
Managing cybersecurity and supply chain risks: The board's role

Cybersecurity and supply chain risks are drawing more attention from senior management and board members, but many companies fall short with accountability.

Security is no longer solely the IT and security department's responsibility. The types of threats alone have changed in recent years, as politically motivated attacks and those seeking intellectual property become increasingly commonplace.

Further complicating the issue is the fact that the number of laws requiring disclosure of customer data breaches -- as well as class-action lawsuits from both consumers and shareholders -- continues to rise.

These factors have pushed the issue of security from IT to the boardroom, changing how the two groups talk about risk management, according to Bret Arsenault, corporate vice president and CISO for Microsoft.

"It's a completely shared responsibility," he said at this year's RSA Conference in San Francisco. "The big differentiators in the maturity of [a security and risk management program] are: Are you holding IT accountable or are you holding the whole company and the supply chain accountable? And how do you go do that?"

But many companies continue to lag behind when it comes to sharing that responsibility.

Cybersecurity and supply chain risks

Take supply chain risk management (SCRM), for example. When making the case to the board regarding the return on investment value of GRC analytics, the supply chain is a good place to start, said Jon Boyens, program manager of cyber-SCRM at NIST.

[Photo: Jon Boyens, program manager of cyber supply chain risk management, NIST]

"Supply chain folks have been fairly successful in showing ROI because supply chain disruptions are expensive," Boyens said during an RSA panel.

Just how expensive? For starters, 55% of supply chain disruptions will exceed $25 million in costs, according to a recent survey by Business Continuity Institute. Furthermore, 24% of these are caused by cyberattacks and 22% by data breaches.

In addition to revenue loss, neglecting supply chain risks when it comes to GRC analytics can be costly in other ways, such as compromising your brand's reputation and losing shareholder value. But the most important of these potential losses, especially to board members, is intellectual property, because that's where the majority of an organization's value resides, Boyens said.

"Valuable intellectual property is not just found within your organization, but often, to do business, you have to share intellectual property with your partners -- and that's what's being lost," he said.

"Security has transcended from being an IT issue to a boardroom issue."
-- Bret Arsenault, corporate VP and CISO, Microsoft

In his work with NIST looking at SCRM across different sectors, Boyens said he is surprised at how many companies don't do their due diligence when deciding who they're doing business with and how. This includes auditing processes, as well as the development and testing of products. He cited another statistic by BCI: 72% of the companies surveyed reported that they do not have full visibility into their supply chains.

"A lot of folks say, 'I sold my product; that's the end of it.' Say [you] sell a product and then that product is breached. [Your] brand is out there in the headlines, but actually it's the product owner that wasn't doing the patching," Boyens warned.

Companies can't afford this lack of visibility into and control of their increasingly complex supply chains, Boyens said. Not only are trends such as 3D printing and the Internet of Things exacerbating cyber-risks related to supply chains, but IT-enabled SCRM technology is built on IT platforms that can be extremely insecure.

"Product and supply chain data run on top of business software that connects supply chains, and weak links abound globally ... and that is going to create huge disruptions," he said. "Your greatest control is inside your organization, starting with controlling the practices within it."

Communicating the value of GRC analysis to the board

It's one thing to bring these statistics and risks to the attention of board members; the challenge is in helping them to understand that information and their role in managing supply chain risks and making use of GRC analytics.

Tackling this challenge starts with getting senior executives more involved in security, said Microsoft's Arsenault. He highlighted CFOs in particular because they understand security from the point of view of operational risk. Unfortunately, there is a gap between how much value C-suite executives place on information security and how involved they are in it. According to unreleased data from field research Arsenault's team conducted last year, 82% of financial executives and 76% of their C-level peers considered information security very valuable to the company. However, only 13% of financial executives and 28% of other senior executives reported being involved in information security decisions.

[Photo: Bret Arsenault, corporate vice president and CISO, Microsoft (used with permission from Microsoft)]

"This is important because, as you're preparing for the board, for senior management, what involvement level do they have and how often do you [have that conversation with them]?" Arsenault said.

The involvement gap isn't the only disconnect that is hindering security from becoming a shared responsibility, Arsenault has found. According to his team's field research, while most C-level executives (92%) acknowledge the importance of integrating information security with each business department, direct communication with information security leaders is very infrequent: 56% of financial executives and 57% of their C-level peers met with security leaders on a quarterly basis or less, while only 44% of both financial and other executives met with security leaders monthly or more.

Boyens agreed that silos are preventing effective security and risk management, particularly in the supply chain. In fact, based on his field work with NIST and his experience working in the government sector, he believes these communication breakdowns are the biggest barrier.

"You have CIOs, CISOs responsible for IT; different business lines responsible for their business line -- but there is rarely any intersection between the two," he said.

This stems from not only the lack of intersection between SCRM training and IT management training but also system owners' lack of involvement in information security processes.

"This creates huge, huge blind spots," Boyens said.

These silos can be problematic when analyzing enterprise risk intelligence and big data, which is key for SCRM, Boyens said. Big data is spread throughout many different areas of an organization, including server event, antivirus and firewall logs; personnel information; and in-scope equipment. With silos in place, it takes greater effort to break them down, reach all those sources of data and move the information into one central location so it can be analyzed.

Filling the gaps in managing supply chain risks

Arsenault and Boyens offered several suggestions for alleviating these risk management gaps. For one, IT and security leaders should consider whether they are using the right language to communicate risks to the board, and whether it is overly technical. Arsenault advised the audience to avoid using pictures, graphs and three-letter acronyms and stick with simple, short prose.

"It forces you to write like a human," he said.

Second, talk about risk in terms of technical debt, or the liability a software product or technology platform accrues over time, and how much it will cost to "pay back" that debt. In other words, monetize the risk associated with using certain products by showing costs as they would appear on a balance sheet.

"The audit committee loves to use that language. We talk about technical debt and the things that we're cleaning up," Arsenault said, adding that many audit committee members come from a CFO background.

Third, develop educational sessions for the board. There are a variety of personalities on any given board, and not everyone asks questions during board meetings. Educational sessions, particularly those that involve external experts with an industry perspective, can be beneficial for those less-vocal board members who haven't spent a lot of time in this space, Arsenault said.

Finally, create a supply chain risk council. When conducting workshops with companies that deal with cyber-risks in their supply chain, NIST has found that the more sophisticated ones had supply chain risk councils in place.

"They bring together key players for a holistic and end-to-end SCRM strategy," Boyens said.

The way these councils are set up varies, and they often involve not just supply chain business units but also information security and financial leaders and engineers. Also, it's important to remember that creating a council isn't easy, Boyens warned.

"Even the most sophisticated organization we found was having a hard time dealing with it -- every year they had to switch [the organization of the council] around," he said.
