This article was originally posted on the ISACA website and is an interview conducted by Jay Schwab of ISACA.
Editor's note: Dottie Schindlinger, VP/Governance Technology Evangelist with Diligent and a panelist on the importance of tech-savvy leadership at ISACA's CSX North America conference last October, recently told Forbes that cybercriminals target organizations perceived to be low-hanging fruit. Schindlinger visited with ISACA Now to discuss how organizations can avoid falling into that category and other key board-level cybersecurity considerations. The following is an edited transcript:
ISACA Now: How do board directors and executive leaders go about ensuring hackers don't consider their organizations to be low-hanging fruit?
Board members and executive leaders of organizations are ultimately responsible for ensuring the long-term health of their organizations – and this responsibility extends to mitigating cyber risk. That doesn't mean they have to be deeply involved in the day-to-day operations of cybersecurity programs, but they can't be complacent.
The simplest thing directors can do to mitigate cyber risk is to ask questions and hold themselves to a higher standard. First, boards should ensure their organizations are providing the right set of tools to ensure the board's communications are kept secure – for example, moving away from email in favor of a more holistic 'Enterprise Governance Management' solution.
Additionally, boards should receive a quarterly high-level summary from the organization's IT/data security team explaining the main components of the organization's cybersecurity program. This should include a review of the current threats and thwarted hacking attempts, and a review of the training and education taking place across the organization. The CIO or CISO should be present at every board meeting to deliver the report, answer questions, highlight concerns and discuss ongoing investments in cybersecurity.
Furthermore, board members and senior executives should be required – along with anyone granted access to the organization's sensitive data – to receive cybersecurity training and support. Far too often, senior leaders are prime targets for hackers because they have access to highly sensitive data with little IT oversight.
ISACA Now: Are boards becoming more sophisticated about providing cybersecurity leadership?
Yes and no. When asked, most directors voice strong concerns about data security – they are clearly worried about the stories they hear about in the news. But that concern doesn't necessarily lead to action. For example, far too few directors are required to receive cybersecurity training on a regular basis. Our last survey – conducted in 2017 – showed that fewer than one-third of directors receive regular cybersecurity training and, even then, it's most likely to be conducted very infrequently.
We also learned how heavily directors rely on email for communication. More than two-thirds use email as their primary form of communication about board business. This is worrisome in light of the explosion of ransomware and malware attacks targeted at high-ranking individuals throughout 2017. If directors are using unsecured, unencrypted email to share sensitive data, the directors themselves become sources of cyber risk, rather than stewards of cybersecurity.
I believe the needle is finally beginning to move in a positive direction. Fear is a strong motivator, but so is the potential for revenue growth that comes when an organization's leaders are more tech-minded.
ISACA Now: Given the growing understanding of the importance of cybersecurity, why are many organizations still reluctant to invest in training, both for board members and for their staffs?
Partly I think this has to do with a lack of understanding of the immediacy and severity of the threat. Considering that it typically takes a few months for a breach to even be detected, it's highly likely more organizations have been breached than we know. I think many organizations want to believe they aren't as vulnerable as they really are. In my conversations with directors, I've heard the phrase, 'Our IT team is top-notch and we have cyber risk insurance.' Those two statements might be absolutely true – but neither one can prevent an organization from being hacked 100% of the time.
I think it's fair to say that some complacency is born from a lack of familiarity. The vast majority of directors and senior leaders are not digital natives. The average age of directors is still north of 50, meaning senior leaders are much more likely to have grown up using typewriters than mobile devices. This means that technology can feel like a foreign topic (and a sore subject) for many directors, causing them a good deal of discomfort. I think that when CISOs approach technology discussions from the perspective of enterprise risk and business growth – and don't stray too deep into the technology 'weeds' in their reports – they will find directors and senior leaders are much more open to engaging deeply in the issues.
ISACA Now: What role should CISOs play in working with the board to elevate an organization's security protocols?
Ideally, the CISO or other data security leader collaborates with the board and other senior leaders in the following ways:
- Ensure the board and senior leaders have secure communication tools available and know how to use them appropriately;
- Provide an update at each board meeting on the current state of cybersecurity programs, changes in the threat landscape, updates on cybersecurity investments, and highlights of any technology developments worth the board's attention;
- Answer the board's questions and provide support on cybersecurity questions;
- Work with the general counsel or audit committee to develop secure communication policies for the board, and brief the board on these policies – and any recommended changes – at least annually;
- Arrange for cybersecurity training for directors and senior executives – ideally conducted at least annually (but more frequent is better);
- Coordinate an annual tabletop exercise for the board, simulating a cyber event and testing the board on their response prowess;
- Conduct a periodic review of the board and senior leadership's communication methods and norms – to ensure adherence to policies and reduce reliance on any unsecured communication channels.
If a director has had personal exposure to a cyber event, he/she suddenly has a much greater level of awareness about the risk and a greater desire to learn how to ensure security. I don't believe this 'personal experience' has to be an actual cyber-attack – rather, a good simulation exercise, deep discussion at the board table, or a guest speaker who can share some 'horror stories' should be enough to spur greater action. I'd recommend any activity that gets leaders asking questions like: Do we know which branch of law enforcement to call, and who is our main point of contact? What sort of cyber risk coverage do we have, and what services will our insurance carrier provide to help us during the breach notification period? What is our level of personal legal liability in this case? Do I need to wipe any of my own personal devices or drives and change any of my passwords?
At the same time, many CISOs do themselves a disservice by not focusing on the right issues in their reports to senior leaders. The CISO's report should remain high-level and jargon-free (or with easy-to-comprehend explanations). Keep the focus on the enterprise risk and business growth side of cyber risk, not on the nitty-gritty of the CISO's day job.
Bottom line, if a board doesn't seem to have much motivation to discuss these serious issues, then the C-suite team should find a way to provide that motivation. The stakes are far too high to just hope for the best.