A board should take ultimate responsibility for oversight of its organization's cyber risk and resilience, says a new security toolkit for directors from the World Economic Forum.
Issued last week at the annual conference of business and political leaders in Davos, Switzerland, it gives boards another tool to help guide them in strengthening their organization's cyber security.
The 39-page document, developed in partnership with Hewlett Packard Enterprise and the Boston Consulting Group, lists 10 principles boards should adopt, including:
–ensuring one corporate officer is accountable for reporting on the organization’s capability to manage cyber resilience and progress in implementing cyber resilience goals;
–ensuring that management supports the officer accountable for cyber resilience by the creation, implementation, testing and ongoing improvement of cyber resilience plans;
–ensuring that management integrates cyber resilience and cyber risk assessment into overall business strategy and into enterprise-wide risk management;
–annually defining and quantifying business risk tolerance relative to cyber resilience and ensuring that this is consistent with corporate strategy and risk appetite;
–holding management accountable for reporting a quantified and understandable assessment of cyber risks, threats and events as a standing agenda item during board meetings;
–and ensuring that a formal, independent cyber resilience review of the organization is carried out annually.
For each principle the report helpfully lists a number of questions board members can ask themselves to reach decisions.
The report also includes the forum’s updated cyber risk assessment framework a board can use to periodically check on risk as reported by the executive team. (Risks might include, for example, loss of integrity and accountability of financial data.)
As Internet technology spreads there is “an urgency that cannot be ignored” to manage cyber risk, wrote Rick Samans, a member of the forum’s managing board, in the report. “In the coming years, several billions of everyday devices will be connected. As our virtual and physical worlds merge, the stakes are increased.
“This will require two things: 1) a significantly increased number of organizations adopting, sharing and iterating current leading practices; and 2) cross-sectoral collaboration to develop the new practices that will be required to deal with the unique attributes of managing cyber risks of physical assets. The second will be difficult without an informed body of leaders leveraging common tools and language.”
To effectively deal with cyber challenges, organizational leaders need a mindset that goes beyond cybersecurity to build a more effective cyber strategy and incorporate it into overall strategic thinking, the report emphasizes.
“Cyber resilience is more a matter of strategy and culture than tactics,” says the report. “Being resilient requires those at the highest levels of a company, organization or government to recognize the importance of avoiding and proactively mitigating risks. While it is everyone’s responsibility to co-operate in order to ensure greater cyber resilience, leaders who set the strategy for an organization are ultimately responsible, and have increasingly been held accountable for including cyber resilience in organizational strategy. For businesses, this means that cyber strategy must be determined at the oversight board level.”
Speaking only about cybersecurity is insufficient if the challenges of digitalization are to be effectively met. Protection is important, but organizations must also develop strategies to ensure durable networks and take advantage of the opportunities that digitalization can bring.
To buttress its argument the report notes the October 2016 distributed denial of service (DDoS) attack on the U.S.-based domain name system provider Dyn, which blocked access to a number of Web sites.
The authors blame in part "junior" managers, who did not discuss the risks before deciding not to spread resources across a number of DNS providers and instead relying on Dyn alone for DNS resolution. The report also blames hardware makers for not hardening the Internet of Things devices that were leveraged in the attack.
If decisions like these aren't set at the governance level an enterprise cannot ensure its own cyber security or resilience, concludes the report.
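The single-provider dependency the report singles out is something a security team can check mechanically before it becomes a board-level surprise. The following Python script is an added example, not code from the WEF report or its authors: given a zone's NS records, it groups the nameservers by operator and flags a zone whose delegation rests on one provider. The operator patterns for Amazon Route 53 and Dyn, the short public-suffix list, and the sample record sets are assumptions constructed for this illustration.

```python
"""
Flag a DNS zone whose delegated nameservers all belong to one provider.

Added example (not from the WEF report). Two things a naive count of NS
hostnames gets wrong, and which this script handles:
  - one operator often spreads its nameservers over several TLDs
    (Route 53 uses awsdns-NN.com/.net/.org/.co.uk), which would inflate
    the provider count if grouped by domain alone;
  - a registrable domain under a multi-label public suffix such as
    example.co.uk is three labels, not two.
"""
import re
from collections import defaultdict

# Assumption: nameserver naming patterns of well-known operators. Extend as
# needed; anything unmatched falls back to the registrable domain.
KNOWN_PROVIDERS = (
    (re.compile(r"(^|\.)awsdns-\d+\.(com|net|org|co\.uk)$"), "Amazon Route 53"),
    (re.compile(r"\.dynect\.net$"), "Dyn"),
)

# Assumption: minimal set of multi-label public suffixes. For production use,
# load the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "co.nz"}


def normalize(hostname):
    """Lower-case and strip the trailing dot that `dig` prints on FQDNs."""
    return hostname.strip().rstrip(".").lower()


def registrable_domain(hostname):
    """Approximate the registrable domain of a hostname (example.com, example.co.uk)."""
    labels = normalize(hostname).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def provider_of(hostname):
    """Map a nameserver hostname to an operator label."""
    host = normalize(hostname)
    for pattern, name in KNOWN_PROVIDERS:
        if pattern.search(host):
            return name
    return registrable_domain(host)


def provider_concentration(ns_records, minimum_providers=2):
    """Group NS records by operator and report whether the zone is single-homed."""
    by_provider = defaultdict(list)
    for ns in ns_records:
        by_provider[provider_of(ns)].append(normalize(ns))
    return {
        "providers": {name: sorted(hosts) for name, hosts in by_provider.items()},
        "provider_count": len(by_provider),
        "single_point_of_failure": len(by_provider) < minimum_providers,
    }


# Constructed sample NS record sets (as `dig +short NS <zone>` would print them).
SINGLE_PROVIDER = [
    "ns1.p09.dynect.net.", "ns2.p09.dynect.net.",
    "ns3.p09.dynect.net.", "ns4.p09.dynect.net.",
]
DUAL_PROVIDER = [
    "ns1.p09.dynect.net.", "ns2.p09.dynect.net.",
    "ns-123.awsdns-45.com.", "ns-678.awsdns-90.net.",
]
ONE_OPERATOR_MANY_TLDS = ["ns-1.awsdns-01.com.", "ns-2.awsdns-02.net.", "ns-3.awsdns-03.org."]

if __name__ == "__main__":
    for label, records in (("single", SINGLE_PROVIDER),
                           ("dual", DUAL_PROVIDER),
                           ("route53-only", ONE_OPERATOR_MANY_TLDS)):
        report = provider_concentration(records)
        status = "SINGLE POINT OF FAILURE" if report["single_point_of_failure"] else "ok"
        print(f"{label:13s} providers={report['provider_count']} {status}")
        for name, hosts in report["providers"].items():
            print(f"    {name}: {', '.join(hosts)}")
```

To run it against a real zone, feed in the output of `dig +short NS example.com`. Two caveats: the check only sees the delegation, so a second provider that is listed at the registrar but not actually serving an up-to-date copy of the zone still leaves you exposed, and the pattern table is only as good as you keep it.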
The report also makes it clear that the board's decisions on risk tolerance levels have to be made with the executive team. Only then can the board evaluate the appropriateness of risk mitigation strategies, such as controls aimed at staff (for example, employee training), organizational/procedural controls (for example, contractual provisions, policies, governance and sharing of intelligence across industries), and technical controls (firewalls, intrusion detection and so on).
The report also lists frameworks organizations can use for risk assessment, such as the ISO/IEC 27000 series of standards, the Control Objectives for Information and Related Technologies (COBIT) by ISACA, an association of information systems auditors and controllers, and the Special Publication 800 series by the U.S.-based National Institute of Standards and Technology (NIST).
The WEF cyber resilience framework "is an important building block, but still just the first step towards implementing operationalized defenses against cyber security risks," said Torsten George, vice-president of global marketing and products at RiskSense. "Ultimately, a proper oversight program can help companies streamline board reporting, integrate multi-department activities required to mitigate operational cyber risks, and ensure that reasonable security protocols and procedures are in place. Furthermore, it can help all stakeholders gain a better understanding of what assets might be at risk, how to estimate potential losses, and how to mitigate threats using new security practices, investments, and cyber security insurance."
It pushes cyber risk management over cyber security, he also pointed out, “which progressive security professionals have proven to be the approach that provides the biggest probability in finally being able to stand up to today’s sophisticated cyber adversaries. Only when organizations contextualize internal security intelligence with external threat data and then correlate the findings with business criticality are they then able to focus on the needles in the haystack and assure timely orchestration of remediation.”