The Boardroom Needs To Take Cyber Seriously



Dan Gunderman
03/01/2018

On Feb. 21, the U.S. Securities and Exchange Commission (SEC) released updated guidance on breach disclosure policies for publicly traded companies – updating verbiage that had been in place since 2011.

This update, coupled with the imminent rollout of the General Data Protection Regulation (GDPR) in the European Union (affecting those handling EU data) and other global measures on disclosure, has made governance, risk management and compliance (GRC) an unquestionably crucial topic. Enterprises with lax security controls could be subject to class action lawsuits or penalizing measures from the SEC.

The issue is compounded by the evolving threat landscape, sophisticated solutions on the market and an overabundance of malicious actors.

This melting pot of security variables creates a complex and expansive ecosystem. Today’s chief information security officer (CISO), then, has a lot on his or her plate. With guiding frameworks laying ground rules for bolstered security postures, and international law ramping up security efforts within the enterprise, security and IT duties now extend beyond the sole purview of the CISO.

For example, stipulations of the SEC’s new guidance suggest that outside entities – brokers, dealers, investment advisers and others – require notification of a security breach. Another focus says that board directors and company executives must review controls and procedures so that disclosure is properly administered. This also applies to companies that may be at risk but have not experienced a cyber-attack. Further, should there be any foul play with regard to the breach notification, financial penalties could ensue.

Because of this new document – and various other headlines and analysis – it’s clear that IT and security issues now expand beyond the security operations center (SOC). One could argue that at a base level, line-of-business and C-level executives are just as important to “sound” security posture. Further, the wider employee base is equally crucial. This means education and awareness for both incident response and general guiding principles must flow evenly from the CISO to the board and to the ground floor.

Board directors, specifically, must ensure that the right disclosure controls and procedures have been implemented. Yet, how can board members spearhead security initiatives if they don’t have the proper technical or overarching cyber knowledge? This is why governing documents and the NIST Framework are key to progress in the cyber space – they’re notifying mechanisms that remind the CISO or the C-Suite to be diligent.

In the case of an incident, the responding team as well as the board must be duly informed, so that all stakeholders can be notified appropriately. But with the old ways of “shadow IT” and the security silo, how can information flow seamlessly across departments and to stakeholders? It’s impossible. In the ways of “new” IT, executives and board members across the spectrum must be intimate with the security protocols in place.

What’s more, the SEC has said that the board of directors must also be involved in risk oversight, meaning the directors must now communicate regularly with the C-Suite to facilitate business growth and sound perimeter defense.

According to IBM’s Security Intelligence, the new SEC document could prompt boards to review a CISO’s standing within the organization, as well as the enterprise risk management (ERM) framework.

This increased level of discourse will likely mean that the CISO role also gets bolstered, or intensified, as CISOs are tasked with translating security risks to the board. Moving forward, it could also mean increased contact with chief risk officers (CROs), to ensure that the profile is fleshed out accordingly.

On the new guidance, SEC Chairman Jay Clayton said in a statement, “I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cyber security risks and incidents, resulting in more complete information being available to investors.”

He continued: “In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

Conversely, the conversation has also helped keep afloat the continued argument for a more interconnected security operation within the enterprise.

Outside of the board and the CISO, the chief financial officer (CFO), specifically, may be called upon for heightened IT and cyber security activity. This comes with the territory of digital transformations, ongoing migration to the cloud and the unforgiving threat landscape.

In fact, according to a survey from McKinsey & Company, CFOs are taking a larger role in IT operations – 38% of respondents indicated they have IT responsibilities. Some of these CFOs manage cyber security and digitization. This means that as the CISO role evolves and becomes communicative, so too does the CFO, whose budgetary control could spell success or doom for the enterprise.

Essentially, today’s cyber security ecosystem demands due diligence from everyone, from the employee base to the CISO to the board of directors. This dynamic will continue to solidify as well.
