Chapter 10
Creating Executive Cyber Risk Councils

It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently.

Warren Buffett

The space race in the United States accelerated in 1961 when on May 25 President John F. Kennedy stood before Congress and said, “This nation should commit itself to achieving the goal, before the decade is out, of landing a man on the moon and returning him safely to the earth.” This was in response to the threat of Soviet dominance in space. History was made on July 20, 1969, when Apollo 11 landed on the moon and Neil Armstrong's boot touched the lunar surface. It was thrilling. It was extraordinarily memorable.

In the history of space exploration, there is another perhaps equally well-known event: Apollo 13. In 1970 Apollo 13 was on its way to the moon when it encountered a high-risk incident, an explosion aboard the spacecraft, forcing the cancellation of the plan to again land on the moon and prompting a return to Earth. There were no guarantees the crippled ship would get the crew back home alive. But thanks to the mission control team at NASA and the grit of the Apollo 13 astronauts, Apollo was a successful failure—the mission of going to the moon failed, but they made it back and no one was killed. Mission control was confronted with an extraordinary, complex predicament. This was not something anyone expected. They didn't plan for it. There wasn't a Plan B. Nothing in the brief history of space exploration had prepared anyone for this event.

Similarities exist between Apollo 13 and cyber attacks. For one thing, cyber attacks are, in the history of business, relatively new. There was a time not too long ago when cyber attacks were unthinkable. How could there be such an attack when the only computers were mainframes the size of a large room? The only distributed data was on paper, in files, in different locations.

Things go wrong when there's a cyber attack. But as former NASA flight director Gene Kranz once said, failure is not an option. Failure is not an option when it comes to managing risk, either. The stakes are too high. It may seem poor form to suggest that a cyber attack may be as critical as an accident aboard a spacecraft carrying human beings. But cyber attacks have the potential to be devastating.

NASA's mission control is an interesting model, perhaps even for managing risk and developing an executive risk council. There were various kinds of engineers on the team, plus medical personnel, physicists, technical communications specialists, media specialists, executive management, third-party vendors, and so on. Nothing stressed the model more than Apollo 13. Nothing may stress a corporation like a critical cyber attack. The outcomes are never certain, the risk of failure ever present, the reality often veiled by layers of complexity.

Executive risk councils have a vital function in today's environment, just as mission control had a vital function during the space race and beyond. Cyber attacks are marked by increasing frequency, intensity, and risk impact. And no entity is immune. Companies large and small are targeted by nation-states, organized crime, and cyber attackers associated with protests of a dizzying array of social and political causes. Like the Internet, Web, social media, and mobile devices, the cyber threat has left little untouched in this world.

But there are effective ways to combat cyber attacks!

One of the mistakes made in the somewhat brief history of cyber space is viewing cyber attacks as a technology security issue. While it is true that both technology and security play a major role in cyber attacks, to view the attacks as exclusively in the domain of electrons isn't based on reality. Cyber attacks involve people. So do the methods of managing the risks associated with them.

Cyber criminals are smart. For them, stealing information is a business. They target companies, looking for rich archives of personal and business information. Large companies, medium-size companies, and even small companies are targeted. Not only are cyber criminals looking for information, but, like a burglar, they are looking for information that is not well protected. If there are two homes, and inside each home there is an equal amount of money to steal but one home is locked down and secure, the thief will likely move to the home with less security.

Criminals often look for the path of least resistance. They're not necessarily lazy. They're just pursuing intelligent paths. Companies need to be smart to manage the risks associated with cyber attacks. This is not a one-person job. Managing these risks requires a more broadly distributed perspective. Managing these risks is multidimensional.

Curiously, the word “cyber” often fails to ring any alarms. Companies often say, “Why would anyone target us?” This is what they say before the breach. The Internet and the Web have become the great democratizers of marketing, with the Davids of the world assuming the corporate persona of a Goliath. Using the tools of the digital age, a one-person company can look as sophisticated and global as, well, a sophisticated and global company.

Trust and reputation are irrevocably linked. Violate the trust, compromise the reputation. Fair or unfair, this is reality. Reputation is arguably any company's most valuable asset. A breached company is not usually a bad company. A breach doesn't mean that the people in the company are bad. But sometimes that is what hackers want you to believe. Without trust, the information that is the fuel of the economic engine of commerce that sustains employment and tax revenue for government becomes a legal, financial, regulatory, and reputation liability with potential negative impact. Translation: loss of market share, market preference, and dominance; loss of shareholder and stakeholder value; and loss of investor confidence, which may even result in the loss of geopolitical positioning and diplomatic power. Trust is at the heart of reputation. Once trust is lost, it is hard to regain. That's why it is essential for the attackers to go for the reputational jugular—trust.

Trust is a most human characteristic. It is not something automatically conferred or at least it shouldn't be. Trust should be earned. Enterprise trust is not really any different from fundamental human trust. But enterprise trust has a lot of moving parts, a number of components that are managed by many people. Each one has a role, a purpose, and a level of trust.

Cyber attack impact is variable—and assured. Fail to adequately safeguard information and the pain is quickly felt: regulatory scrutiny, fines, civil and even criminal litigation, loss of market value, loss of customer base, loss of market dominance, loss of reputation, and on and on. The list is long, and can be costly. Unregulated intellectual property and trade secret compromise can have similar—and perhaps even greater—impact.

So what to do about it? Establishing an executive risk council can have a substantial impact on any organization. While an executive risk council is not the silver bullet of cyber defense (there is no silver bullet), it can provide significant value to almost any organization.

Some companies have begun to evolve in terms of managing risk, but many have not. The U.S. regulators for the financial services industry have played a role in shaping this vision. Few companies appreciate regulators. But regulators are increasingly placing an emphasis on top management and boards getting educated on cyber risk. This is absolutely critical because this is where budgets come from, and where reputations are often shaped. Intelligent and lucid boards of directors and top management shape culture and lay the foundation for how their companies should operate. Placing an emphasis on the management and board getting cyber smart pays dividends. One of the things it accomplishes is raising the level of awareness across the company about the cyber risk.

This causes various areas of an enterprise to examine operational risk and the threat of a cyber attack and its potential impact. It can lead to a discussion of how to mitigate the risk, which can in turn lead to an examination of the different people in an organization who have something to contribute to that defense.

First, it should be noted that every employee is part of the fabric of a cyber defense. But there are some who must be part of the management defense—the guards at the gates, so to speak. Bringing together the right team is essential in managing risk.

An executive cyber risk council brings together the right parties needed to define the problem and the solution, and then manage the process, and then make adjustments to the program as needed as things change. For too long, security has been perceived as either an issue of guards, gates, and guns, or as an IT issue. Even today, across many companies, risk is perceived as a technology issue or a security issue, and the assumption is that the answer to managing that risk resides within the domains of technology and security. Nothing could be further from the truth. This kind of thinking can get even the most reputation-conscious companies in deep trouble, and quickly. The reality is that managing risk is all of these things and more, and should be reflected in the composition of the executive cyber risk council.

The Goal of the Executive Cyber Risk Council

The goal of an executive cyber risk council is to reduce to the lowest degree possible the impact of a breach, or to prevent a breach if possible. The council needs to understand the fundamentals of cyber threats, and how to defend against legal, financial, regulatory, and reputation risk. This includes recognizing potential risk impact and working to control it. It forces the team to confront potential loss associated with a cyber breach.

An important function of the executive cyber risk council is to look forward with respect to changing threat and risk conditions, thinking holistically about cyber risk issues, and then acting aggressively to manage the risk. So on the one hand, the executive cyber risk council is something of a study group, but it is also a planning, action, and response organization.

An executive risk council is no silver bullet against hackers, internal or external, but it is a good starting point for building awareness where it counts—the CEO and the board.

The participants of the executive cyber risk council may vary by size of organization, industry sector, and so on. But the mission serves not only to manage the risk condition, but to manage expectation and commitment. Having a functional, actively engaged, and highly visible executive cyber risk council sets an example, makes a statement. This statement of commitment is important to regulators, business partners, investors, and insurers. The existence of the executive cyber risk council says that the entity is aware of the threat dimension, the likelihood of attack, the fact that real damage can result from an attack, and that it is committed to defending the integrity of its information or its customers' information.

Warren Buffett's quote comes to mind: “It takes 20 years to build a reputation and 5 minutes to ruin it. If you think about that, you'll do things differently.” It hardly seems fair. But so much in life isn't fair. Think about it from a customer's point of view. It doesn't matter if the customer is a lone consumer or a giant corporation or government agency. Most people want to do business with organizations that have a good reputation. The reasons are obvious. Do business where there's trouble and you're likely to get trouble in return. Managing risk by managing reputation is a rational approach to managing business.

All companies targeted by cyber attacks face one great commonality: the potential compromise of reputation—reputation risk. The best advice is to always think postbreach and act prebreach. An executive cyber risk council should serve the function of thinking from a postbreach perspective. If a breach occurred, what would the company do? How would each member of the council react? What would be their function? How would they work together? What would they tell employees? What would they say to the media and to business partners? How would they stop the breach? How would they investigate it? Who should contact law enforcement? Which law enforcement agency should be contacted, and when? What about getting the regulators involved? Which ones? When?

An effective executive cyber risk council can address these and other questions before a strike occurs, helping to reduce the impact of a potentially devastating cyber attack, and maintain that ever important bond of trust, which defines reputation. While an executive risk council may sound like a fairly straightforward approach to helping manage risk, the composition of such a council may not be so readily obvious.

Who Should be Included in the Executive Risk Council?

Look at the impact of a breach and it becomes increasingly obvious who should be involved in an executive risk council. Although companies and situations vary, here is an outline of who should be included:

  • Legal officer. The breach impact footprint is large. A breach first and foremost becomes a legal issue. The legal challenge involves regulatory considerations, breach of contracts, civil litigation, and even criminal prosecution in some cases. Fundamental to effective risk management in the case of an information breach of any kind is the attorney-client privilege. So it is vital to include a legal representative. For smaller companies, especially those without in-house counsel, consider working with an external legal resource, one with knowledge of information management and risk. But make no mistake: A cyber attack can and will have legal consequences.

    In some cases, smaller companies have sought the advice of general-practice attorneys who lack experience in cyber breaches and the resulting risk. In a recent case, for example, a smaller company used its legal counsel to handle the termination of an employee accused of information theft. Without getting into the specifics of the case, the legal counsel provided advice to the client that conflicted with the law enforcement efforts to apprehend the criminal. An attorney with law enforcement experience and information theft experience would likely have provided better advice and counsel, resulting in a better conclusion to the case. The company did not have the satisfaction of seeing the justice system work to its maximum potential, and the criminal is likely working elsewhere, perpetrating another fraud. So getting the right legal counsel can have a major impact.

    Placing a knowledgeable and experienced attorney with privacy, data protection, and law enforcement experience on the team can be invaluable.

  • Risk officer. Some companies have a chief risk officer. For a variety of reasons, many do not. Budget is sometimes a reason not to have one. Others don't believe it is necessary to have a chief risk officer. Still others believe that if the company is not regulated there is no reason to have such a position. But a chief risk officer role is critical, regardless of the business size, industry sector, and global reach. Even if the company doesn't have a formal title of chief risk officer, someone should be appointed to that role, even if it is not a full-time endeavor. The importance of it is that someone should sit outside of technology and security in order to look at a broader range of factors that could result in a risk event and be able to orchestrate prevention as well as postbreach activities. In some cases it may be a legal officer, in others the chief financial officer. Make sure that risk officer is a critical part of the executive risk council. Having someone who is continuously analyzing risk and its potential impact is vital to any organization. Even some small and midsize companies, especially in financial services, are creating chief risk officer positions. Every breach results in a cost to the company, and that is why it is also important to have the CFO on the council, because that officer can be influential in making budget available for preventive measures. As has been stated elsewhere in this book, it is almost always less costly to prevent a breach than deal with the aftermath of one—and there's a lot less certainty around final outcomes when a breach occurs.
  • Security. A chief security officer (CSO) and/or chief information security officer (CISO) is a natural for the executive risk council, right? This is an obvious role, perhaps, but not entirely so. As odd as it may seem, companies often get this one wrong. In larger operations there may be both a CSO and a CISO. In most companies, though, and especially in smaller to midsize ones, the CISO is the representative on the executive risk council. But this can be problematic. Some CISOs are well versed in physical security, some are not. Having a physical security specialist on the executive risk council is critical. The reason is that some breaches occur as a result of gaps between physical and logical security. One of the main reasons that companies often fail physical perimeter stress testing is that a CISO without adequate physical security training and experience designed the mechanisms that are intended to prevent unauthorized access. This often means that gaps in the defense are present. These gaps are often identifiable through even light surveillance of physical access points at the target facility.

    Here's an example. Unless the CISO has adequate physical security awareness, it may be quite possible for intruders to use social engineering tactics to gain access into the building under false circumstances. This is important, because once inside, there is an assumption that whoever is present is supposed to be there. Understanding of zone security, social engineering, and training of employees on this point is fundamental to protecting information. So having this role on the executive cyber risk council is a must.

    Information security must contain three very specific characteristics: (1) physical security, (2) technical or logical security, and (3) administrative security. The regulators make reference to these aspects of security, and each should have equal measure. In many companies, there is a wide gulf between physical security and technical and administrative security. This is a weakness that increases the likelihood of breach success, particularly when an intrusion involves physical penetration of the target company.

  • IT infrastructure. Technology infrastructure is vital to the council because most every activity the company engages in involves a computer, a tablet, a smartphone, the network, the Internet, and servers. IT touches everything. A chief technology officer (CTO) or director of information technology is a good candidate for this role on the executive cyber risk council. Too often, the technologists help select the technology based on its performance and its “cool” effect. This is something of an Achilles' heel of the technical enterprise. Not only do a lot of technical people feel the pull to bring new technology into the workplace, but a lot of other executives do as well.

    Having a technology officer on the executive cyber risk council accomplishes two things. First, it brings to the table someone who understands the power of technology. Second, it is something of an early warning system that the company is looking at new technology for consideration and deployment. On many occasions the security and risk team gets blindsided when new technology is introduced. For example, the information security team will sometimes be told that, say, tablets are being purchased for the board of directors because they want one. “Oh, and those tablets will be arriving tomorrow. Make sure they're secure.” The executive cyber risk council is a forum for getting insight and perspective on what is going on at all levels of the company, and the technologist on it can be a great asset to understanding the technological advantages of a product or system.

  • Information and records management/chief information officer. While many organizations are transitioning to paperless records, many are not. Most environments currently are a mix of paper and electronic records. This magnifies the risk. For companies that are going to maintain this dual-data structure, equal protection should be given to both formats. A Social Security number written on a piece of paper is just as vulnerable as the same number contained in a storage device or computer. In fact, sometimes the piece of paper is even more vulnerable to compromise because of so much emphasis on electronic data. It's also good to note that many regulations specify both paper and electronic records. Include the chief information officer (CIO) or records management executive in the council.
  • Business continuity planning/disaster recovery. Business continuity planning and disaster recovery are critical to the executive risk council. The larger the global footprint, the greater the potential risk impact, and the greater the likelihood of an event. A cyber attack against the weakest link in a company's supply chain creates substantial impact. An attack against the local utility grid may be equally damaging. BCP/DR contributions to the executive cyber risk council should include issues such as workplace violence, terrorist attack, war, cyber attacks, natural disasters, extreme weather events, utility outages, and other factors that may imperil the enterprise. The absence of this representation on the council may result in increased risk impact.
  • Marketing and sales. Though they are often not included in executive risk councils, it is important to remember that marketing and sales executives are intimately related to the company's reputation, and this part of the workforce is often directly impacted first. In the event of a breach, it is necessary to address this issue with customers, and having a senior representative on the executive cyber risk council will provide the executive risk council with better perspective. Their participation can also provide insight into customer expectations and concerns.
  • Human resources. Get the entire employee base on board with the security message. HR is often the organization that has the greatest reach to all employees, from onboarding to exit interviews. HR needs to be part of the solution to risk impact management and prevention. One of the biggest problems around security is lack of awareness among the employee population. On the executive cyber risk council, HR can serve as a view into how the organization can be educated on the issue of risk, coordinating this effort with the risk management and security executives, and helping to design a program that contains the right messaging with the right delivery model.
  • Information privacy. Not every company has a chief privacy officer (CPO), though many do. If there is no CPO in the organization, there should at least be someone who is charged with the responsibility of managing information privacy. Make sure someone is responsible for ascertaining that information privacy is understood and that the associated policies are in place. Also, remember that privacy includes not only personal information, such as financial and medical information, but also intellectual property and trade secrets. Having this employee on the executive cyber risk council is important because it will give the council perspective on the type of information at risk and its sensitivity.
  • Internal audit. A representative from internal audit will add substantial value, making certain that the internal audit plan embraces the full dimensions of the scope and risk. Also, it has direct linkage to the audit committee of the board of directors. Increasingly, auditors are becoming part of the risk management perspective, though not necessarily part of the risk management team due to their need to remain independent. As part of the executive cyber risk council, the internal auditor is able to apprise the council on a continuing basis on the status of ongoing regulatory and other concerns pursuant to security and risk.
  • Corporate communications. Developing a media response plan before a breach is fundamental and should be part of every company's corporate governance initiative. If perception is reality, then perception should not be left for others to define, lest that become the reality. The communications executive on the executive cyber risk council will be able to place into perspective the many factors that influence a breach, and participate in ongoing discussions about the internal and external conditions of the organization and its threat environment. Breaches can be complicated. The ability to communicate knowledgeably and effectively has great value. And let's face it, when it comes to dealing with the media, many executives lack expertise. The communications executive can also be a media coach to the council.
  • Alliance management. Strategic alliance and joint venture partner relationships are at risk in the event of a breach. The alliance partner may have a great deal to lose, from a capital investment to its reputation. Placing someone with a trusted relationship with the partner will be an advantage when a breach comes. Having an alliance management executive participate in the council allows for proper messaging (working with corporate communications) to the various companies who may have skin (and risk) in the breach.
  • Regulatory compliance. A regulatory compliance representative is critical, particularly if the breach involves personally identifiable information (PII) or personal health information (PHI). Depending on the size of the company, compliance may be part of the legal office, so the legal representative may fill this position. If not, someone from compliance will be able to convey to the council the regulatory requirements associated with managing data and what to do in the event of a breach.
  • Vendor management. When a breach occurs, it may well come through a third-party vendor. Having an executive risk council member with a relationship with the external vendor can save time and money. Just as it is likely that a breach will originate with the external vendor managing its customer's information, it is equally likely that the external vendor may be uncooperative in the event of a breach at its facility. Depending on the size of the company and the number of external vendors, consider rotating members in vendor management. Alternatively, seek cooperation from the most senior executive of the vendor management committee for participation in the council.
  • Executive sponsor. The more senior the title, the better. For smaller organizations, it may be the CEO. But whether it is the director of internal audit, the general counsel, or the CFO, the executive sponsor must have direct access to the board and to the executive management team. This is invaluable for budgetary approvals. A council member will have a strong understanding of the need to prevent breaches and reduce the impact of one. Having an executive sponsor will keep the key risk-related issues in front of the top management and the board of directors. The importance of keeping these issues in front of the board cannot be emphasized too much. In fact, for financial institutions, this is a requirement. So the executive sponsor must be responsive to the council and represent its concerns, and must obtain the correct level of funding in order to effectively manage the organization's risk.
  • Independent adviser. An outside opinion is always advisable. Bringing in an independent third party has the advantage of providing a perspective that is not influenced by corporate politics or trying to impress the boss with showboating. An independent adviser can contribute information and analysis critical to the formulation of decisions, often providing insight that is not available from inside the enterprise. Organizations have cultures. Cultures are often shaped by policies, a way of doing things. Policies can also be shaped by culture. In either case, there is an internal dynamic. That dynamic may be right or wrong; it is just the way things are done.

    Here's an example: The company in question was global in its reach, but its risk assessment approach was very narrow, focusing only on the threats defined by its own staff. The staff, for whatever reason, thought about threats only from their own experience base. They looked at every threat from a U.S. point of view. Never did they consider assessing threats at the foreign-country level. This approach left them vulnerable, unable to reasonably foresee the developing threat conditions in the other countries where they operated. Unable to foresee such threats, they had no defenses with which to counter the threats and no strategy for managing the risks emanating from those threats. It's not that the company was defenseless; it wasn't. But its risk management program lacked a fully dimensioned view, which could result in an unsatisfactory result. That unsatisfactory result often translates into an impaired reputation.

    The perspective of an independent party has significant value. It doesn't mean that the independent adviser has to be at every meeting. But quarterly meetings are a good idea because things change quickly and often. If nothing else, having that independent adviser should bring to the executive cyber risk council the satisfaction of knowing that it is exploring various elements of ongoing threats and the potential risk from someone who is less likely to say something because it is the safe or appropriate thing to say.

As Henry Ford remarked, “You can't build a reputation on what you are going to do.” But you can build a reputation, and maintain it, by how risk is managed. Building an effective executive cyber risk council, and maintaining it for the long term, is the best way to keep perspective and to holistically understand the many vectors from which the unexpected may come. There is an order-of-magnitude difference between the unexpected and the unanticipated.

A cyber attack may be unexpected, but it should never be unanticipated. Managing risk requires anticipating the threat, as well as how to manage the risk arising from it. One of the best methods for anticipating the full range of cyber complications springing from the cyber threat is through the executive cyber risk council. Every member has a voice. Every member has a perspective—and a responsibility. And every member has a vested interest in the outcome. The problem is vastly more complex than any one individual, and so is the solution to managing outcomes. Everyone should have a compelling interest in countering the many varied types of cyber attacks. Forming an executive cyber risk council will help focus thinking about the problem and developing in-depth countermeasures to maintain information integrity in an increasingly intense cyber threat environment.
