Understanding the critical role of the board in cybersecurity and digital operational resilience

Understanding board level cyber strategy and digital operational resilience through executive cyber risk management.

[Image: a tower of small wooden pieces carefully balanced] A balancing act.

It’s obvious to everyone that a company’s board is vital to its profitability, soundness and longevity. So why do some boards fail to get sufficiently involved in cybersecurity or digital operational resilience? Is it because it’s technical? Is it because it’s complicated? Is it because it confuses them? Or is it more complex than that and a combination of the gradual digitisation of business, increased reliance on technology and increased interconnectedness?

The press is routinely littered with companies that have been compromised through relatively old vulnerabilities in their remote access solution, web sites or desktops. There are regular reports of companies suffering a technology meltdown following an upgrade or technology transformation. It is surprising that these existential threats to all modern digital companies are not given more time and attention. Whatever the reason, increasing regulatory oversight is building pressure on boards to get to grips with cybersecurity and digital operational resilience.

It is no longer sufficient to just hire a Chief Information Security Officer (CISO) or Digital Operational Resilience Officer (DORO) and say we’ve done our bit! The recent EU Digital Operational Resilience Act places explicit responsibility at board level, and it cannot be delegated. This means the board must understand the strategy, policy, standards and testing programmes being undertaken, in order to skilfully oversee and govern them and to define risk tolerances in these areas. The Act applies not only to financial institutions but also to third parties providing services to them, so a greater number of firms will need to raise their game when it comes to cybersecurity and digital operational resilience or lose customers. The EU regulators have the power to summon the board to explain its approach - not the CISO and not the CIO (unless they sit on the board). The EU may be leading the way but other parts of the world are sure to follow.

Where to start?

The best place for a board to start is to gain greater awareness and information. But how do you go about this? Simply put, you arrange for subject matter experts to come in and present to the board on a subject of the board’s choosing – such as ransomware, business email compromise, insider threat etc. We would not recommend asking vendors to present to boards, as these discussions are likely to become technical very quickly. We would, however, recommend arranging for a company like IT Security Locksmith, who are cybersecurity and digital operational resilience generalists, to come in and talk about these two important subjects. An alternative approach would be to invite a Threat Intelligence firm to present their current threat landscape, providing an insight into the attackers that may target your firm. Either way, you need to arrange for the board to have a 30-minute presentation on these subjects regularly. This will allow them to start to comprehend these difficult and sometimes worrying subjects. Our best advice is to get the conversation going and see where it leads.

It is important for board members to keep up to date with articles in the press and to learn from the experiences of other firms that suffer a cyber-attack or technology failure. You need to ask the questions “Could that happen to us? And if not, why not? What makes us different?”. Failure to learn these lessons could result in your company being in the press for all the wrong reasons.

Plan your board level digital dashboard

Boards should already be receiving regular updates from their Cybersecurity, Information Technology and Business Continuity teams. However, these tend to be rather technical because of the nature of the subject and the approaches taken by the operational teams. The managers responsible are too close to the ‘coal face’, so to speak. We would recommend the board request its own view of the required information, in a form it can understand. A board level digital dashboard should be non-technical and include:

  • ICT risk appetite and tolerances
  • Strategic objectives and status
  • Control framework and status
  • Key Information and Communications Technology (ICT) risks and treatment plans
  • Operational resilience testing schedule and results summary
  • Open audit issues
  • External security score
  • Any other updates from the operational teams

There are some unfamiliar words in the paragraph above, so let’s work our way through some of them and add some business understanding or context to help. We will explain why each is critical and what is likely to happen if a board fails to step up.

ICT risk appetite and tolerances

A risk appetite is a written statement on the amount of risk a company is prepared to take in order to achieve its strategic objectives. It’s interesting to note that you may have different risk appetites for different types of risk. This means a board’s risk appetite is made up of a number of statements of risk appetite for the different types of risk such as cybersecurity risk, digital operational risk, financial risk, market risk, credit risk etc.

Example appetite:

The company has a moderate ICT risk appetite that includes both cybersecurity and digital operational resilience risk.
The company has a low cybersecurity risk appetite and a moderate digital operational resilience risk appetite.

In the examples above the words ‘low’ and ‘moderate’ need to be defined in a formal taxonomy, so that all readers know exactly what they mean and share a consistent understanding.

A risk tolerance is generally stated as two thresholds above which the exposure is deemed to be unacceptable. The first threshold provides a leading indicator that "something is not right"; the second shows that "something has become critical".

A risk appetite may be supported by multiple risk tolerance statements.

Example risk tolerances:

The mean time to remediate important and critical technical vulnerabilities should be less than 14 days and must be less than 21 days.
The mean time to remediate important and critical technical vulnerabilities affecting internet facing systems should be less than 1 day and must be less than 2 days.
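The two example tolerances above are metrics, so they can be computed directly from a vulnerability register and reported with the two-threshold status the article describes. The following is an added example written for this page, not code from IT Security Locksmith or from any product. It assumes a constructed register of findings (the identifiers, severities and dates are made up), interprets "should be less than N days" as a warning once the mean reaches N and "must be less than N days" as critical once the mean reaches N, and counts findings that are still open as ageing up to the reporting date, so an unfixed vulnerability cannot drop out of the figure.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tolerance:
    """A risk tolerance with the two thresholds the article describes."""
    name: str
    should_days: float  # leading indicator: "something is not right"
    must_days: float    # critical threshold: "something has become critical"

    def status(self, mean_days: float) -> str:
        # "less than N days" is breached as soon as the mean reaches N
        if mean_days >= self.must_days:
            return "CRITICAL"
        if mean_days >= self.should_days:
            return "WARNING"
        return "OK"


@dataclass(frozen=True)
class Finding:
    """One vulnerability register entry (constructed for the example)."""
    ident: str
    severity: str               # "critical", "important", "moderate", "low"
    internet_facing: bool
    opened: date
    remediated: Optional[date]  # None while the finding is still open


# The two tolerance statements from the article, as thresholds.
TOLERANCES: Dict[str, Tolerance] = {
    "all": Tolerance("Important/critical vulnerabilities, all systems", 14, 21),
    "internet_facing": Tolerance("Important/critical vulnerabilities, internet facing", 1, 2),
}

IN_SCOPE_SEVERITIES = {"critical", "important"}


def days_to_remediate(finding: Finding, as_of: date) -> int:
    """Closed findings use their remediation date; open findings keep
    accruing age until the reporting date so they are never hidden."""
    end = finding.remediated or as_of
    return (end - finding.opened).days


def mean_time_to_remediate(findings: List[Finding], as_of: date,
                           internet_facing_only: bool) -> float:
    ages = [
        days_to_remediate(f, as_of)
        for f in findings
        if f.severity in IN_SCOPE_SEVERITIES
        and (f.internet_facing or not internet_facing_only)
    ]
    return float(mean(ages)) if ages else 0.0


def dashboard(findings: List[Finding], as_of: date) -> Dict[str, Tuple[float, str]]:
    """Board-level view: one (mean days, status) pair per tolerance."""
    result = {}
    for key, tolerance in TOLERANCES.items():
        mttr = mean_time_to_remediate(findings, as_of, key == "internet_facing")
        result[key] = (round(mttr, 1), tolerance.status(mttr))
    return result


# Constructed sample register; AS_OF is the hypothetical reporting date.
AS_OF = date(2024, 3, 20)


def sample_findings() -> List[Finding]:
    return [
        Finding("VULN-001", "critical", False, date(2024, 3, 1), date(2024, 3, 11)),
        Finding("VULN-002", "important", False, date(2024, 3, 2), date(2024, 3, 20)),
        Finding("VULN-003", "low", False, date(2024, 3, 3), date(2024, 3, 4)),
        Finding("VULN-004", "important", False, date(2024, 2, 28), date(2024, 3, 16)),
        Finding("VULN-005", "critical", True, date(2024, 3, 10), date(2024, 3, 11)),
        Finding("VULN-006", "important", True, date(2024, 3, 12), date(2024, 3, 15)),
        Finding("VULN-007", "moderate", True, date(2024, 3, 1), date(2024, 3, 2)),
        Finding("VULN-008", "important", True, date(2024, 3, 18), None),  # still open
    ]


if __name__ == "__main__":
    for key, (days, status) in dashboard(sample_findings(), AS_OF).items():
        print(f"{TOLERANCES[key].name}: mean {days} days -> {status}")
```

With this register the overall figure (8.5 days) sits comfortably inside the first tolerance, while the internet-facing subset (2.0 days) has already hit its "must be" limit and reports as critical. That is the reason for stating the second, tighter tolerance separately: an aggregate that looks fine can hide exactly the exposure the board most needs to see.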


If a board does not specify an ICT risk appetite and tolerances, the operational teams will still operate, but the level of risk and the tolerances applied may vary and there will be little or no oversight or governance by the board. This means the company may be accepting either too much risk, which could have a devastating impact on the company, or too little risk, which prevents the company’s strategic objectives from being achieved cost effectively.

Control framework

Simply put, a Control Framework is an agreed set of strategy, policy, standards and other documents, each of which must have a named owner and be maintained. The ‘sign-off’ or ratification level for each document should be documented as part of the framework. All document approvals must be recorded as a ‘minuted’ decision by the board. This is required to demonstrate to regulators or internal audit teams that they have been correctly authorised. Example policies include the ICT Risk Policy, Information Security Policy and Business Continuity Policy – these are all used to mitigate ICT risks identified as part of the ICT risk management process.

Strategies and policies are generally approved by boards and the other documents by senior managers or operational directors. Standards could include documents detailing how access control is undertaken or how specific types of systems are configured to meet the relevant policies.

It is essential to have an ICT risk management framework because it co-ordinates activities across multiple disciplines in order to mitigate ICT risks. It is important to detail all the required formal documents, their owners and their purpose. A framework reduces the possibility that there will be any gaps in the overall approach. Where gaps are identified the ownership needs to be clarified to ensure the responsibility is clear and documented.

Failure of a board to establish an ICT risk framework may result in a fragmented approach to ICT risk management, meaning that the operational teams will carry out their perceived roles. While at face value this looks appropriate, it means that the gaps are simply ignored by individual senior managers and left unaddressed. These gaps result in increased risks that may or may not be known, which in turn increases the risk exposure of the company.

ICT risks and treatment plans

The company should already have a risk management approach. These ICT risks should be driven from the internal management process currently being used to drive your cybersecurity and digital operational resilience approaches to mitigating risk. The dashboard should only include the top three to five. These can be the highest risks or those showing a concerning trajectory. Each risk should be accompanied by a tailored treatment plan to allow the board to understand what is being done. The board should also undertake a full review of all ICT risks at least annually, or delegate a more thorough review to another board or committee such as a Risk Management Committee.

If the board does not have visibility of the ICT risks and treatment plans, how can it govern them and ensure the right action is being taken? It’s like a warning light on the dashboard of your car. The first question should be “What’s that and how serious is it?”; the second question is “What’s being done to fix it?”. These sorts of questions coming from the board have weight and the operational teams will react accordingly. Equally, if no questions are being raised then the operational teams may simply carry on doing what they are doing, which could allow the risk to become critical.

Digital operational resilience testing

Digital operational resilience covers a number of disciplines and is not simply business continuity under a new name. It includes IT resilience, cybersecurity resilience, business continuity, crisis communications, third party management, recovery procedures, recovery systems, recovery technology and testing to demonstrate your capabilities. The board needs a simple schedule showing which tests are due when and an indication of how each went. It doesn’t need to be a long list, maybe 8 items; it allows the board to keep a watchful eye on proceedings and to identify when there’s a problem, which is what ‘oversight’ means in practice.

For example, we would expect this list to include:

  • Data backup testing
  • Disaster recovery testing
  • Business continuity testing
  • Penetration testing (including threat led penetration testing)
  • IT critical infrastructure recovery testing
  • Crisis management testing
  • Cybersecurity incident response testing
  • Third party resilience testing

Any failed tests should be immediately rescheduled until a positive outcome is achieved. This needs to be visible to the board.

If a board does not have visibility of the digital operational resilience testing, it sends a message to the wider company that the tests are not important. As a result, tests may simply be postponed because they are considered not important enough or because more urgent operational activities have taken priority. This means the schedule will slip, and weaknesses or failures in recovery plans are not discovered until a real incident occurs and prevents recovery.

Open audit issues

An internal or external audit team is an independent reviewer carrying out the wishes of the board. This allows them to impartially review and comment on the ICT environment and make recommendations for improvements. It is critical that boards review open audit issues to ensure the operational teams are both aware of the findings and taking the necessary actions to address them.

Failure of the board to include open ICT audit issues, especially those graded 1 or high risk, could result in a serious control failure, leading to a cybersecurity breach or an inability to recover from a serious digital operational resilience incident.

External security score

There are various firms that help companies to assess the security posture of their third-party suppliers, such as Bitsight, SecurityScorecard and UpGuard. These services also allow you to view your own score against those of your nearest competitors! You can then take the necessary actions to improve your score.

These systems are very good at providing a general indication but should not be taken literally. They are limited by the type, scope and comprehensiveness of the data available to them, which is not enough to make a truly meaningful determination on your cybersecurity approach, but a good score is a step in the right direction – and looks good to clients.

If a board does not include an external security score measurement, it may fail to identify fundamental control failures that are visible to external monitoring firms. A poor score shared with the wider market could result in a commercial disadvantage or loss of customers, while a good score demonstrates competent management and makes the internal teams feel good!

Conclusion

We hope that after reading this article you have a greater appreciation and understanding of the critical role the board plays, and are suitably energised through increased knowledge to do something about it. Good luck!

How can IT Security Locksmith help?

There are a number of ways we can help:

  • Why not get in touch to discuss your current challenges and what we can offer for a free of charge consultation?
  • Alternatively you could book our board level cybersecurity course. More details can be found here.
  • For individual board members we offer 1-2-1 sessions to help develop your cybersecurity or digital operational resilience skills.
  • IT Security Locksmith can assist with developing a board level digital dashboard or any of the components it contains.

Don't delay, get in touch today - please email contact@itsecuritylocksmith.co.uk

#Board cyber resilience
#Board cyber strategy
#Executive cyber risk management