According to Symantec's Internet Security Threat Report 2015, 317 million new pieces of malware were released in 2014, and 348 million identities were exposed. In a 2014 report by security specialists CyberEdge Group, 71 percent of organizations surveyed across the U.S. and Europe had suffered a successful cybersecurity attack. With these increasing threats come increasing costs. The price of a breach can be staggering: the HP and Ponemon Institute report on the Global Cost of Cyber Crime puts the average cost of a security breach at $12.7 million per organization, a rise of 96 percent in 2014.
Figures like these have given cybersecurity a firm seat at the Board of Directors' table.
Cybersecurity issues are a companywide problem. They affect not only finances, but also the reputation of the company and of the Board members themselves. In one of the most high-profile incidents of recent years, the Target breach, Board members now face a lawsuit alleging that they were negligent in their fiduciary duty of care over internal processes and the protection of consumer data (Civil Action No. 0:14-cv-00266-PAM-JJK). Lawsuits aside, a company's reputation is often damaged by a cybersecurity attack, and "cleaning up" afterward is itself costly, as exemplified by the recent decision to open a multi-state investigation into JPMorgan's compliance structure after the company suffered a major data breach in 2014 – an investigation that will be very costly for JPMorgan in personnel requirements and general costs.
This current scrutiny of data security failures and non-compliance by the courts has sent ripples through every industry, and according to law firm Akin Gump Strauss Hauer & Feld, “Cybersecurity oversight is the second most important topic for Boards in 2015 — just behind strategic planning.”
But to tackle an ever-increasing cybersecurity threat landscape with insight, cybersecurity and compliance must be communicated effectively to Board members who may well not specialize in this area. Approaching the often complex arena of cybersecurity and compliance calls for a logical approach that is informative and offers resolutions. Some ideas of where to start in talking to the Board about these issues include:
Defining the Threat
“There are only two types of companies. Those that have been hacked and those that will be.” — Robert Mueller, FBI Director
Definition is the most important aspect of communicating cybersecurity and compliance issues to the Board. As with anything in business or life, clarity is key. To gain a clear picture of the problem at hand, determine the threat landscape for your company; this will be central to your discussion.
Board members are interested in certain areas. Above all, they need to understand the risk to the company itself from cyber threats, explained in clear and understandable language; this is not the time for technical detail. To communicate your company's cybersecurity efforts, use terms Board members are likely to understand, and raise the questions they have an interest in. Questions and topics which can set the scene for creating this landscape are:
- An overview of the current trends in security, including the security threat landscape and security tool availability. Use your imagination and make this overview accessible to a non-technical person.
- What is the business risk to the company? Perhaps use a traffic light system or similar to highlight the criticality of each risk area.
- What could have the most significant impact on the company’s revenue stream?
- What areas within the company are protected?
- Does your company have cybersecurity insurance?
- Has the company addressed compliance standards and laws surrounding privacy and security of data, including SOC examinations, ISO 27001 certification, PCI-DSS validations and HIPAA assessments? Noncompliance can result in fines and even imprisonment for directors.
- What areas are vulnerable? This should include discussions around insider threats and employee education on cybersecurity.
- Will the company brand be adversely affected by a breach?
- How can any issues be fixed?
Providing Metrics or a Progress Report
Progress reports are vital to communicate the changing situation of security concerns and remedies within an organization. They can inform security strategy going forward. Board members are likely to want to see how the company’s cybersecurity policies are implemented and progressing. For example, if you’ve explained your company’s vulnerabilities, the Board will want to see the progress in closing off those vulnerable areas.
If possible, provide the Board with regular metrics on vulnerability scans, on the inventory of known and authenticated devices and software, or on business measures. CIO Magazine suggests communicating these metrics to the Board every quarter.
The SANS Institute has an excellent paper on what type of detail should be included in security metrics for Board members.
Know the CEO
The CEO will often be the person who delivers information about cybersecurity to your organization’s Board. Keeping the CEO (or whomever relates this information to the Board) abreast of cybersecurity issues and company vulnerabilities is a vital part of the communication channel; hold regular forums where you can discuss security trends and threats.
Get Everyone Involved
Cybersecurity protection needs to be handled in a holistic manner. The problems we face as organizations when managing the challenge of security and compliance do not just fall on the shoulders of one employee or department — it’s a companywide effort, with employees across the organization playing an important role in security. When communicating this to Board members, make sure stakeholders from your legal, risk and PR departments understand their respective roles and can proficiently execute them both to prevent a breach and to mitigate the loss experienced when there is one.
Concluding Thoughts: Communication as a Form of Security Mitigation
As the cyber crime landscape continues to increase in scale and as criminals use more sophisticated and often more targeted techniques to attack our organizations, communicating effectively with the Board about security and privacy threats becomes ever more important. Cybersecurity is no longer the sole domain of the IT department; it affects the company at all levels, across all layers of infrastructure. The points outlined above go some way toward helping you develop a plan to communicate the challenges of security and compliance with your Board. Getting Board members on board with security policy and strategy will ultimately help to mitigate security breaches.