The 6 Questions for Understanding Cybersecurity

Sep 19th 2014

Cybersecurity is no longer the domain of an organization's IT staff. It's moved to the boardroom, and in a big way. Accountants and financial managers may have been thinking it's just the province of the tech guys, but now it's a financial concern as well.

Consider: Proxy adviser Institutional Shareholder Services (ISS) has told Target shareholders to overhaul the board after last year's massive data breach. ISS recommended the ouster of seven of 10 directors for inadequate risk oversight.

In a recent report issued by ISACA and the Institute of Internal Auditors Research Foundation, titled "Cybersecurity: What the Board of Directors Needs to Ask", it's clear that board directors consider cybersecurity risk a key concern.

In the IIA's "Pulse of the Profession" 2014 survey, 65 percent of almost 1,900 respondents said cybersecurity risk was at a high level or had increased. Yet only 14 percent said they were actively involved in cybersecurity preparedness during the last fiscal year, and just 58 percent said they should be actively involved.

"This new report captures the theme on which the [Governance, Risk and Control] conference is built by inviting yet another stakeholder—the board—to become involved in accessing and mitigating cyber risks", said IIA president and CEO Richard Chambers in a prepared statement. "It provides the practical guidance that board members need to become active partners in battling cybercrime."

So what should board members do?

There are five guiding principles, according to the National Association of Corporate Directors, the American International Group and the Internet Security Alliance. Here are the highlights.

  • Approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. Require annual audits of the risk management program, conducted by an outside security company or the internal audit department. The board must monitor where risk levels are deteriorating or improving. Sarbanes-Oxley compliance provides little assurance that the security program is effective at managing cyber threats.
  • Understand the legal implications of cyber risks as they relate to the company's specific situation. Outsourcing of IT work is increasingly common, but board members need to be aware of the cybersecurity risks of using third-party service providers. Audits should be performed on the provider, and the "chain of trust" (other providers that the provider may itself use) should operate under similar agreements. Understand the data breach laws in the company's state and how a data breach is defined. Directors should know of data breach attempts made against the organization; tracking them demonstrates that the company has an effective intrusion detection and response program.
  • Have adequate access to cybersecurity expertise and discuss cyber-risk management regularly at board meetings. Meet with the chief information security officer (CISO) at least annually. The CISO is the "heart and soul" of the information security system in most organizations.
  • Directors should expect management to establish a risk management framework with adequate staffing and budget. Staffing levels depend on the risks identified for an organization. For example, security has a bigger allotment in the IT budgets in the finance and insurance industries, which are regulated.
  • Board and management discussion of risks should identify which risks to avoid, accept, mitigate, or transfer through insurance, and plans for each tactic. Review at least annually which risks were avoided and accepted. Ensure that the cyber risk insurance is adequate.

Once the board has considered the principles, directors should ask these six questions:

  1. Does the organization use a security framework?
  2. What are the organization's top five cybersecurity risks?
  3. How are employees made aware of their cybersecurity role?
  4. Are external and internal threats considered when planning a cybersecurity program?
  5. How is cybersecurity oversight managed in the organization?
  6. If a breach occurs, is there a strong response protocol?