My own theory is that we are in the middle of a dramatic and broad technological and economic shift in which software companies are poised to take over large swathes of the economy. More and more major businesses and industries are being run on software and delivered as online services—from movies to agriculture to national defense.
There are only two kinds of companies in the world: those who have been breached and know it, and those who have been breached and don’t know it.
Four years after publication of Marc Andreessen’s oft-quoted Wall Street Journal article, software has continued growing as a major factor in the strategic planning of an increasing number of companies. Because of this escalating reliance upon software, cyber breaches now rank among the largest sources of enterprise risk. In 2014, 42.8 million security incidents were detected [PwC Global State of Information Security Survey 2015], and the median time from intrusion to detection was 205 days (Mandiant M-Trends 2015)!
Since the Sarbanes-Oxley Act passed in 2002, corporate directors have focused significant attention on meeting financial reporting requirements. As the number of cyberattacks accelerates, cybersecurity has now become top of mind for most board members. Akin Gump’s recent director survey found that in the list “of top director issues for 2015, cybersecurity is the No. 2 concern behind strategic planning.” A recent NYSE Governance Services survey of directors revealed that, while more than 80 percent of boards discuss cybersecurity at most or all meetings, 66 percent aren’t confident that their companies are secured against cyberattacks.
Recent conversations with board members of billion-dollar companies suggest that board discussions typically follow one of two paths. One founder of two technology companies with nine-figure exits serves on the board of a billion-dollar company. When the topic of cybersecurity comes up, other directors turn to him and ask, “Hey, you’re a tech guy, so what do you think we should do?” He patiently explains that his expertise is not in cybersecurity. Another board member friend described a common scenario: the chief security officer presents the state of cybersecurity, the directors’ eyes glaze over, and the chairman moves on to the next agenda item.
It’s critical that we start to demystify cybersecurity for the director community. Directors don’t need to be technology experts, but they must play an effective role in cyber-risk oversight.
Empowering the board to oversee cybersecurity risk mitigation is vital. The issue of cybergovernance is tracking the path that financial fraud followed in the early 2000s, before the Sarbanes-Oxley Act was passed in 2002 (see diagram below). The governance, risk, and compliance (GRC) solutions space that resulted is now an estimated $5-7 billion market. With numerous bills now being floated in Congress, knowledgeable observers believe passage of a cybergovernance compliance bill in 2016 is highly likely.
How will corporate boards comply with a new cybersecurity bill that delineates their liability for overseeing company progress? While most boards have expertise in evaluating and making decisions regarding financial risk, few have significant technical knowledge. The knowledge gap between the Chief Information Security Officer (CISO) and the board currently hinders effective prioritization of cybersecurity resources.
Adoption of a common business model based on accepted industry standards and business outcomes would enable all stakeholders – directors, management, security staff, and vendor partners – to operate within a shared, well-understood decision-making framework.
A new model supporting cybergovernance should:
- Enable business-level discussions of cybersecurity between the board of directors and management;
- Empower directors to exercise effective oversight sufficient to mitigate the threat of personal liability;
- Involve relevant stakeholders, including directors, management, and vendors;
- Be specific enough to allow tracking of progress between meetings;
- Incorporate existing government and industry standards and regulations (e.g. NIST, DoE, FINRA, HIPAA); and
- Relieve directors from having to become cybersecurity technology experts.
The challenge of reducing cyber risk is one every organization faces. Creating an effective shared framework for making decisions about the deployment of risk-mitigating cybersecurity resources should be a high priority for all of us.