Embed Size (px)
Citation preview
1
Educating The Board of DirectorsInfoSec SummitCentral Ohio ISSA
Bob West, Managing Director
March 29, 2016
22
Agenda
• Board of Directors Role• Historical Issues • Impact• CISO Role and Communication• Guiding Principles for The Board• Questions Boards of Directors Should Ask• Summary• Q&A
3
Board of Directors Role
• “A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole…
• It is imperative that the board not relegate the cybersecurity topic to the IT department. Directors need to take an active role in the organization’s cybersecurity or face the possibility of potential shareholder lawsuits, and even the possibility of being removed from the board. ”
Cybersecurity: What the Board of Directors Needs to Ask, Institute of Internal Auditors
44
Historical Issues
• Reporting level• Business prevention unit• Lack of clear communication• Black magic• CSO dysfunction – target on their back
55
Characteristics of a Highly Effective CISO
• Executive teams understand business value, impact to brand and image, how their investments relate to top and bottom line growth
• For Security and Risk to be effective in their roles, they need to translate security and risk into business value
• Similar to a general counsel, security and risk need to come to the table as partners and counsel the business on what risks are acceptable
• All other parts of an organization are measured on their performance and yet security in many instances is still considered black magic
• Mature security and risk organizations need to have clear metrics to help the executive team understand whether they are performing effectively or not
• A comprehensive, enterprise approach is necessary for security and risk to align with business and technology strategy
• Security and risk need to be integrated into fundamental business process
6
Guiding Principles for the Board
• Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
• Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
• Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
• Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
• Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
7
Six Questions the Board Should Ask
Does the organization use a security framework?• ISO 27001, NIST Cybersecurity Framework or 800-53 (U.S. Federal
Government comprehensive framework) COBIT framework (Governance, Risk, and Control)
• HIPAA or HITRUST (for health-care industry) • PCI-DSS for credit card acceptance (retail industry, finance
industry) • NERC, FERC (Electric Sector)
8
Six Questions the Board Should Ask
What are the top five risks the organization has related to cybersecurity? • Proliferation of BYOD and smart devices • Cloud computing • Outsourcing of critical business processes to a third party (and lack
of controls around third-party services) • Disaster recovery and business continuity Periodic access reviews• Log reviews • Advanced persistent threats
9
Six Questions the Board Should Ask
How are employees made aware of their role related to cybersecurity? • The organization should have a security awareness training
program, and each employee should be required to review the training and pass the test annually. The CEO (or other top executive) must communicate the importance of safeguarding the organization’s critical assets.
• Project Managers• Infrastructure administration• Developers
10
Six Questions the Board Should Ask
Are external and internal threats considered when planning cybersecurity program activities? • Although external incidents tend to receive more media exposure,
the likelihood of an internal incident causing a major cyber incident is actually greater than the external threat.
11
Six Questions the Board Should Ask
How is security governance managed within the organization?• Understanding the three lines of defense as they relate to the
organization is important. There can be a gray area of security governance between the CISO and internal audit. It is important for the board to understand how the governance activities of the CISO complement those of internal audit.
12
Six Questions the Board Should Ask
In the event of a serious breach, has management developed a robust response protocol? • Incident response program• Crisis management program• Crisis management team and their responsibilities
1313
References
• Cybersecurity: What the Board of Directors Needs to Ask, Institute of Internal Auditors
• National Association of Corporate Directors• Information Security Governance: Guidance for Boards of
Directors and Executive Management (ISBN 1-933284-29-3)
