It starts with a deeper understanding of cybersecurity, but understanding human nature, the regulatory mindset, and how to collaborate with CISOs are also important contributing factors to more effective governance.
It’s a difficult balancing act that I had the opportunity to discuss with Lou Steinberg, a seasoned technology leader with a track record of delivering growth through innovation. Full disclosure, Lou is Chairman and Co-Founder of ShardSecure, but his extensive experience, including as CTO at TD Ameritrade and serving on the board of several organizations, places him at a vantage point where he can provide valuable insights for CISOs and board members during these challenging times.
I’ve distilled our discussion into five key takeaways for CISOs and boards charged with cyber risk management as they navigate the evolving regulatory landscape. For the full discussion, watch our 30-minute session, “On the Hook: How CISOs can navigate the evolving regulatory landscape.”
Too many boards don’t really understand cybersecurity, even though it is material to the operation of almost every business today. Legislators and investors are beginning to demand that boards get their arms around cyber risk, because attacks can impact business performance. Even when boards have a technology committee or a risk committee, they don’t necessarily have the expertise to deeply understand cyber risk so they can adequately govern it, which is their role.
Training programs and reading materials specifically for boards can help business leaders get up to speed. Additionally, regulators now want to see someone with cybersecurity bona fides on boards. Adding a CISO to the board makeup is a great way to address this requirement and gain a deeper understanding of cyber risk at the board level.
Boards need to understand that we shouldn’t try to eliminate all risk, because that isn’t possible. CISOs shouldn’t be penalized when an outlier event happens; this isn’t metaphysical certainty, this is risk management. At the same time, CISOs need to think about the business impact of security measures before they put them in place, and if a measure is going to negatively impact a business process or objective, they should look for compensating controls. This may require separating regulatory compliance from business-focused risk management.
What this means practically is that regulators use compliance to manage risk with statutes that were developed based on what happened in the past, and these statutes don’t change very quickly. Meanwhile, businesses operate in a rapidly changing environment and need a forward-looking approach to risk management. So, we have an impedance mismatch. Smart risk management comes down to balancing the realities of the business and cybersecurity measures with compliance.
Almost every CISO has had to deal with recency bias, simply defined as our tendency as human beings to remember recent events more strongly than distant events, so we attach more weight to them—and that’s a problem when it comes to cyber risk management and security investment. Boards can’t assume that just because we weren’t breached last week it won’t happen today, or that because we experienced a DDoS attack last week that’s all we need to protect ourselves against. Managing risk requires thinking about what is going to emerge over time and protecting against that as well.
Motivated attackers try to take advantage of vulnerabilities, and with unlimited time, eventually all vulnerabilities may be exploited. Recency bias is harmful because the tendency is to say we are doing a good job, so we don’t need to increase our security budget. Or we can just increase investment in this one area based on what happened in the past. But it’s your security budget that got you to the place where you are doing a good job managing risk and if there was a breach in one area, that budget helped protect you against all the other potential attack vectors. You have to understand recency bias to counter it.
If you work in anecdotes, recency bias will drive you. And anecdotes are pretty common, particularly at the board level. However, if you work in numbers, you can quantify your risk and track and manage it over time. There are different methods for risk scoring, so use what works for your organization. [Note: In the webinar, Lou explains in detail an approach he has used effectively.]
How you go about risk scoring doesn’t matter as much as consistency, so you can assess your uncontrolled risk over time. You can see if your risk profile is going up or down and determine if your current risk exposure is acceptable. If it is not within your risk tolerance, you need to bring it down and look at where to invest to help you accomplish that. If your risk exposure is acceptable, then you need to maintain it. Remember that the environment is changing around you and attackers are learning new tricks, so you can’t stop investing in new controls.
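To make the "work in numbers, not anecdotes" point concrete, here is an added example (not from the webinar, and not the scoring approach Lou describes) of a minimal risk register tracked across periods. It assumes a simple likelihood × impact rubric on a 1–5 scale with a control-effectiveness factor; the risk items, scores, periods and the tolerance value are all constructed for illustration. What it shows is the mechanics the takeaway calls for: apply the same rubric every period, compare the residual total against a tolerance, read the trend, and rank where the next control investment would reduce residual risk the most.

```python
"""Consistent risk scoring over time: a constructed example.

Rubric (an assumption for this example, not a standard):
  inherent  = likelihood (1-5) * impact (1-5)
  residual  = inherent * (1 - control_effectiveness)   # 0.0 = no control, 1.0 = fully mitigated
The rubric itself is deliberately simple; the point is applying it the same way every period.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    likelihood: int               # 1..5
    impact: int                   # 1..5
    control_effectiveness: float  # 0.0 .. 1.0

    def __post_init__(self) -> None:
        # Reject inputs outside the rubric so scores stay comparable across periods.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.name}: control_effectiveness must be 0.0..1.0")


def residual_score(item: RiskItem) -> float:
    """Risk left after controls, rounded so period totals compare cleanly."""
    inherent = item.likelihood * item.impact
    return round(inherent * (1.0 - item.control_effectiveness), 2)


def period_score(items: list[RiskItem]) -> float:
    """Total residual risk for one assessment period."""
    return round(sum(residual_score(i) for i in items), 2)


def assess(history: dict[str, list[RiskItem]], tolerance: float) -> dict:
    """Score every period with the same rubric and report trend, tolerance and priorities.

    history: period label -> risk items, oldest first (insertion order is the timeline).
    """
    scores = {period: period_score(items) for period, items in history.items()}
    periods = list(scores)
    latest = periods[-1]
    if len(periods) < 2:
        direction = "n/a"  # one data point is an anecdote, not a trend
    else:
        prev, cur = scores[periods[-2]], scores[latest]
        direction = "up" if cur > prev else "down" if cur < prev else "flat"
    # Where would the next dollar reduce residual risk most? Rank the latest period.
    priorities = [i.name for i in sorted(history[latest], key=residual_score, reverse=True)]
    return {
        "scores": scores,
        "direction": direction,
        "within_tolerance": scores[latest] <= tolerance,
        "priorities": priorities,
    }


# Constructed sample register: two quarters. Q2 reflects investment in patching,
# and a newly identified risk, since the threat environment does not stand still.
HISTORY: dict[str, list[RiskItem]] = {
    "2024-Q1": [
        RiskItem("phishing", 4, 4, 0.5),
        RiskItem("unpatched web app", 3, 5, 0.2),
        RiskItem("ddos", 2, 3, 0.8),
    ],
    "2024-Q2": [
        RiskItem("phishing", 4, 4, 0.6),
        RiskItem("unpatched web app", 3, 5, 0.7),
        RiskItem("ddos", 2, 3, 0.8),
        RiskItem("third-party SaaS token leak", 3, 4, 0.3),
    ],
}

RISK_TOLERANCE = 15.0  # constructed threshold a board might set for total residual risk


if __name__ == "__main__":
    report = assess(HISTORY, RISK_TOLERANCE)
    for period, score in report["scores"].items():
        print(f"{period}: residual risk {score}")
    print("trend:", report["direction"], "| within tolerance:", report["within_tolerance"])
    print("invest next in:", report["priorities"][0])
```

Running it shows residual risk trending down from Q1 to Q2 even though a new risk was added, while still sitting above the tolerance, so the output is "bring it down" plus a ranked list of where to invest rather than "the last incident was X, so spend on X."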
The regulatory environment has never been more complex, between the CLOUD Act, proposed amendments from the SEC, the Strengthening American Cybersecurity Act (SACA), industry- and state-specific restrictions in the U.S., not to mention nation-specific data protection laws, GDPR, and others. Companies end up in the middle of these regulatory demands. The key to navigating the complexity is to focus on regulatory intent. The regulation is there for a reason. You need to understand that reason and then think about that intent in the context of how material it is to you and the business from a risk mitigation point of view. For regulations that aren’t material, do the minimum to be compliant but no more. For regulations that are material and aligned from a risk point of view, go all in and do more than the minimum.
For more insights and tips, including how to quantify and track and manage risk over time, watch the 30-minute webinar now.