Former DHS secretary says corporate boards must manage risks and expectations
Data breaches in the enterprise are no longer just a minor irritant. They have become a fact of life, a situation that brings renewed focus to the role that boards of directors should play in a company’s cybersecurity strategy. But the challenges facing corporate boards are also tough, because the reality of today’s cybersecurity world is that building a secure perimeter around information technology infrastructure simply doesn’t work anymore. Intruders are going to get through, so the strategy becomes one of risk mitigation: being prepared to handle breaches when they occur. This is the kind of message that chief information security officers are bringing to their boards.
Michael Chertoff, former secretary of the Department of Homeland Security and co-founder and executive chairman of The Chertoff Group LLC, put it this way: “You’re managing the risk, and you’re not guaranteeing that nothing bad will happen. That sense of managing expectations is critical for the board.”
The Chertoff Group recently conducted a study based on interviews with more than 100 senior executives. The study showed that large, public U.S. companies in the critical infrastructure sectors (finance, healthcare and telecommunications) were well-versed in cybersecurity practices. But directors for companies outside of those critical sectors self-reported that they were not where they should be on cybersecurity education. And their companies, more often than not, did not have the kind of robust plans and knowledge to deal with the rising threat landscape.
“I really sympathize with small and medium enterprises which simply don’t have the money to invest in terms of building up a whole standalone security system,” said Chertoff, who described alternatives such as outsourcing security functions to managed intelligence and information services. “Even if their heart is in the right place, they just don’t have the scale to do what a major bank can do in terms of an operations center.”
This dilemma will force corporate boards to examine security options in much the same way that a patient manages his or her own health. “You don’t go to a doctor and say, ‘I want you to guarantee I’ll never get sick,’” Chertoff explained. “The doctor would throw you out of the office, or they’d have you committed.” Instead, the focus should be on how to build a healthy immune system to repel and eliminate attacks. “If the board wants to understand what are the most important parts of our corporate body we have to protect and how to build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough,” said the former DHS Secretary.
That level of investment has become a key focus of board-level cybersecurity discussions and is leading many executives to talk openly about the correlation between IT spending and reduced business risk. Boards know they must protect the company, but they need guidance from the CEO or CISO on where to make the best investment in technology.
Reference: Security Management Magazine