Corporate governance mandating cybersecurity board oversight aligns strongly with the culture of checks and balances by ensuring that all responsible parties carry out the organization’s cybersecurity strategy, preparedness, and execution.
Moreover, by maintaining this formalized check-and-balance culture, including oversight of cybersecurity risk, oversight board engagements strengthen the organization’s cybersecurity strategy by holding management accountable for failed asset protection and reducing future potential risks.
Why Corporate Boards Should be Involved in Cybersecurity Oversight?
Privacy regulations and compliance mandates require board oversight of cybersecurity risks. Specific to cybersecurity concerns, public companies are required to have their board of directors take an active oversight role.
Additionally, many private organizations also mandate that their board take an active role in validating their cyber risk management plans and cybersecurity awareness programs, and communicate their findings to other board committees. Failure to meet various compliance and privacy mandates becomes a joint responsibility of the board oversight committee and the office of the Chief Information Security Officer (CISO).
Who Within the Organization is Ultimately Responsible?
The question of responsibility and accountability becomes the focal point for the oversight and cybersecurity audit committees.
- Did the cybersecurity team have access to the correct security tools to help prevent the attack?
- Have other organizations been affected by a similar attack?
- Did the board of directors oversight committee complete the annual and semi-annual audit of the organization’s cybersecurity procedures and capabilities, evaluate the human capital resources, and document any shortcomings or areas of concern?
- Were any recommendations or directives passed down from the board oversight committee to senior management not implemented by the security operations cybersecurity teams within the organization?
Answers to these questions become part of the root-cause analysis and additional communication to shareholders, employees, and the general public.
What are Some Key Performance Indicators (KPIs) for Measuring Board-Level Oversight?
Measuring the effectiveness of the board oversight is critical to ensure this activity delivers the expected awareness specific to cybersecurity readiness and execution. Organizations leveraging the Iron Triangle KPI focus on three measurement factors:
- Cost
- Schedule
- Scope
As organizations define their oversight KPI strategy for cybersecurity, here is how the Iron Triangle KPI could be used:
- Cost: What is the cost of supporting the oversight activities, including human capital resources?
- Schedule: What is the impact on normal business operations when an oversight audit engagement has started?
- Scope: What is the scope of the oversight engagement? Does the scope align with the cost of the activity, along with a clear understanding of the impact on operations to support the auditing engagement?
What is the True Cost of Board Oversight for Cybersecurity and Risk?
If the oversight is costly, affects normal business operations, and has constant scope creep, it will adversely affect the organization financially and operationally.
Fact: “Heidrick & Struggles International Inc., a leading executive search firm based in Chicago, reported that 84% of directors of the 2,000 largest publicly traded companies in the United States agreed that ‘they are now spending more time on monitoring and oversight and less on strategy.’”
How Does Board Oversight Shape the Organization's Approach to Cybersecurity?
Because of the increasing frequency of cyber-attacks and the evidence that companies of all sizes are at risk, boards of directors must prioritize cybersecurity measures and technical expertise. Board oversight ensures cybersecurity risk management, risk tolerance, and dangers from cybersecurity threats never become just an annual audit review event.
Organizations facing constant cybersecurity attacks are incurring millions of dollars in non-budgeted response costs. They also suffer from negative publicity and increased legal liability. Therefore, these organizations need to empower their oversight board. This empowerment can help validate changes in organizational risk. It is particularly crucial when departments fail to execute the required security measures.
Boards that become less focused on material risks and cybersecurity metrics do so at the risk of unmeasurable and unpredictable loss of value and capital resources. When a gap exists between an organization’s board oversight and the CISO, managing a functional cybersecurity program that keeps pace with the ever-changing cyber threat landscape and regulatory compliance obligations becomes very challenging.
What is the Relationship Between the Board of Directors and CISO Regarding Cybersecurity Oversight?
The responsibilities of the board oversight committee and the CISO should be separate. This separation is needed to maintain separation of duties and comply with auditing requirements.
However, CISOs do maintain other board-level relationships specific to cybersecurity. The cybersecurity sub-board helps define the strategy, sets expectations for the CISO to meet, and becomes the main focal point for all public reporting, including the SEC. The board oversight becomes the CISO’s evaluator.
What are the Most Critical Legal and Regulatory Requirements Governing Board Cybersecurity Oversight?
An active oversight board helps the organization handle legal issues, including shareholder lawsuits, fines from failure to comply with security mandates, and other business events. The oversight board must stay abreast of the constant changes in local, state, federal, and global security and privacy mandates.
To create an appropriate oversight strategy, the board of directors must know what cyber threats exist within their organization today. They must also understand the legal implications of these attacks. On the other hand, CISOs will create a security operations (SecOps) team, including experts in threat modeling, incident response, and automated response. These teams, then, report material incidents to the board to meet SEC reporting requirements.
How Critical is the Board Regarding Oversight Into Cybersecurity and Compliance Audits?
The oversight board should actively audit these processes and capabilities to ensure the CISO’s investment effectively stopped attacks and assisted the organization in meeting various compliance and privacy mandates.
Functional incident response, monitoring, and reporting capabilities are required by several security and compliance mandates:
- PCI: Section 12.10 of the PCI DSS requires organizations to have an incident response plan, regularly test it, and maintain a log of all security incidents.
- GDPR: GDPR requires notification to the appropriate GDPR supervisory authority within 72 hours of learning about the incident.
- DORA: Financial entities must comply with DORA by updating their incident response procedures, including early warning indicators, incident tracking, logging and categorization systems, and assigning roles and responsibilities. In our podcast discussion featuring cybersecurity expert Pierre Noel, he emphasizes the importance of DORA not only in implementing effective incident response strategies but also in ensuring regulatory adherence by the board of directors and senior executives.
- NIS2: Organizations must report incidents to the National Centre of Cyber Security within 24 hours and provide a final report within one month.
- HIPAA: HIPAA security incident procedures must include preserving evidence and mitigating the situation.
Validating the SecOps capabilities is one of many oversight engagements the board should focus on during the fiscal year. Lack of board oversight of these capabilities could lead to fines from regulatory bodies. The board of directors may also face litigation from stakeholders, particularly investors, for failing to identify the lack of preparedness and effectiveness of the SecOps resources.
Fact: “Delaware Supreme Court’s 2019 Marchand v. Barnhill (known as Blue Bell) decision has increased allegations that a board did not attend to key risks, even where companies had published corporate policies regarding risks.”
Increasing Oversight for Cyber Resiliency To Meet Future Security Challenges and Mandates
Oversight boards looking into the near future must align with the organization’s transition from a cyber protection mindset to a cyber resilience model. CISOs working with the board subcommittee for cybersecurity will help develop transition strategies. The oversight board will develop an auditing process. This process ensures the needed adaptive controls, policies, and procedures are implemented and performed as expected.
The oversight board should acknowledge that resilience encompasses more than just protection. It involves having a plan for recovery and business continuation. Being resilient means taking measures to prevent and detect cyber incidents and ensuring the ability to operate when such incidents occur. Companies must manage the risks associated with avoiding and recovering from cyber incidents.
The Importance of Board Feedback Regarding Risk and Cyber Incidents
The oversight board should provide feedback if the transition cannot meet the organization’s goals. Failure of this transition could result from a lack of funding. It could also result from a poor assessment of current protection capabilities to support better resilience. Additionally, a lack of qualified security operations engineers with experience in resilience could contribute to this failure. This feedback should go from the oversight board to the cybersecurity subcommittee and the office of the CISO.
This workflow will help organizations learn from their mistakes and ensure greater accountability and responsibility. The oversight board contributes critically to the organization by maintaining its objectivity and firm governance in line with its charter.
Similar to business engagements, board-level oversight needs to evolve as the threat landscape and global business models change. Relying upon existing board members with a lesser background in cybersecurity to serve in an oversight role will deliver less valuable insight as more organizations adopt new technologies, including artificial intelligence.
As DORA and NIS2 go into effect, the board of directors should prioritize the need for an updated oversight charter. Organizations adopting and deploying high-risk and unproven technology like AI need an oversight board with experienced members. This ensures the audits and other validation processes can identify, evaluate, and recommend constructive and valuable changes.
Should you need help or advice at the board level, please contact Cubic Consulting at https://cubic.consulting. Help includes personal training, risk meeting preparation, and cybersecurity strategy review.