The exponential growth of cyber risk has impacted roles for the CISO and the CEO, among others, but it has also left board members a little in the dark when it comes to understanding the risks associated with cybersecurity.
The National Association of Corporate Directors, NACD, who represents 88 percent of the Fortune 1000, recently released a Cyber-Risk Oversight Handbook. In an effort to set standards for corporate board leadership, they surveyed corporate board members and found that only 11 percent of today's directors have a high understanding of cyber risks.
As a result, the NACD decided that perhaps it is time to revaluate how they look at cybersecurity from a corporate board's perspective. In addition to the handbook, NACD partnered with Ridge Global, and the CERT Division of the Software Engineering Institute at Carnegie Mellon University to create an online learning platform for board members.
The NACD Cyber-Risk Oversight Program for corporate directors, confers the CERT Certificate in Cybersecurity Oversight, intended to increase cybersecurity literacy as well as educate boards on their role in overseeing the company's cyber preparedness.
Former Gov. Tom Ridge, chairman of Ridge Global and former US Secretary of Homeland Security, said that the extent of the issue stems from the majority of board members not having a full appreciation of the range of risk and the different kinds of malware that can impact the business.
"They need to deal with financial risk, but the 21st century risk is digital, and many of them don't understand how vastly their reputation or profitability can be impacted," Ridge said.
Because malware changes all the time, the risk gets worse and worse every day. "Joining together with the standard setters (NACD), we’re going to improve their understanding of the risk, whether it's nation states, hacktivist, or who has access to what in their infrastructure," Ridge said.
More and more, conversations involving cybersecurity are intertwined with governance, risk, and compliance. Where technology had traditionally been cordoned off, the entire organization now needs to be risk aware in order to more effectively do their jobs.
The board of directors can no longer rely on reports from executives in order to make decisions that directly impact their share holders. They need to know not only how much money needs to be spent, but -- more importantly -- how to best invest those resources.
"It’s not just the money they invest but where they are investing it," Ridge said. "It’s an awareness that the malware changes. What kind of digital requirements do they have of their suppliers? Do they limit access within the enterprise? What are the risks, their greatest vulnerabilities? Who are the actors? They need to understand how to be matching resources with needs."
[ ALSO ON CSO: Should your board of directors include a cybersecurity expert? ]
Hundreds of millions of dollars are still being lost because of hacks, which suggests that just because an enterprise spends millions doesn’t mean that money is well spent. Ridge said, "If you give board members a place to be able to ask questions about malware, regulators, threats, incident response, and disaster recovery, they can make informed decisions."
The board members have a responsibility to provide efficient and effective governance, but Ridge said, "Not enough attention has been paid to the digital realm and the level of risk."
Tom Ridge, former US Secretary of Homeland Security
In this online platform, participants are informed about the types of questions they need to ask, and the 20-hour program culminates with their watching a simulation of a cyber crisis.
The catalyst for this CERT, said Ridge, has been NACD because they set the standards for responsible board leadership. "They look at boards of directors, shareholders, regulators and hold them accountable. The goal is to reduce risk to the business. NACD decided that cyber risk needs to be a part of the boards’ agenda," Ridge said.
Peter Gleason, CEO of NACD, said the digital world is a very rapidly changing environment as it pertains to cybersecurity. "Most board members are not technologists themselves. They may understand the risks, but they may not be as comfortable with the lexicon and key issues. That’s where the whole uncomfortableness comes from," Gleason said.
For those who haven't had the in-depth training around technology issues, playing catch up seems like a formidable task given that even if they learned the technology now, two years from now, it may not be relevant.
The roles of everyone from the CISO or the CTO to the directors have also evolved because of a need for a common language. "When the CISO or CTO is talking about the steps a company has taken in technology to secure key assets, they tend to speak a different language than most people speak," Gleason said.
The language of risk is becoming more common across all facets of the enterprise so that the conversations are not about why they are using an application in this fashion. Gleason said, "Unless you’re steeped in that, you don’t know whether 6 million or 3 million is the right answer."
Risk-centric conversations are morphing the language of technology and attacks in a way that is comprehensible for different players across the field. Understanding the risks of cybersecurity means understanding how technology changes risk so that everyone knows how the enterprise is securing its assets.
"The board members oversee the management of the organization," said Gleason. "Because cybersecurity is a relatively new field, they may not know the right questions to ask. That's why the beginning section of the course is designed around cybersecurity."
Before they even get into the oversight, the participants are presented with the issues and the key elements they should be able to talk about. "They have to be able to ask the right questions to address cyber risk as they would geopolitical issues or fraud," Gleason said.
Many companies make the mistake of thinking they have nothing of value to anyone else. "They don't know what a criminal is after. A hacker might not get customer data, but he can go after their marketing information. People don’t realize the information they have that may be of value," Gleason said.
The CERT program offers a baseline understanding of key issues in cybersecurity to help directors better understand the security systems they need to put in place which will allow them to provide more effective oversight on how to prepare for incidents as well as the responses they should expect should a breach occur.
"It’s not a question of whether they’ve been hacked. They have. It's whether they know it or not. The bad guys are already in their system. Every company is vulnerable," Gleason said.
Recognizing this reality has created a market demand for programs like this that are directly geared toward board members who are hungry to understand more about cyber as a business risk.
"The circumstances over the last three to four years have raised awareness. As companies have watched their peers go through breaches, they all recognize that their understanding of cyber is not where it needs to be," said Gleason.