Secure Digital Solutions, LLC
20 Mar 2017

Cyber Risk is a Key Focus for Corporate Boards

March 20th, 2017
By Adam Stone, Principal

For organizations across industry sectors, digital commerce is the dominant vehicle for transacting business and improving efficiency. Groundbreaking innovations in computing accelerate the pace of change for business, and with it the risks that naturally follow. Among these, cyber risk stands out and has become a key focus for corporate boards. The Institute of Risk Management defines cyber risk as “any risk of financial loss, disruption or damage to the reputation of an organisation from some sort of failure of its information technology systems.”

Board members in the digital economy need the knowledge to ask the right questions of corporate executives. Without a reasonable degree of technical fluency, board members lack important tools for ensuring a professional standard of care for the organizations they serve. Board members face a business imperative: adapt, today, to the disruptive changes of digital commerce by adopting a new dialect grounded in cyber risk.

Recently, the National Association of Corporate Directors (NACD) published the 2017 Cyber Risk Oversight Handbook. The message of the Handbook is clear: to assert meaningful oversight in the digital economy, board members must treat cyber-risk as an issue of strategic import and operational significance for the organization. Cyber-risk ought not be written off as an “IT issue,” since this sort of thinking creates a hazardous blind spot for professionals charged with corporate governance responsibilities. To prepare board members for discussions about cyber risk, NACD recommends the following:

  • Understand the legal ramifications for the company, as well as the board itself.
  • Ensure directors have sufficient agenda time and access to expert information in order to have well-informed discussions with management.
  • Integrate cyber risk discussions with those about the company’s overall tolerance for risk.

These recommendations emphasize the need for proactive (rather than reactive) identification and analysis of cyber risks, as well as clear direction on cyber-risk management strategies. Importantly, the board’s treatment of cyber-risk ought to reflect the firm’s culture and capacity for change.

In support of an effective cyber risk strategy for the board, the Handbook outlines five cyber risk oversight principles fundamental to an effective risk management program.

Information security leaders play a crucial role in cyber risk governance. Board members depend on current, meaningful data to support the effectiveness of the firm’s information security controls and processes. For over a decade, Secure Digital Solutions (SDS) has provided solutions to elevate the language of information security by focusing on process maturity mapped to risk categories. Our award-winning TrustMAPP® platform leverages the powerful MAPP™ (Maturity Assessment, Profile, and Plan) methodology to quickly identify, measure and understand the performance of the business processes that support a security program and inform risk decisions.

Using process maturity as the key performance indicator for program effectiveness, TrustMAPP provides security leaders with readily available tools to effectively communicate the business value of cybersecurity and cyber risk. Executives and board members reap the benefits of TrustMAPP analytics via improved clarity in the organization’s information security posture and its impact on cyber risk strategies.

Want to learn more? Visit TrustMAPP.com for information about TrustMAPP®, powered by the MAPP™ methodology.

16 Feb 2017

Investors’ Top Five Cyber Security Questions

February 16th, 2017

In the wake of numerous high-profile cyber attacks against global businesses, including Sony, Target, and eBay, investors and boards alike are realizing that data breaches are an ever-present threat. Investors expect company boards to assume a leadership role in addressing risks and controlling damage from these cyber incidents. Information security leaders should also understand what boards and investors expect from them in translating the business value of security.
An article from the Council of Institutional Investors called “Prioritizing Cybersecurity” explores the top five cyber security questions investors are asking company boards, and how the board can effectively respond.


  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?

With this question, investors want to learn how well informed the directors are regarding the company’s cyber risk profile. Investors are best reassured when the board is updated frequently about information security risks.

  2. Has the board evaluated and approved the company’s cybersecurity strategy?

Investors expect the board to have a full understanding of the company’s strategy for minimizing the financial and material impact of a cyber incident. A good strategy includes protecting the most critical data and assets from operational, financial, reputational, and legal harm. It should include preventative, detective, and corrective measures. The board must also be familiar with management’s incident response procedures, including simulation drills and a strong communications plan.

  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?

Cyber security often requires a multi-disciplinary approach across multiple management levels. Board members are responsible for reviewing the backgrounds and qualifications of everyone accountable for cybersecurity. Investors look for an organizational structure with clearly delineated responsibilities and sufficient management oversight.

  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?

The board has the authority to establish standard performance metrics based on the company’s size, industry, and risk profile. An additional benchmark is to compare performance to that of similar companies. Investors want to know how the company’s security efforts perform according to the company’s own metrics, as well as how they compare to other companies.

  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?

Investors want the board to fairly and accurately report on the company’s cyber risk profile and security performance. The SEC asks that companies disclose cyber incidents, but provides few guidelines regarding when such a disclosure is required. The board can proactively communicate the process used to assess damage from cyber incidents on the company’s data and assets. Transparency about this process reassures investors of the company’s cyber health.

Boards and investors can develop a more productive partnership through better communication. Board members should seek to understand the investors’ concerns, and the investors should make equal effort to understand the board’s decisions and actions.

Secure Digital Solutions offers TrustMAPP®, a platform that facilitates this type of communication and information sharing between information security leaders and their boards. Contact our team to learn more about the TrustMAPP® solution.

21 Dec 2016

Five Popular Initiatives of Cyber Security Leaders in 2017

With the new year approaching, now is a great time to celebrate the successes (and failures) of information security leaders and reflect on the challenges these leaders face in 2017. With this in mind, we’ve condensed the list to five popular initiatives of cyber security leaders in 2017. After the massive ransomware attacks, large-scale data breaches and other adverse cybersecurity events of 2016, we anticipate another demanding year.

Recently, we asked security executives how they plan to address cybersecurity in 2017. What lessons did they take from the past year? What do they anticipate will be the issues needing the most attention in 2017? Additionally, we collaborated with Fortium Partners to gain the perspective of the CIO office.

What we learned from these conversations largely echoes the initiatives highlighted in 2016, with the addition of a few new priorities.

  1. Third-party security risk grows as we continue to outsource critical functions and migrate systems to the cloud.
    • Assessing third-party risk became a top priority after high-profile data breaches in 2013-2014. Third-party risk management initiatives finally made the project list across many security teams and C-suite leaders in 2015 and 2016 and will continue to improve with additional automation, scope expansion and improved metrics in 2017. Third-party risk management will become a core function of security and compliance operations and move off of the special projects list in 2017.
  2. Influencing employee behavior and company culture around cyber security is challenging without top-level support and remains a top priority.
    • Security awareness training is still a critical component of maintaining policy compliance and information security best practices. Security leaders will continue to sharpen and hone the messages and content delivered to end users throughout 2017, because security is everyone’s role, not just the security team’s. This is a theme the security industry has focused on for several years. Although the topic is not new, take this as a reminder that user security awareness training is as important as ever. In our experience, many successful attacks involve human error. Training is one key mechanism for reducing these errors to an acceptable level of risk.
  3. Threat actors continue to adapt their tactics faster than we can build or adapt our defenses.
    • Hardening the perimeter is an old concept and nearly inapplicable in today’s connected landscape. Thus, security leadership is taking the position that all connected devices are untrusted until otherwise vetted. This approach is also driving improvements in third-party risk management, where connectivity between two organizations is often involved. There are some promising new solutions in the marketplace that can perform real-time detection and stop questionable network traffic at the door. As the industry continues to improve attack prevention, we will see the sophistication of attacks evolve. The industry will always be in an arms race to build a better mousetrap as attackers devise methods to subvert the traps over time. In a nutshell, neither the leadership we speak with nor our own observations suggest this initiative will slow down or move off the top five list in the near term.
  4. Resources remain slim and do not line up with the demand for effective controls.
    • The demand for skilled talent in cyber security has never been greater. We’ve spoken to a couple of solution providers who have a unique take on this: training programs that can develop individuals into effective cyber security analysts within 1-2 years. Accelerated training programs, coupled with trusted third-party partnerships, provide the best near-term solution to meet the demands of today’s security needs. Companies are growing tired of bidding for talent and instead look to partners to augment specific functions of their security operations, governance and compliance efforts.
  5. Information security remains an afterthought which, in turn, feeds the perception that security is a barrier to innovation and speed to market.
    • Reducing release cycle times and speed to market will continue to be top of mind for many CIOs and their business partners. Pressure will continue to build to skip past anything that could slow that process. However, the consequences of failing to catch vulnerabilities are clear: regulatory fines, reputation damage, customer data theft, and the list goes on. Over the next few years there will be emphasis on building security into the software development life cycle (SDLC). The good news is that automated testing and source code analysis tools will continue to mature, enabling their incorporation into an organization’s SDLC.

It’s clear that security executives have their work cut out for them. How will they accomplish their objectives? We believe that the answer is simple: better communication. Too often, we observe information security leaders speak a language foreign to executives, board members and peers. The result is predictable. Security leaders experience perception issues connected to a lack of credibility among those in the C-suite. Without the trust and confidence of company executives, information security leaders find themselves swimming upstream with a flimsy paddle.

Make 2017 the year that you build credibility for your program. Speaking the language of business and developing a business story around cyber security program priorities and successes are critically important to maintaining credibility. Collaborate closely with the CIO and internal audit/risk management functions to educate management and gain support for critical initiatives. Express your ideas, recommendations, and proposals in ways that engage and energize executives and board members. Use business-focused metrics to tell a compelling story. Focus on process over controls.

Secure Digital Solutions wishes our customers and all business leaders a successful and productive 2017. May you earn the credibility needed to advance your business objectives for the new year!

Contact our team to learn about methods to communicate with executives and boards of directors using our MAPP™ (Maturity Assessment, Profile and Plan) methodology, enabled by the cloud-based TrustMAPP® platform.

16 May 2016

How much information security is enough?

By Chad Boeckmann & Adam Stone
May 16th, 2016

Let’s talk about benchmarking. It’s a question our team receives from clients both large and small. When discussing our information security-focused MAPP methodology and our TrustMAPP (formerly, Accliviti) platform, our clients (and their board members) want to know how they stack up, maturity-wise, to their peers. The common belief among this audience is that benchmarking data will help answer the question “how much information security is enough?”

This approach makes sense at a certain level; knowing how mature your organization’s security program is relative to your peers seems, on its face, to indicate whether you are meeting the standard defined by your industry. Like many statistics, however, benchmarking data depends heavily on context to be deciphered. It probably wouldn’t surprise the reader that without the benefit of context, the value of benchmark data diminishes. This is especially true for a topic such as information security program maturity.

How much information security is enough? When do we find confidence that the organization has invested the right amount of time and resources to reasonably safeguard our information assets? Fair questions. Based on our experience over the last ten years, knowing your maturity benchmark provides an incomplete answer. The reason is simple: each organization is different. The diversity of organizational cultures and risk appetites within a given industry – even in highly-regulated sectors – virtually guarantees that the results of a maturity assessment will yield an interpretation unique to the organization under review.

Looking at this from a practical view, consider Bank A and Bank B (organization size doesn’t matter in this case). Let’s say that Bank A conducted an assessment that yielded an average information security program maturity score of 3 (on a scale of 1 = Low to 5 = High). Bank B underwent a similar assessment that returned a score of 3.75. Benchmarking one against the other, it appears that Bank B is more mature than Bank A. Does this mean that Bank A needs to invest more in security to catch up to Bank B?

Not necessarily. Though these two scores provide some information about the effectiveness of each organization’s information security program, they provide little insight into the culture and capacity that drive process maturity. This leads us to the core question: does knowing the maturity of your peers provide meaningful, actionable information that a security leader can leverage? Our answer is a resounding “maybe.”

We recommend that companies look inward rather than outward. Instead of focusing on how your security maturity compares to your peers, consider a more introspective approach. What are your company’s security program maturity goals? What drives these goals? How does your organization’s culture affect your ability to achieve these goals? What does it mean to score a maturity level of 3 versus 4 or 2?

Since many organizations have yet to conduct an information security program maturity assessment, we suggest that you use the results of your first assessment to set a baseline for your organization. Communicate the baseline to your executives and board members. Ask this audience to draw a line in the sand based, of course, on an understanding of organizational culture and capacity. Work to improve information security program maturity based on the goals defined by these key stakeholders. In doing so, security leaders will find that, despite constantly shifting business priorities, focusing on your own maturity goals produces far greater dividends than worrying about your peers’ security maturity.

To learn more about information security program maturity, you can request a copy of our popular white paper on MAPP (Maturity Assessment, Profile and Plan).


05 Apr 2016

Bringing Focus and Clarity to The Issue of Cyber Risks

By Christophe Veltsos, PhD
April 5th, 2016

Board directors and top leadership are under pressure to get a handle on cybersecurity risks. While the “security problem” isn’t new, it has ballooned into a top agenda item for most organizations today. On a positive note, it means that boards, management, and senior security staff are having conversations around cybersecurity risks, and how to align those with the needs of the business. However, the ongoing list of data breaches making headlines almost every day implies that those conversations are not being as fruitful as they need to be.

Establish security objectives, policies and roles.

A large gap exists between what those in the cybersecurity trenches know and what management and the board are told about those activities and projects. In today’s environment, it is no longer acceptable for a Chief Information Officer (CIO) or Chief Information Security Officer (CISO) to simply give us their “word” that security is under control. Boards and management are asking more probing questions, and it’s about time. In response, CIOs and CISOs need to better explain how money and resources are being spent. In making the case for their budgets and proposed risk mitigation activities, however, CIOs and CISOs need to steer clear of techno-babble or risk losing their executives’ and board’s attention and support.

To assist management and board directors, a Spencer Stuart article entitled Cybersecurity: The Board’s Role defined key questions for how board directors can assess their organization’s current handling of cybersecurity risks:

  1. Does management have “a clear and consistent understanding of cybersecurity relative to the business?”
  2. Does management understand its responsibility in this domain, and particularly whether management has “an adequate system of controls in place?”
  3. Is the cybersecurity budget appropriately funded?

The problem that boards and management face is understanding a topic that is fairly foreign to them, yet about which they are supposed to make decisions to ensure the continued cyber health of their organization. In the past, security leaders could ask for and receive sizeable security budgets without being able to show the impact of this funding on the organization’s ability to handle risks. In today’s environment, management and the board are eager to show not only that they are not ignoring their responsibilities to customers, shareholders, and even government watchdog agencies, but also that they understand a right-sized approach and budget to protect the business from risks.

How can management communicate to the board that it has “a clear and consistent understanding of cybersecurity relative to the business?” How can management demonstrate that it has “an adequate system of controls in place” and that the cybersecurity budget is adequately funded?

In a report entitled Cyber Risk ‐ Getting the Boardroom Focus Right, Deloitte outlined a key attribute of organizations deemed to be at the highest level of cybersecurity risk governance: that “cyber risk management and reporting become ‘business as usual.’”

How can we have engaging, challenging conversations about the organization’s cybersecurity activities? How can we make sure the topic of cybersecurity becomes part of “business as usual” for management and the board?

We shift the conversation away from individual cyber-related projects (such as perimeter defenses or antivirus) and towards an approach that is understandable, logical, repeatable, reliable, and robust. This approach exists – it’s called MAPP: Maturity Assessment, Profile, and Plan. We first group similar security controls and activities into processes, or a high-level business view of a group of related security activities (such as user access control or governance). From this perspective, an organization looks at the maturity of its security processes, and then tracks, reports, and has engaging conversations on its handling of security risks. Security management can show the C-suite that it’s doing the right things the right way. The C-suite can be on the same page, without having to go to cyber school.

For board directors and top leadership, there is no escaping from their responsibilities to tackle cybersecurity risks. What is needed is an approach that will bring focus and clarity to the discussions about cybersecurity to ensure that the right decisions are made. The organization’s future depends on it.

Don’t delay, download and read our MAPP approach today.

04 Feb 2015

Engaging the Board on Security & Privacy

A Moment of Opportunity for Security and Privacy Leaders

By Adam Stone, Privacy Practice Lead, SDS

Following numerous major security breaches in the news in 2014, corporate boards of directors are increasingly interested in understanding information security and what it means to their business. As a data security leader, use this opportunity for engaging your board of directors on information security by honing your message in a way that resonates with the board.

Given the fever pitch of breach reporting in 2014 (culminating with the recent Sony hack), data security has finally found its way onto board meeting agendas for organizations across the spectrum. This is a business moment that many have been waiting for. Ask any battle-weary data security leader who’s struggled to gain corporate credibility and visibility and they will utter an exasperated “It’s about time!”

How does a data security leader leverage the board’s newfound interest in data protection and keep members engaged for the long run?

First, a bit of introspection. Data security continues to grapple with how the organization perceives where it fits in the corporate hierarchy (and this perception is often at odds with how data security leaders believe it should fit). Traditionally, the Board has perceived data security as an IT issue, a cost of doing business rather than a contributor to strategic, sustainable growth and long-term shareholder/stakeholder value. As a result, data security topics are often bundled with operational IT matters and filtered up to the board via established proxies, such as internal audit or the chief information officer (CIO).

For years, thought leaders[i] have promoted data security as a business issue worthy of its own pulpit. Until recently though, evidence to back the truth of this claim was missing or mixed. With the Sony event, we can reflect on what happens when the board is not adequately exposed to data security topics. Sony is not alone; recent surveys suggest that a majority of corporate boards are minimally involved in cybersecurity preparedness[ii] and remain largely unprepared to deal with a security breach[iii] despite board members’ increasing interest in addressing this subject[iv].

This failure to engage boards of directors on information security is, in part, a branding problem with several causes; among them is the wonky, technocratic way practitioners communicate the benefits of safeguarding data and the reasonable solutions for making it happen. Let’s face it: data security is not a particularly sexy topic for most.

Security industry leaders risk making an already poorly-understood subject less engaging by not clearly, consistently and relentlessly communicating its purpose, objectives and goals in terms of money saved and/or money earned. Board members are rarely inspired to action with heavy-handed, compliance-focused messages and even fewer are motivated by technobabble.

Boards understand risk. They understand that risk (an inherent negative) is a key part of doing business (that’s why data security functions exist). Undesirable, or at least indifferent board perceptions of data security should be countered with positive “opportunity” messages focused on the long view. Board members want to know how data security investments will bolster (or repair) public confidence, and make the organization’s current and future products and services desirable and efficiently produced. Successful data security leaders ensure that their communication strategy lines up with the board’s needs.

To accomplish this task, simply communicate using a dashboard-like approach that reflects, through colors, the areas of the information security program that require the most focus. Use this simple concept to achieve buy-in, then deliver the answer to the inevitable follow-up question: “how much effort and capital will that take?” BE PREPARED! When engaging the board of directors on information security you will have just 3-5 slides and a maximum of 5-7 minutes. Create one slide that communicates the state of the union and subsequent slides that describe the costs of going from “red to yellow” and “yellow to green”.

For more help and information on developing an information security dashboard presentation, you may contact our team here: http://securedigitalsolutions.com/contact/

Some references worth noting for further reading on this subject:

[i] One organization assisting board members on how to address cybersecurity issues is the National Association of Corporate Directors (NACD). We recommend accessing their materials on this subject at http://www.nacdonline.org/.

[ii] “Cybersecurity: What the Board of Directors Needs to Ask.” The Institute of Internal Auditors Research Foundation (IIARF). 2014. 10 January 2015. <http://www.theiia.org/bookstore/product/cyber-security-what-the-board-of-directors-needs-to-ask-download-pdf-1852.cfm>.

[iii] “Cyber Incident Response: Are Business Leaders Ready?” Economist Intelligence Unit (EIU) sponsored by Arbor Networks. 2014. 13 January 2015. <http://www.arbornetworks.com/ciso/eiureport>.

[iv] “IT and Cybersecurity Oversight: PwC’s 2014 Annual Corporate Directors Survey.” PricewaterhouseCoopers, LLP. 2014. 13 January 2015. <http://www.pwc.com/us/en/corporate-governance/annual-corporate-directors-survey/information-technology-cybersecurity-oversight.jhtml>.

15 Sep 2014

Cyber-Risk Handbook Issued for Boards

Breaches Are Enterprise-Wide Risk Issue

By Chad Boeckmann, CEO, Secure Digital Solutions

This summer (2014), the National Association of Corporate Directors (NACD) acknowledged something we have long contended at Secure Digital Solutions: Company boards—not just IT departments—share responsibility for preventing cyber-attacks.

Prompted by a rash of high-profile breaches, which now includes Target, Michael’s, Super Valu and Home Depot, the largest association for corporate board members has acted. NACD teamed up with insurance giant AIG and the Internet Security Alliance to develop and publish security oversight guidelines for executives at the very top of American corporations.

The resulting Cyber-Risk Oversight Handbook spells out five excellent principles for boards to follow:
1. Directors need to understand and approach cyber-security as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber-risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cyber-security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
5. Discussion of cyber-risks between boards and senior managers should include identification of which risks to avoid, accept, mitigate or transfer through insurance as well as specific plans associated with each approach.

The question of “where the buck stops” is finally getting the buzz it deserves. Even the Department of Homeland Security has endorsed the guidelines. Too often, IT and security have been viewed as cost centers, rather than partners, of the C-Suite. Now that boards are advised to forge a better alliance with IT security, how will the two communicate on an issue that can be densely technical, and work together to build corporate cultures of security?

Our advice is to focus on the last two guidelines, where the rubber meets the road: Companies need to set up a healthy information security program, then systematically develop a plan to address identified risks. These are the first steps we counsel in every client engagement at Secure Digital Solutions.

The best program starts with a healthy Information Security Council with defined roles, membership, and a definition of scope. Because security is a technical, cultural, and communications issue, it’s vital that a company-wide team representing finance, human resources, marketing, and operations co-develop an information security plan and share accountability for its success.

The second priority for boards is to commission an unbiased information security program assessment—one everyone understands, including the board and the Information Security Council. Too many audit reports today are laundry lists that paralyze decision-makers. At Secure Digital Solutions, we translate assessments into a concise, one-page Information Security Dashboard that ranks priorities red, yellow or green based on their level of threat to the bottom line. With our dashboard, clients can convey the big security picture to upper-level management in a form that clarifies and motivates investment.

We applaud the Cyber-Risk Oversight Handbook. It’s a big step by the National Association of Corporate Directors. Information security professionals everywhere are grateful for leadership on a topic where corporate governance has too long been silent or shifted blame. Let’s put an end to silos and work together to protect consumers and the companies they trust.