Cybersecurity and the Board of Directors


Key Findings from BITS/FSR Meetings

OVERVIEW

Board directors are increasingly required to engage in cybersecurity risk management, yet some may need better education and knowledge to effectively oversee the risks. At the same time, the dynamic nature of cyber threats, combined with the proliferation of regulatory frameworks and the lack of well-defined metrics, makes it a challenge for C-suite executives to succinctly contextualize information and demonstrate progress to the Board.

To address this challenge, BITS conducted primary research, including holding two regional meetings in 2016 (February 12 in Atlanta and April 21 in New York City) and an in-person meeting (June 9 in Washington, DC) for Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) to discuss various approaches to presenting cybersecurity risk information to the board and how best to facilitate an effective dialog. The following provides a summary of key topics that were discussed during these meetings.

KEY THEMES

What are Board Directors Looking For?

During the June 9 Washington, DC meeting, George Anderson, who leads Spencer Stuart's Board Effectiveness practice, discussed trends in corporate governance and noted that board directors with technology expertise are increasingly in demand. For various reasons, however, there has been a period of reduced turnover in the boardroom, and when board positions do open, there is often pent-up demand for other qualifications that may surpass technology expertise. Overall, many boards continue to lack directors with a background in cybersecurity or technology and may rely on the CISO, executive management, or other external advisors to help them understand cyber risks.

Anderson, along with Tucker Bailey from McKinsey and Company and Marc Loewenthal from Promontory Financial Group, shared what they hear most often from board directors when it comes to cyber risk management, including the following: board directors receive too much data with insufficient insight into what the data means for the company; it is difficult to tell where to focus attention; and progress is difficult to measure. What the board wants is a conversation around actual risk as related to risk tolerance. For CISOs and CIOs in financial services firms, the challenge can be translating the board's moderate risk tolerance to the operator level and giving the statement meaning. Many meeting participants noted that they use frameworks like the NIST Cybersecurity Framework to demonstrate and help visualize the firm's cyber maturity level. Others noted their board's desire to compare the company's cyber practices to those of their peers.

On the whole, based on this research and related discussion, the primary interests of board directors appear to be:

- The threat landscape and trends in the industry. For example, what does the Swift breach mean for the industry and the firm in particular?
- Response and recovery. Is the company prepared to respond to a breach? How are these response and recovery plans evolving to remain effective? How are they exercised (e.g. comprehensiveness, frequency) to find gaps and make modifications?
- Board responsibilities. Board directors want to ensure they are fulfilling their responsibility to oversee cyber risk management programs, and that the firm has a framework for prioritizing cyber efforts and for effective planning and execution on key issues.
- Technology tools. Does the company have the technology necessary to protect against threats? If not, what will it take to improve technologies?
- Talent. Does the company have the right people with the right skills to protect against threats?

Communication with the Board

Over the last five years, the board's involvement in cybersecurity has evolved and grown in importance. The combination of high-profile breaches at major companies and increased regulatory requirements has led many financial firms to reorganize board reporting around cyber risk. Some firms have created an enterprise risk committee or a technology committee to oversee cyber risk management. As this has occurred, the reporting relationship between CISOs, CIOs and Chief Risk Officers has also evolved, with CISOs and CIOs, in particular, spending more time interacting with the board. For most firms, CISOs and/or CIOs provide quarterly briefings to the board on cybersecurity, including at least one or two to the full board.

In between meetings, some firms provide a written cyber update, particularly when an incident occurs either within the firm or in the broader industry. At least one firm provides a weekly report that covers events happening globally, their impact on the firm and what the firm is doing to address them. Others provide memos to the board to address or respond to issues at other firms when reported in the media.

In these conversations, board directors often focus on issues of recovery and resiliency. This may stem from events in the news such as the widely publicized Target attack, ransomware attacks or the Swift interbank payments system breach. In looking at the event, the board needs to be informed on how vulnerable the company is to that type of attack, including operational, client and reputational risk, and on the preparation to respond and recover should it occur.

Typical contents of a board report include:

- Executive summary (2-3 pages): issues management is currently dealing with, regulatory or legislative activity, information security incidents.
- Outcomes of risk assessments and internal audits: many companies use third parties to assess their cyber programs against frameworks like NIST or the FFIEC Cybersecurity Assessment Tool or, when operating internationally, against similar frameworks such as ISO.
- Internal roadmap: progress against the company's cyber risk management program.
- State of the world: firms are more actively including information for educational purposes, providing an overview of what's happening with fraud, DDoS attacks, destructive malware, etc. and helping boards develop a more comprehensive understanding of the state and nature of cyber risk.

In communicating with the board, many highlighted that using business language rather than tech-speak is important to fostering an effective dialogue. Another common suggestion was to use vignettes or stories to help provide context and to dimensionalize the types of attacks by explaining how they fit in the overall threat landscape and their impact on the industry and other firms. For example, cyber incidents affecting large banks may be a form of retaliation against U.S. sanctions and the indictment of international hackers by the Department of Justice for crimes going back several years. This ability to put events in context and tie them together can facilitate better understanding and awareness among board directors.

Board Education

Many CIOs and CISOs highlighted the importance of providing regular education sessions to board directors on technology and cybersecurity risks. A number of executives reported concerted efforts to educate directors over a number of years and stated that the conversation today with their board has evolved and is now quite robust.

Some of the tools and methods used to help board directors understand cybersecurity threats and the company's risk management procedures include:

- Annual education sessions: Many companies schedule annual education sessions for board directors, separate from regular board meetings. Oftentimes, companies bring in a third-party expert (e.g., a legal firm or network security company) to provide training on board responsibilities or on what happens in the event of a breach.
- Videos: Using a video showing how a hacker attacks the company and how the company responds can build a narrative and provide helpful context for board directors.
- Tour of operations center: Providing a tour of the cyber operations center, during which directors can hear and see how an attack works and how the company responds, can further their understanding. This can allow directors to see how investments in cybersecurity tools are used in day-to-day operations.
- Attend board dinners: Attending board dinners provides an informal opportunity to build relationships and dialogue with directors on cyber risks.
- Informal one-on-one meetings: Private lunch meetings with individual directors provide an opportunity for informal discussion around cyber risks.

Use of Frameworks and Metrics

The number of frameworks and regulatory requirements to assess financial services firms' cybersecurity operations has expanded dramatically in recent years, leading to concern that a disproportionate amount of time and scarce cybersecurity expertise is devoted to regulatory compliance tasks as opposed to identifying and addressing actual risks and operational needs. How best to present the company's performance as measured against varying frameworks has become quite a challenge during board presentations. Many firms have reported organizing board presentations around the NIST framework and are now seeking ways to also incorporate the FFIEC CAT Tool. Larger firms with more complex businesses or global footprints have resourced efforts to create their own set of metrics that blend aspects of multiple sources (e.g. NIST, FFIEC, ISO, internal) to provide the most accurate and complete picture of the company's cybersecurity program.

A common question of board directors is how the company's performance compares to the rest of the industry. To address this question, some CISOs reported using an outside firm to conduct an assessment against the NIST framework or the CAT Tool and then comparing the aggregated or anonymized results against other companies for which that firm had also done work (often across multiple industries). To address the possibility that a third-party assessment firm might skew the results in order to create further business opportunity, one CISO recommended prohibiting that firm from doing any additional business with the company for 18 months.

Challenging topics to address

Another discussion point during the cybersecurity board governance meetings was topics that are difficult to address with board directors. For example, the question "Are we secure?" can be challenging because it requires a nuanced response that may seem unsatisfactory. Similarly, measuring and demonstrating progress to the board can be difficult. While a firm may be making progress against its cybersecurity improvement plan, the board needs to understand that there could still be a breach.

Additional topics reported as difficult to address with the board include:

- Are we spending enough on cyber? For some companies the more important point is not cyber investment but managing its implementation without disrupting the business. One way to address this is to have an executive committee or steering committee composed of key members of management (CIO, COO, etc.) determine priorities and manage the implementation of investments.
- Providing an accurate assessment of risk due to third-party relationships. The reliance on third parties can make it more difficult to provide a current assessment of company cybersecurity risks, due to the inability to have real-time access to vendors' facilities and networks. Strong third-party risk management programs, and programs to ensure company data is going to the right place at the right time and is properly secured, can help address third-party risk concerns and meet oversight requirements for regulated firms.
- The role of the CISO. The complex role of the CISO (the need to balance multiple priorities quickly during an event, determine when to engage law enforcement, and decide what to tell customers and when) may not be well understood by some directors and may contribute to questions that are difficult to answer or that elicit an unsatisfactory response. Engaging board directors through education sessions, the use of videos or operations center tours could provide a better understanding of the CISO and of cyber risk management programs.

Next Steps

BITS plans to host a meeting for board directors to discuss many of these same issues in early 2017. The board-level meeting will focus on helping directors deepen their understanding of cyber risk management practices within the industry and engage in a dialogue with peers to share experiences. The meeting will incorporate the feedback we have received from CISOs and CIOs and our research with advisory and consulting partners. In addition, we will hold another meeting for CISOs and CIOs in the spring or summer of 2017. That meeting will focus on industry trends in cybersecurity board governance and provide a forum for sharing experiences and best practices.

If you have any questions or would like additional information on the BITS cybersecurity board governance program, please contact Heather Hogsett, Vice President of Technology & Risk Strategy, at Heather.Hogsett@fsroundtable.org or (202) 589-1930, or Chris Feeney, President of BITS, at Chris.Feeney@fsroundtable.org or (202) 589-2437.