“Security has transcended from an IT issue to a boardroom issue.” This was how Microsoft corporate vice president and CISO Bret Arsenault opened his panel discussion at last month’s RSA Conference in San Francisco. He made it clear that security is no longer solely the responsibility of the IT department; it’s one that’s shared with business units, users and members of the supply chain.
Yet other than a very few edge cases, the types of security compromises of the past two years that have hit high-profile retail brands and other companies aren’t really that much different from those of the past, argued Arsenault. So why has the security conversation changed? Namely from the convergence of these three factors: the scale of compromises, laws that require the disclosure of breaches related to customer data, and the political motivation of malicious actors.
“We absolutely see [these factors] creating a different news cycle … and a different level of interest for the board,” Arsenault said.
These factors, combined with increased regulatory attention from agencies such as the Federal Trade Commission and the Securities and Exchange Commission, as well as increasing class-action lawsuits filed by consumers and shareholders, have caused today’s boards of directors to pay greater attention to cybersecurity questions.
“One of the big questions I see most boards asking — one of the big differentiators in the maturity of the security program — is, ‘Are you holding IT accountable or are you holding the whole company and the supply chain accountable? And how do you go do that?'” said Arsenault.
The board’s duty now includes determining previously unimagined cybersecurity risks, but balancing this with its other, more pressing responsibilities is no small feat.
“Cybersecurity really isn’t the most important thing in the grand scheme of things — strategic risk, financial risk, operational risk and legal risk — until something goes wrong,” he said.
Arsenault advised boards to focus on the following cybersecurity issues when scoping potential risks:
Security strategy and budget review. It’s not the board’s job to produce a detailed, 40-page budget review, but it does need to make sure it’s aligned with management on the security budget, Arsenault said. A good board will ask one key question during a discussion on cybersecurity with the IT and security teams: Do you have everything you need? “The answer to that would be, ‘Yes, yes I do. Or, I do, but here are the things I see coming,” he added.
Security leadership. “Most companies now list CISOs as a critical role relevant to the performance of the company,” said Arsenault. Questions the board should ask regarding senior leadership include who security teams report to, and whether the right person is employed for the job.
Incident response plans. Look at whether the company has adequate firewalls and intrusion detection tools in place, as well as how to allocate resources between detection and response tools.
Ongoing assessment. This doesn’t mean the board needs “a ton of KPIs,” said Arsenault, just enough to show them trends and developments in the security industry.
Internal education. Ask about how frequently employees are educated about cybersecurity risks and the steps they should take if the company is breached. “Enlightened boards will ask about this,” Arsenault said. “Users are in control, so what is the user effectiveness of that control?”