Rob Swystun, Pristine Advisers
Cybersecurity is something that companies can’t think and talk enough about. Just when you’re getting sick to death of hearing about cyber vulnerabilities, the conversation is only getting started.
Recently, the National Association of Corporate Directors brought together Suzanne M. Vautrinot, a retired U.S. Air Force major general who was commander of the 24th Air Force, Air Forces Cyber, and Air Force Network Operations, and who currently sits on three different corporate boards, and Mary Ann Cloyd, the leader of PricewaterhouseCoopers’ Center for Board Governance, to talk about cybersecurity.
First off, Vautrinot, who sits on the boards for Symantec, Ecolab, and the private engineering, construction, and services company Parsons Corp., identified three different kinds of cyber risks:
- human error,
- system vulnerabilities, and
- direct attacks.
The first two represent the greatest risks and apply to all businesses, she said. Fortunately, they can be addressed with policy changes and technology upgrades.
The third is a targeted attack by someone specifically after your business or sector. Based on your business, geography and other factors, you’re going to look at these threats differently.
How you consider cyber risks will be influenced by how dependent your business is on network and automated systems, and what parts of your business are dependent on them.
“An R&D organization, a manufacturer, a retail company, a financial institution, and a critical utility would likely have different considerations regarding cyber risk,” Vautrinot said.
The first step in addressing cyber security issues is having the company’s network managers conduct an investigation into how the company’s network is actually being used by employees.
“This gives them situational awareness and an ability to see what’s happening,” Vautrinot said. “Then management can have a conversation with network managers about what behaviors are acceptable and what are not. Network managers should have the authority to drive policy and see if that policy is being accepted.”
Once you have this information, the next step is to be able to talk about cyber risks comfortably, and this means making sure directors understand the risks in their own terms. Although every company will be having a unique discussion about cyber security, some common themes the retired Air Force major general sees on the boards she sits on are:
- appropriate organizational structure,
- security of systems,
- financial controls,
- employee/vendor interface considerations,
- security of intellectual property and resilience of corporate data and processes,
- information security, and
- protecting confidentiality.
Conversations around cyber security in a company that provides cyber security solutions would likely center on the growing technical capability of hackers and how the company can mitigate those threats for its clients. A company that builds major infrastructure would have to consider vulnerabilities in the control systems for bridges, dams, etc., and a company with extensive research and design would want to talk about how best to protect its intellectual property.
Vautrinot suggests bringing in outside experts to help facilitate conversations about cyber security risks, but even while doing this, it’s important to make sure everyone understands the risks and the onus is on directors themselves to make sure they do.
With other concerns, boards will bring in outside advisors that have the core competencies to address whatever issue the company is having. Cyber security is much the same way. Vautrinot points out that many cyber risks stem from technology that was designed to do a specific thing — perhaps enabling smoother communication or marketing (and probably at the cheapest cost) — that someone has found a way to exploit.
Really, cyber security risks are essentially the same as other business risks, Cloyd points out. It’s just that the technology is different.
“Cyber security is like other risks,” Cloyd said, “so don’t be intimidated by it. Just put on your director hat and oversee this as you do other major risks.”
The only things that are different for a board addressing cyber security are the expertise it brings in and the slightly different technology the conversation may involve. Otherwise, the board and management need to ask questions and make sure they understand everything, just as they would with any other risk.
“Demand that the answers be provided in a way that you understand,” Vautrinot explained. “Continue to ask questions until you understand, because sometimes the words or the jargon get in the way.”
Often, because cyber security usually isn’t a core competency for a company, it is loath to spend a lot of money on it. However, while cyber security may not be central to what many companies do, it’s often foundational to whether their systems can operate at all. Cyber security is integral to their operations and ultimately to their success, so it may require enterprise-wide adjustments.
This is what Vautrinot calls a prioritization dilemma, and a potential source of tension between the board and management.
Policy & Culture Shift
However, it’s not all about money.
It’s also about policy changes, authority and what employees are allowed and enabled to do, Vautrinot says.
“You start to talk about things like BYOD [bring your own device] and mobile systems, and emailing from home into the corporate account or emailing from the corporate account so that you’re able to work at home, and that raises new levels of concern,” she said.
Among the first questions a board member has to ask, Cloyd says, are: does the company have the right organizational structure, and what systems are connected to the network?
Along with a potential expenditure of resources and a change in policy, there will also need to be specialized training and considerations about how to measure or observe that there has been a successful change in behavior.
Many employees like the flexibility of bringing their own device and connecting to the company network from home. If that raises undue risk for the company, however, it may have to put a stop to the practice, and it will then need a way to tell whether people are actually complying with the new policy.
Internal vs External
Often, when considering cyber security, a company will require new expertise or capabilities, and the board and management will have to decide whether they want to train people within their own organization or engage a third party that has that expertise and those capabilities as its core competencies.
It’s a matter of trust.
“That decision about internal versus external is tough for some companies, because you know who’s on the inside and whom you’ll trust,” Vautrinot said, “but it may be advisable to trust someone else.”
From the Top Down
Vautrinot also suggests that when making a cultural shift within the company toward a focus on cyber security, the shift needs to start at the top, to demonstrate resolve and to facilitate more rapid adoption.
After establishing and nurturing the new focus, it can then be devolved back into the more standard structure and become an execution responsibility at all levels.
Adopting a focus on cyber security may also be disruptive, she warns. Employees who are used to bringing their own devices or using their own home computers for work may take some time getting used to the new system if they are no longer allowed to do that.
“When you start to implement those kinds of policies, you have to make sure everyone’s on board, and that means from the C-suite on down,” she said.
Employees in many organizations don’t feel personally responsible for cybersecurity, Vautrinot said, believing instead that it’s the CIO’s or IT’s job.
Cyber security is obviously not a fad. It’s something that everyone has to live with and be cognizant of in their personal lives and it’s something companies have to proactively take steps to address, not in one department or with one group of people, but enterprise-wide.