Board Engagement in Cyber Risk Management – NACD BoardVision
One of the key factors that sets companies with the highest performance on cyber risk management apart from the rest is a board that is deeply engaged in dialogue with management on cyber risk issues. NACD Director of Strategic Content Development Robyn Bew sits down with Scott Laliberte, a managing director with Protiviti, to discuss how best to ensure your board is properly engaged.
Robyn Bew: Welcome to NACD BoardVision. I'm Robyn Bew, Director of Strategic Content Development at NACD. We're talking about cyber risk oversight today with Scott Laliberte, Managing Director at Protiviti. Scott, thanks for joining us.
Scott Laliberte: Thank you for having me.
Robyn Bew: So let's start with a look at some of the results from Protiviti's IT security and privacy survey that came out recently. Can you talk a little bit about what you found that differentiates the top performers, so the companies that really have some of the strongest core information security practices?
Scott Laliberte: Absolutely. This year's results were very similar to last years, and the key differentiating factor was clear in both years. That key differentiating factor was having high board involvement. Organizations with high board involvement scored higher across all aspects of the survey, specifically including the key ones of identifying the crown jewels or knowing where your key data and risks are, having effective security policies, and being able to detect, respond, and prevent a breach.
Robyn Bew: So how does active board engagement in these cyber issues, how does it translate into better cyber readiness at the management level?
Scott Laliberte: Having the high board involvement is a key to getting the support and investment that's needed to combat cyber risk. It's an expensive endeavor. It requires a lot of money and resources to do it properly and effectively. Without that board involvement, you have a lot of trouble securing those resources.
Robyn Bew: In the survey findings, you also saw some differences between results from larger and smaller cap companies, and we actually saw this as well in our own public company governance survey where, what we call the cyber risk knowledge gap, was definitely bigger at smaller cap companies. So, what if you have any thoughts or recommendations for -- if you're a board member on a smaller cap company, what are some things you can do?
Scott Laliberte: Smaller cap companies, like all companies, really need to look at what is their cyber risk? You know, there's a risk of overinvesting and over-focusing on cyber risk when there may be other enterprise risks that need to be looked at. I often find smaller companies may have, and the keyword is may have, a lower-risk profile. For example, we had -- I had one client that had a trucking company, and through discussion with him, I started talking about what his risks really were. Did he have a lot of personally-identifiable information about his customers? The answer was no. Did he have any critical information about the goods that they were shipping that would be embarrassing or cause financial damage? And the answer was no. Payroll was outsourced to a third part, and when we got down to it, they had very little cyber exposure. So you really got to know what your risks are. Now, on the flip side, if you do have cyber risks, you need to recognize the limitations that you probably do not have the skills and expertise in house to properly combat this, and then you need to look for outside resources to help, and help design sustainable processes. Too often the controls are designed that require a lot of resources and expertise in house, and the smaller companies don't have the ability to do that, so, looking where they can outsource key functions, like outsourced monitoring or outsourced critical high-risk functions, like acceptance of credit cards or processing of other financial transactions. Those would be the key things for the small businesses to look at.
Robyn Bew: Particularly, in the survey, you also found some kind of concerning or disturbing trends around data security and data leakage policies. Can you talk a little bit about that? What you found?
Scott Laliberte: It's actually been a two year trend. We found the same in 2014 and even a further decline in 2015, and the lack of confidence that organizations have, and their policy's ability to prevent data leakage. What can the boards do? It's really asking those questions as to, are we prepared for the breach? Would we be able to detect the breach if it were to occur? And, really importantly, are we already breached? We started putting together a service after the major breaches last year to help boards answer that question, are you breached? And we bring in some pretty sophisticated tools, we do log analysis and correlation, and we look for signs that would indicate whether they're breached. A high percentage of the time, we find the organization has been breached. There's somebody in there, the bad guy's been in there for a while, then it becomes a point of, did they get to the interesting data? Most people assume that the crown jewels, and we talk about crown jewels a lot, is data on personally-identifiable information about individuals. But...
Robyn Bew: Customer information.
Scott Laliberte: Customer information, those types of things, but there are other key risks out there in cyber. Like you talk about MNA [phonetic] information, financial transactions, shipping and receiving information, logistical information, all things that your supply chain could be attacked, which could really hurt the business. The other one is availability. You know, we saw a lot of attacks around availability where it's preventing the organization's ability to conduct business, which has sometimes even more dramatic impact than losing personally-identifiable information. And ransomware, you know, is becoming a big one as well, trying to hold organizations hostage to pay ransom, either to not interrupt business, to not disclose a breach, or other types of things that could cause financial loss to the organization. And those are the types of things you really have to look at and identify those types of scenarios in your risk assessment, look at the controls you have, and how you want to balance, you know, the controls to combat those risks.
Robyn Bew: Scott, thanks, you've given us a lot of great food-for-thought today, and I think some really practical questions that directors can take into their next board meeting, or into their next conversation with management. So, thanks again for joining us today.
Scott Laliberte: Thanks for having me. I'm glad you found it helpful.
Robyn Bew: For more information, you can definitely visit the Protiviti website, as well as NACD's Board Leader's Briefing Center to see some of our resources and tools around cyber security. On behalf of NACD and Protiviti, thanks for listening in today. I'm Robin Bew and this BoardVision.
View Other NACD BoardVision Episodes by TopicBoard Composition, Evaluation & Director Succession
Strategy & Risk
List all NACD BoardVision Episodes