
Operations

6/15/2016 11:30 AM
Chris Veltsos
Commentary

What CISOs Need to Tell The Board About Cyber Risk

To avoid devastating financial losses, boards and the C-suite must have a deep understanding of the cyber risks their organizations face. Here's what they need to hear from the security team.

There should be little doubt about cybersecurity’s importance in 2016 given the amount of attention the topic has garnered in the past decade. Board directors and top leadership are under pressure from all sides: from federal and state regulators, from business partners seeking to tackle third-party vendor cyber risks, and from shareholders and their class-action lawyers ready to sue the moment a breach is announced.

The SEC’s leadership has been crystal clear about the responsibilities of board directors for proper cybersecurity governance. In his 2015 ABSPE speech, SEC Commissioner Luis A. Aguilar put it very clearly: “In the end, boards have a fiduciary responsibility to ensure that they possess the necessary skills, experience, and judgment to be competent stewards of their companies.”

At the New York Stock Exchange on June 10, 2014, Aguilar had also declared that “board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation, and engagement on cybersecurity issues.”

For those still needing convincing, “Chapter 8: The risks to boards of directors and board member obligations” of the New York Stock Exchange’s book, “Navigating the Digital Age,” contains dire warnings for directors about their obligations and responsibilities for adequate governance of cybersecurity risks.

Board directors have a fiduciary responsibility for cybersecurity. So the question is no longer whether board directors should do something about cyber risks, but instead what should board directors do to not only show that they are governing in this area, but also demonstrate that they are making the most effective decisions to ensure that cybersecurity risks are within acceptable levels.


How are board directors supposed to make the best possible decisions about cyber risks when the information they receive is full of technobabble about attacks, firewalls, malware, and the like? How are board directors to be adequately prepared, to have adequate deliberations, and adequate engagement on cybersecurity issues if the information reported to them doesn’t translate into the business impact of various risks? How can they make use of a subjective top-5 or top-10 list of cyber risks the organization is currently facing, or worse, a laundry list of color-coded controls that belongs in a risk register better suited for auditors?

Are Cyber Risks Adequately Reported?

If oversight of cybersecurity risks has become a strategic business issue, how are board directors supposed to oversee this issue if it isn’t translated and related to areas of the business? As a Deloitte report on risk puts it, “Is my Risk team giving me the confidence I need to make high-stakes decisions?” Based on a recent report by Bay Dynamics, the reality on the ground is far from that goal. The report found that “only two in five IT and security executives agree or strongly agree that the information they provide to the board contains actionable information. As a result, only 29 percent of respondents believe they get the support they need from their boards.”

Risks, Quantified

A quantitative approach to measuring and reporting cybersecurity risks can empower the board and top management to make well-informed cyber risk decisions. By relying on cyber risk data in financial terms, boards can ensure that they are properly informed and understand cyber risks, and thus ensure that the organization is making cost-effective decisions regarding its handling of cyber risks. In other words, board directors, armed with quantified cyber risk data, can make a strong statement about their oversight of this critical domain.

While this concept is relatively new in the cyber area, financial institutions and insurers have relied on risk quantification for decades. Using “Value at Risk” (VaR) to measure cyber risks is a concept whose time has come. In 2015, the World Economic Forum (WEF) released a special report entitled “Partnering for Cyber Resilience — Towards the Quantification of Cyber Threats.” In the report, the WEF describes that cyber value-at-risk models are “characterized by generic applicability across industries, scalability, ease of interpretation and ability to support executives’ investment and risk management decisions. Building the complete cyber value-at-risk model and having a comprehensive outlook on the organization’s assets under threat, organizations can also make decisions with regard to the appropriate amounts of investments in security systems.”

Similarly, Deloitte, in its CIO Journal section of the Wall Street Journal blog, writes that “cyber value-at-risk ultimately seeks to help them make more informed, confident decisions about their organizations’ risk tolerances and thresholds, cyber security investments, and other risk mitigation and transfer strategies.”

A standard cyber Value at Risk model has since emerged (FAIR, Factor Analysis of Information Risk). To ensure that board directors are provided with actionable data about cyber risks, organizations should look for a quantified cyber risk solution that can:

  • Quantify cyber risk in financial terms
  • Understand where cyber risks are concentrated to be able to quickly focus on high risk areas
  • Assist the organization in prioritizing areas where cyber risks can be quickly reduced
  • Visualize the impact of cybersecurity initiatives (amount of risk reduced/shifted, impact on exposure surface)
  • Assess the efficacy of cyber risk programs by comparing to previous time frames (last quarter versus last year)

Such a platform would provide board directors with the necessary skills, experience, and judgment to be competent stewards of their organizations’ cyber risks. This would also ensure that boards, together with management, can properly prepare for, properly debate, and properly engage on cybersecurity risks. Ultimately, it would give board directors the confidence they need to make the high-stakes cyber risk decisions that are so critical to the business today.
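To make the Value at Risk idea concrete, here is an added illustration (not from the article, FAIR, or any vendor platform) of a FAIR-style Monte Carlo estimate: loss event frequency and loss magnitude are each given as a (min, most likely, max) range, thousands of years are simulated, and the 95th/99th-percentile annual loss is reported in dollars, alongside the risk reduction a control is expected to deliver. The scenario inputs, the "pre-MFA"/"post-MFA" names, and the coin-flip approximation of event counts are all constructed assumptions.

```python
# Added illustration (not from the article): a FAIR-style Monte Carlo cyber
# Value-at-Risk estimate. All scenario inputs below are constructed.
import math
import random
from dataclasses import dataclass

@dataclass
class Scenario:
    name: str
    lef: tuple        # (min, most likely, max) loss events per year
    magnitude: tuple  # (min, most likely, max) loss per event, in USD

def simulate_annual_losses(scn, trials=10_000, seed=7):
    """Return one simulated annual loss total per trial, sorted ascending."""
    rng = random.Random(seed)  # fixed seed so board figures are reproducible
    lo_f, ml_f, hi_f = scn.lef
    lo_m, ml_m, hi_m = scn.magnitude
    totals = []
    for _ in range(trials):
        # Draw this year's expected event rate; the fractional part becomes
        # one extra event with matching probability (a Poisson simplification).
        freq = rng.triangular(lo_f, hi_f, ml_f)
        events = int(freq) + (1 if rng.random() < freq - int(freq) else 0)
        totals.append(sum(rng.triangular(lo_m, hi_m, ml_m) for _ in range(events)))
    return sorted(totals)

def value_at_risk(sorted_losses, confidence):
    """Annual loss not exceeded in `confidence` share of simulated years."""
    idx = math.ceil(confidence * len(sorted_losses)) - 1
    return sorted_losses[max(idx, 0)]

def summarize(scn):
    """Board-ready figures: expected annual loss plus 95% and 99% VaR."""
    losses = simulate_annual_losses(scn)
    return {"name": scn.name,
            "expected_loss": sum(losses) / len(losses),
            "var95": value_at_risk(losses, 0.95),
            "var99": value_at_risk(losses, 0.99)}

def risk_reduction(before, after):
    """Period-over-period comparison: dollars of risk a control shifted."""
    b, a = summarize(before), summarize(after)
    return {k: b[k] - a[k] for k in ("expected_loss", "var95", "var99")}

# Constructed scenario: credential-theft losses before and after an MFA rollout.
BEFORE = Scenario("pre-MFA", (0.5, 1.2, 3.0), (50_000, 300_000, 2_000_000))
AFTER = Scenario("post-MFA", (0.1, 0.4, 1.0), (50_000, 300_000, 2_000_000))
```

Calling `summarize(BEFORE)`, `summarize(AFTER)` and `risk_reduction(BEFORE, AFTER)` yields the three numbers a director can act on: expected loss, tail loss at a chosen confidence, and how much of each a proposed investment removes.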


Chris, aka Dr.InfoSec, is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Whether performing information security risk assessments, working alongside CIOs & CISOs ...

Comments
BobChaput, User Rank: Apprentice, 6/19/2016 | 9:34:26 AM
Very well done - What CISOs Need to Tell The Board About Cyber Risk
Chris, we share the same passion about cyber risk management.  You did a great job with this article; thank you for your insights.