limited to IT and includes building a corporate culture that is mindful of data risk, as is discussed more below.

Detection measures include analysis of operational data and anomaly detection as well as systems for logging, monitoring, and testing data moving into and out of the corporate IT environment and across various devices (e.g., from computer to cloud service or external storage devices), where legally permissible. Rapid remediation measures include incident response plans that are rehearsed, implementation of forensic recovery tools, and measures to quickly restore failed systems from back-ups. Boards should recommend appointment of a permanent incident response team—comprising senior management from IT, legal, compliance, vendor management, PR, investor relations, and business lines—to lead the incident response efforts, report incidents and remediation plans to the C-suite and the board, and notify external regulators and customers when necessary.

In line with the previous point, a key step the C-suite should take is to oversee lines of communication among the various parts of the company that either manage or make use of the company’s cybersecurity controls. If a business line is experiencing occasional bugs in its online customer order processing, for example, and IT is not informed of the issue in a timely manner, malware may go undetected. If an employee with database access quits and HR does not inform IT in a timely manner, then user credentials may remain active long after they should.

Another key step the C-suite can take is to prioritize regular training of employees—at a minimum annually—on cybersecurity threats and how to avoid them. A surprising number of threats can be thwarted by employee education about suspicious emails, strong password practices, and cautious use of personal devices. The more employees at every level learn to treat data as a valuable asset, the more careful they will be. Conversely, no matter how strong a company’s cybersecurity controls, it only takes one employee mistake to expose sensitive company data.

OVERSIGHT OF COMPLIANCE AND CONTROL RESPONSIBILITIES

Even the best designed data security initiatives are prone to failure if not implemented correctly. A common problem that can occur even after apparently successful program implementation is a disconnect between appropriately drafted policies and procedures on the one hand, and operational practices and technology infrastructure on the other (in-house and third-party managed), and a failure of the board to notice.

Cybersecurity policies and procedures are effective only if they are tailored to the company’s unique business environment, applicable regulatory requirements, and known security risks. However, too often, boards and C-suite leadership oversee the development and adoption of boilerplate policies and procedures that, although perhaps built on generally appropriate foundations, are either insufficiently customized or implemented inappropriately. The resulting disconnects may lead not only to damaging data breaches and unauthorized disclosure of personal information but also to scrutiny from regulators and actions from the plaintiffs’ bar. For example, the Federal Trade Commission (FTC) currently views the disconnects between cybersecurity policies and procedures and their actual implementation as unfair or deceptive trade practices under Section 5 of the FTC Act, and this is a trend that senior executives should expect to continue.

It is critical to the success of a cybersecurity program that the operational uptake of—and ongoing adherence to—program requirements are measured effectively. Monitoring of the program not only enables effective reporting up to the board but also, more importantly, identifies vulnerabilities in the program and areas for improved security. Although evaluating the effectiveness of a cybersecurity program would appear to be a core component of any successful implementation, many organizations fail to adequately address this need, often leading to exploited weaknesses, data breaches, and programmatic failure.

Effective metrics for evaluation can be broken down into several categories to enable more targeted application across the enterprise. Programmatic metrics measure the progress of various organizational components of the information protection program, such as overall program development, implementation, and maintenance (e.g., cybersecurity policies are updated to meet new regulatory requirements). Operational metrics measure (as the name implies) the performance of various operational components of the information protection program; the number of cybersecurity incidents per reporting period is an excellent example. And compliance metrics measure individuals’ compliance with program requirements. Such metrics may measure, for example, whether employees are observing required data security protocols when sending sensitive customer information to a third party for processing. In general, the trend for many of these metrics is toward the measurement of outcomes; metrics that demonstrate a company’s frequent intrusion detection scanning are not helpful if the outcome is still a high number of intrusions each year.

Regardless of whether your organization is seeking to measure programmatic, operational, or compliance aspects of your cybersecurity program, the metrics that you design must be clearly defined and meaningful and measure progress against a clearly stated objective. A properly implemented metrics program helps leadership ascertain initial uptake and improve the compliance with—and performance of—a well-designed cybersecurity program.

Another challenge for effective implementation of cybersecurity compliance and controls—and one that must be closely monitored by the board—is resource allocation. The recognition of data as a highly valued business asset is clearly established; its value is verified on a daily basis by those who seek to gain access to business networks and view, remove, or otherwise exploit the data residing there. However, resources allocated to cybersecurity are still frequently an IT line item, rather than an enterprise-wide issue. Businesses operating in this environment of perpetually evolving digital risks must recognize that data security is no longer a cost of doing business; it is a core component of remaining in business. As such, budgets must be allocated appropriately to meet the risks. Budgets vary according to business type, data types and sensitivity, volume of data, sharing with third parties, and any number of other risk factors that must be considered by the board and executives. The budgeting process has to enable the company not only to get the right people and processes in place but also to implement technology that truly addresses the security needs of the organization. This process requires commitment from the C-suite and oversight from a board that understands the importance of cybersecurity.

Cybersecurity budgeting also must include dedicated resources for training of personnel. As mentioned above, the human element is frequently the weakest link in an otherwise solid data security program. Staff must have the resources they need to be trained not only to be proactive in taking steps to safeguard data but also to recognize attempts by unauthorized parties trying to gain network access. Phishing, for example, remains a remarkably effective tool for gaining credentials that open a door to the network and the data therein, and inadequate training may increase a company’s vulnerability to phishing attacks. Regulators know this and expect board members providing cybersecurity oversight to know, too.

The board and C-suite also must bear in mind that successful initial implementation of a cybersecurity program does not necessarily lead to a cybersecurity program that has longevity. Ongoing success is largely dependent on top-down involvement by the board and active management by the C-suite. The board should be apprised regularly of data security incidents and emerging data risks, as well as changes to the regulatory environment. An actively informed and involved board, working in harmony with the C-suite, enables agile enterprise-wide response to evolving threats and appropriate upkeep and improvement of a robust cybersecurity program.

Conclusion

Today’s cybersecurity risks affect organizations of all sizes and across industries and lead to not only IT headaches but also headaches for the entire business. Companies are increasingly put into the unenviable position of needing to put up shields against a variety of cyberthreats, knowing that no defense can provide perfect protection. However, the C-suite nevertheless must strive to employ strong cybersecurity compliance and control measures that go beyond mechanical satisfaction of applicable legal rules, and the board has an obligation to ensure that these measures are being adopted. Only with consistent C-suite involvement and strong board oversight—informed by an understanding of data risk as a central enterprise risk—can cybersecurity challenges be handled effectively.

References

1. See NIST, “Framework for Improving Critical Infrastructure Cybersecurity” (2014) (defining “cybersecurity”). Of course there are many definitions of “cybersecurity”; the NIST definition adapted here is just a recent American example.

2. For example, some regulators require certain data to be encrypted while many others do not. See, e.g., 201 Mass. Code Regs. § 17.00 (2009).

3. See International Compliance Association, “What is Compliance?,” available at http://www.int-comp.org/faqs-compliance-regulatory-environment.