Executive Summary
The National Association of Corporate Directors says that directors do not feel adequate in terms of mitigating cybersecurity issues. The problem is that we have led ourselves to believe that cybersecurity risk is somehow different from all the other risks that directors deal with daily. This is incorrect. The same risk strategies apply: acceptance, avoidance, mitigation and/or transfer. The needed change is that directors must insist that their technical C-level executives transform technical risk into business risk. The board needs to help them with this because many are not comfortable doing it. But once done, all that is left to do is for the board to learn and understand at a high level some of the technical issues involved in these strategies. Start with the Cybersecurity Canon Project: a collection of network defender-recommended books about all aspects of security. As a priority, read these three books first: "Navigating the Digital Age," "How to Measure Anything in Cybersecurity Risk," and "Measuring and Managing Information Risk: A FAIR Approach."
Introduction
Based on a recent survey conducted by the National Association of Corporate Directors, only 19 percent of board directors feel confident that they grasp the nuance of cybersecurity risks well enough to make well-informed decisions. A whopping 59 percent of directors surveyed by the NACD say that they feel inadequate to oversee these risks. [1] Those are shocking numbers, since almost every business today has some sort of cyber component. As the world sprints into the digital age, you would be hard-pressed to find a business that has no digital component helping to drive the efficiency and innovation of the company.
How Did We Get Here?
This situation is largely the fault of the network defender community: your CIOs, CSOs and CISOs. From the first CISO who was hired back in the mid-1990s [2] until the present day, the network defender community has insisted that the risks associated with cybersecurity were somehow unique compared to the myriad of other risks that directors deal with every day. They said that, because this kind of risk is mostly associated with computers, the internet and hackers, it belongs in some sort of risk category that requires special handling. This is wrong.
Cyber Risk Is Not a Special Kind of Risk
Risk is risk, whether it manifests from employee injury, property loss, business interruption, liability or a cybersecurity breach. Directors deal with this cyber risk the same way they deal with all other risks: they find ways to alleviate or eliminate potential material risk to the business. They use basic risk management strategies like acceptance, avoidance, mitigation or transfer. [3] From these strategies, all that is new to the director in dealing with cybersecurity risks are the potential technical mitigation strategies you might choose. But that is why you have the technical C-staff working for you. The CIO, CSO and CISO will understand the technical details. What you should be asking them to portray is the potential risk to the business.
This is hard for most technical C-levels. They understand the technical details, but many have trouble transforming that technical risk into business risk. They will need your help with understanding the business risk strategies that directors already understand and with separating all the “scary” risks – scary because they come from hackers – from the potential-material-impact risks that threaten the company. In other words, there are many alarming scenarios that we all can manufacture when it comes to hacker stories, but the key is articulating the scenarios that will have a high impact on the business if they occur and, at the same time, have a high probability of occurring in the short term. This is a conversation with which many technical C-level executives do not have a lot of experience. Once that is done, the last thing to do is for the director to gain a high-level understanding of the technical solutions your technical C-level executives recommend.
Director Homework
When learning about a new knowledge domain, the thing to do is to check the literature. Fortunately, there is a community project at your disposal on which directors can rely, called the Cybersecurity Canon Project. [4] Think of it as the Rock and Roll Hall of Fame for cybersecurity books. This is not just a book list. In order to get on the list, some network defender has to write a book review justifying why a particular book should have been read by all of us by now. There is a committee that consists of all types of network defender experts who read all of the submissions and decide which books make it onto the candidate list, and which books ultimately get put into the canon. For directors, I recommend two books that are currently on the candidate list and one book that is already in the canon.
"Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers," published by the New York Stock Exchange and Palo Alto Networks
"Navigating the Digital Age” is the first comprehensive book specifically designed to enlighten and educate corporate directors and officers in terms of cybersecurity. The book includes more than 30 contributors, so it is meaty; and while there is some overlap in the material covered, it contains a dense collection of information around fundamental principles for the board members to do their jobs; board standards to consult; the executive on whom they should rely – the CISO; which committees they should create to support their efforts; what they should worry about in terms of fiduciary responsibility and the potential for litigation; the perceived cybersecurity disconnect between shareholders and board members; and finally, how they should think about disclosing breach information to the public. [5] This is a free-to-download book published in partnership by the New York Stock Exchange and Palo Alto Networks. Since the publication of this book, Palo Alto Networks has published companion books in France, Australia, Japan, Singapore and the U.K. We plan to publish books in Germany and Holland this year too. [6]
"How to Measure Anything in Cybersecurity Risk," by Douglas W. Hubbard and Richard Seiersen
“How to Measure Anything in Cybersecurity Risk” is a book anyone who is responsible for assessing risk should read. It is grounded in classic quantitative analysis methodologies and provides a good balance of background and practical examples. The authors lay out a solid case for why other industries with a similar challenge – a lack of quantifiable, standardized or historical actuarial-table-like data – are able to use classic statistical modeling and methodologies to measure risk in a qualified, repeatable way. [7]
"Measuring and Managing Information Risk: A FAIR Approach," by Jack Freund and Jack Jones
"Measuring and Managing Information Risk" is a book that not only describes what risk is but also teaches you how to measure it quantitatively so that practitioners can demonstrate to their leadership that they understand the problem. It shows how to deliver financially derived results tailored for enterprise risk management and is intended for organizations that need to either build a risk management program from the ground up or strengthen an existing one.
It covers key areas, such as risk theory, risk calculation, scenario modeling and risk communication within the organization. [8]
Conclusion
Cybersecurity risk is no different from any other kind of risk that directors normally handle in their day-to-day jobs. In the early internet days, we let the technicians convince us otherwise. Now we are trying to re-learn the real truth: that we can use the same traditional risk strategies for cybersecurity as we do for all other business risks, namely acceptance, avoidance, mitigation and/or transfer. Many of our technical C-level executives need help transforming technical risk into business risk. The director can help with that. Insist that your technical C-levels sort out the “scary” risks from the probable high-impact risks. To gain a high-level understanding of some of the issues, directors should refer to the Cybersecurity Canon Project and read the literature that the network defender community recommends, beginning with these three books: "Navigating the Digital Age," "How to Measure Anything in Cybersecurity Risk," and "Measuring and Managing Information Risk: A FAIR Approach."
Sources
- [1] "In Cyber, Who Do We Trust to Protect the Business?" by Peter Gleason, http://www.darkreading.com/risk/in-cyber-who-do-we-trust-to-protect-the-business-/a/d-id/1328245.
- [2] "Evolution of the CISO and the Confluence of IT Security & Audit," by Thomas Borton, ISACA (March 13, 2014), https://goo.gl/ocM6RL (last visited April 15, 2017).
- [3] "4 Ways to Handle Risk (Only One is Bad)," by Ken Stasiak, SecureState Blog (July 7, 2015), https://www.securestate.com/blog/2015/07/07/4-ways-to-handle-risk-(only-one-is-bad) (last visited April 16, 2017).
- [4] "The Cybersecurity Canon: Books Every Cybersecurity Professional Should Read," Palo Alto Networks, /threat-research/cybercanon.html (last visited April 18, 2017).
- [5] "Book Review: Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers," by Rick Howard, Palo Alto Networks CSO (January 2016), /blog/2016/01/the-cybersecurity-canon-navigating-the-digital-age-the-definitive-cybersecurity-guide-for-directors-and-officers/ (last visited April 16, 2017).
- [6] "Navigating the Digital Age Download," Security Roundtable, https://www.securityroundtable.org/wp-content/uploads/2015/09/Cybersecurity-9780996498203-no_marks.pdf (last visited April 17, 2017).
- [7] "How to Measure Anything in Cybersecurity Risk," by Douglas W. Hubbard and Richard Seiersen, published by Wiley (April 25, 2016), https://www.goodreads.com/book/show/26518108-how-to-measure-anything-in-cybersecurity-risk?ac=1&from_search=true (last visited April 16, 2017).
- [8] "Measuring and Managing Information Risk: A FAIR Approach," by Jack Freund and Jack Jones, published by Butterworth-Heinemann (January 1, 2014), https://www.goodreads.com/book/show/22637927-measuring-and-managing-information-risk?ac=1&from_search=true (last visited April 16, 2017).
Book Reviews
- "Book review: Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers," by Rick Howard, Palo Alto Networks CSO (January 2016), /blog/2016/01/the-cybersecurity-canon-navigating-the-digital-age-the-definitive-cybersecurity-guide-for-directors-and-officers/ (last visited April 16, 2017).
- "Book review: How to Measure Anything in Cybersecurity Risk," by Steve Winterfeld, Cybersecurity Canon Committee Member (December 2, 2016), /blog/2016/12/cybersecurity-canon-measure-anything-cybersecurity-risk/ (last visited April 16, 2017).
- "Book Review: Measuring and Managing Information Risk: A FAIR Approach," by Ben Rothke, Cybersecurity Canon Committee Member (September 10, 2015), /blog/2015/09/the-cybersecurity-canon-measuring-and-managing-information-risk-a-fair-approach/ (last visited April 16, 2017).