What Today’s Boards of Directors Are Missing About Cyber Security

Ewen O’Brien

Cyber attacks have increased significantly in recent years, bringing vital conversations about cyber security into the Boardroom. As Board oversight of cyber security has increased, Board members (even those without technical expertise) have had to become rapidly acquainted with IT risk and security concepts. As Ewen O’Brien observes, in the past few years frameworks and best practices have emerged to help these Boards come to terms with their organisations’ cyber security postures.

However, while there are many lists of what Boards of Directors need to ask about cyber security, the more important thing might be what they’re not asking. Each organisation has a unique risk profile. When Board members rely too heavily on pre-determined frameworks and checklists, they risk passing over the most urgent risks.

When there’s a mismatch between the extent of the Board’s cyber security knowledge and the level of decision-making authority it holds, that’s a recipe for bike-shedding.

Bike-shedding occurs when a team spends an unnecessary amount of time on trivial details while neglecting the bigger picture. It usually happens because the most important issues are so complex that teams focus instead on simpler, more solvable problems. The term originates from the story of a committee that approved flawed plans for a nuclear power plant because it wasted its time discussing details of the plant’s bike shed.

Pressing cyber threats

Here’s an example. Let’s say that a Board of Directors has learned about a recent ransomware attack on a competitor. Each Board member has a decent understanding of how ransomware works and how dangerous it can be and, in the next Board meeting, they discuss different ways their organisation might be targeted, possible ransomware prevention initiatives, and whether or not the company’s firewall and detection tools are sufficient. After discussing and voting on those details, they quickly run through the rest of the cyber security agenda items.

Meanwhile, there are several much more pressing cyber security threats facing the organisation, none of which receive adequate attention from the Board. While important, malware prevention is receiving too large a share of resources because it’s more visible and easier to digest than these other issues. The Board is hung up on one tactical detail rather than assessing the organisation’s overall cyber security strategy. This is bike-shedding in action.

Let’s look at some cyber security issues that might need more attention from the Board of Directors and outline tips for addressing them.

Third party risk

Rather than originating directly in an organisation’s own systems, many cyber attacks originate in the systems of third parties. Third party data breaches are among the most expensive, so a solid understanding of supply chain risk is essential for many enterprises.

Regulators are increasingly targeting third party risk. Wide-reaching laws like the General Data Protection Regulation provide specific requirements for managing third party risk, but this type of risk is complex. When an organisation has hundreds or thousands of third parties with access to sensitive data and systems, keeping the company secure becomes extremely difficult.

Thankfully, there are tools on the market that make this task more manageable. Security Ratings, for example, can help you gain an understanding of your supply chain’s strengths and weaknesses, continuously monitor third party risk and set measurable security expectations for vendors and partners.

Fourth party risk

As challenging as it can be to keep track of your own third parties’ cyber security, things become even more complicated when those partners also share access to important data and systems with other parties. Your third parties’ third parties (i.e. your fourth parties) have the potential to impact your business, so it pays to know what kind of standards your partners have in place for their own third party connections.

Fourth party risk is especially problematic when it comes to software and cloud services. Outages at major providers have caused downtime across wide swaths of the Internet, and making a recovery plan for these scenarios can seem near impossible considering the exponential nature of fourth (and, indeed, fifth and sixth) party risk.

It can be helpful simply to open a conversation with your third parties about their supply chains in order to gain a better understanding of their risk management expectations. However, their suppliers will likely change over time, and you might not be notified of every change. Tools are now available that let you map and monitor the service providers used by your vendors and then use that data to make more informed procurement decisions and disaster recovery plans.

User-related risk

Human error can expose an organisation to a wide array of cyber attacks. Business leaders say that employee negligence is the most common cause of data breaches. Phishing, for example, was implicated in 32% of data breaches in 2018.

In addition, poor password practices, connecting to public Wi-Fi from company devices and sharing files that contain malware are all examples of employee mistakes that could translate into huge costs for any organisation.

Overcoming user-related risk is challenging. After all, it takes only one user and one click to expose an organisation to risk.

Security awareness training can afford employees a better understanding of their role in cyber security, but it’s also important to create a company culture of accountability. This can be achieved by communicating with business unit leaders about cyber security performance and providing them with measurable benchmarks for success, like Security Ratings that can be tracked over time.

These benchmarks can also become cyber security metrics for the Board, helping Board members understand user-related risk within the organisation.

Filling in the gaps

Is your Board of Directors looking at the bigger picture, or are they focusing on the cyber security tasks that feel most manageable to them?

When it comes to Board oversight of cyber security, bike-shedding is a real issue. However, with the right tools in place, Board members can identify the most urgent risk areas and work on strategies to address them.

One of these tools is Security Ratings. Because they require very little technical knowledge to understand, Security Ratings can give Board members accessible and valuable insight into the cyber security performance of the organisation (as well as that of its third and fourth party connections), improve the understanding of complex cyber security topics, inform decision-making and assist in creating a more secure organisation.

Ewen O’Brien is Vice-President of Enterprise (EMEA) at BitSight
