Several years ago, Senator John Tower, his daughter and an astronaut were killed in a plane crash. The cause of the accident was determined to be the failure of a part in the propeller control unit. A safety board chairman said, “It acted like a file and over time it wore down the teeth that controlled the propeller unit.”
The part wasn’t large. The problem wasn’t easily detected. The crash was unavoidable.
Welcome to cyber-security.
Governance issues around cyber-security are rising rapidly. It is a unique risk. Directors lack experience in the discipline; companies rely entirely on the internet; failure is not as much an operational issue as it is a lack of imagination around vulnerabilities.
Executives and Board members are flying on a plane, and because it is in the air and the usual dashboard indicators look clear, they feel safe. Stealth stalks them.
Past risk governance models are now inadequate. Physical and financial assets, the old dashboard, must make room for the technology dashboard. There are three major indicators a Board must look at, and that the CIO must lead in developing and translating: risk, alignment and response to incidents.
Cyber-risk is business-risk. The scope of concern is the impact to the business more than the impact to technology. The defense is in the details. Security teams must be aware of business activities to inform the proper defense. General defense guidelines that fail to take into account unique business practices ignore customized, stealth threats.
The CIO and Board work together to ensure that cyber-security is integrated into the business, not isolated. The key to integration is to align the motivations; every business component must focus on the business strategy and not just its own standing. Fear of being culpable for failure, and temptations to divert blame, must yield to commitment to overall business success. Everyone is secure or no one is secure.
Integration depends on clear communication. Non-technical persons must be able to understand the security issues at stake, the impact at risk and the implementations that are needed. One legendary college basketball coach used to say, “It’s not a good pass if it isn’t caught.” No matter how great the message is, it’s not a great message unless it has been received. Communication is not in the delivery but in the doing.
The CIO is in a unique position to communicate to the Board the information that helps them assess and evaluate the security approach and activity, and incident response and recovery. The Board needs this information through direct and indirect vehicles: reports, sessions devoted to security, ongoing education, timely assessments and third-party input. In turn, the Board needs to help determine the internal checks and balances in place to ensure that they are receiving unbiased information. In short, they need to know how management is thinking about security, and what management is doing about it.
Together, the CIO and Board are addressing critical questions:
- What should the focus of the Board be in regards to cyber-security?
- How will the Board and Leadership interact?
- Who is accountable for assessment and management of risks?
- How are policies and procedures reflecting commitment to cyber-security?
- What are the IT metrics that will comprise a new dashboard?
- What is the incident response and recovery plan?
- How will the Board receive ongoing education in cyber-security?
As a public, we understand that attention is given to avoid human error and to ensure reasonable safety measures. Miss those, and you may lose customers. Now, fail to detect and protect against the unseen, and you may not just lose customers. The plane may go down.