to be more sympathetic to what you’re trying to achieve.”

About the Author:

Joel Griffin is the Editor-in-Chief of SecurityInfoWatch.com and a veteran security journalist. You can reach him at [email protected].