Boards of directors, managers at center of cybersecurity handbook for industry

The server room might be an obvious choice for a starting point when it comes to protecting your company’s cyber networks, but the National Association of Corporate Directors says the best place to begin is in the board room.

The newest edition of the NACD’s Cyber-Risk Oversight handbook, released Jan. 12, advises private sector managers and boards of directors to “strike the appropriate balance between protecting the security of the organization and mitigating downside losses, while continuing to ensure profitability and growth in a competitive environment.”

The handbook also encourages  industry to take advantage of available government resources, advice that was stressed during an event at the National Press Club in Washington, D.C. to announce the handbook’s publication.

“The handbook can act as your guide and DHS can also be there to help,” said Danny Toler, acting Assistant Secretary in the Homeland Security Department’s Office of Cybersecurity and Communications. “DHS operates based on three lines of effort: we gather, maintain and contribute industry best practices that help organizations evaluate their cyber risk and prepare for a cyber incident.”

Advertisement

Adam Hickey, deputy assistant Attorney General for the Justice Department’s National Security Division, referenced the handbook when he said that half the time, victims only learn about a cyber attack because law enforcement brings it to their attention.

“Law enforcement can offer more than just bad news,” Hickey said. “Our goal is to help companies better understand the threat that they face before an intrusion occurs, and after an incident, in addition to helping a company understand what happened on its network so it can better secure it, we seek to hold perpetrators accountable.”

Stakeholders are looking at more than just prevention, but response and resilience, Hickey said. That includes how quickly a company can get back to business as usual, and also “whether you’re working with law enforcement.”

“It shows you’re doing everything you can to understand and address the incident,” Hickey said. “For this reason we encourage companies to develop relationships with the FBI, DOJ, DHS, before you need us. I think the handbook makes a compelling case for doing so.”

The handbook builds on the work of the original 2014 publication, but includes some updates for today’s cybersecurity.

“We have added to [the handbook] substantially by updating information on the threat picture, the expansion of nation-state attacks, the Internet of Things, ransomware issues,” said Internet Security Alliance CEO Larry Clinton, who prepared the handbook. “We also have  gone into cyber risk in a good deal more detail. There are actually multiple different sorts of cyber risks that a board needs to consider. There’s the obvious data corruption or loss issue but there’s also legal compliance risks, and then there are also reputation risks. Actually each of these risks should be dealt with by the board in slightly different ways. We’ve tried to delineate that. The last major addition is a big expansion of the tools that we provide to the board.”

The handbook includes samples of cyber-risk dashboards, board-level cybersecurity metrics, and a section on federal cybersecurity resources, as well as a separate section on DHS resources.

The DHS resources include information on best practices like the National Institute of Standards and Technology Cybersecurity Framework, Automated Indicator Sharing, and contact information for incident response.

Answering a reporter’s question, Toler said if DHS joins a preventative or post-incident effort with a company, “right up front the private sector entity knows what we’re going to do, it needs to feel comfortable with that or the engagement doesn’t happen,.”

“We can actually go into there and do preliminary examinations of the infrastructure to identify vulnerabilities and give recommendations on closing those,” Toler said. “When we enter those types of engagements there are absolutely agreements in advance on how any information that comes out of that engagement will be treated.”

Enterprise-wide risk management

Along with looking at federal resources, the handbook also reminds companies to shore up defenses and preventative measures within its walls.

One of central thrusts of the guide is the private sector needs to be focused on “cybersecurity on the front end, not just on the backend,” Clinton said.

“Now when we talk about tools at the board level, we’re not talking about ISO standards and NIST frameworks at the IT operation level, but what are the questions that a board needs to be thinking of when they’re doing a merger, what are the cybersecurity questions a board needs to be asking when they’re doing a merger, and when they’re launching a new supply chain, a new product, developing a new strategic partnership,” Clinton said. “We think if we can get cybersecurity integrated at the front end of these business conversations, that will lead to a much more enterprisewide risk management approach to the issue.”

In terms of legal implications, a board needs to prepare for a potentially high-profile attack, which not only can create lawsuits, but can harm a company’s reputation.

The handbook encourages boards to try cyberbreach simulations and keep up to date on privacy and data laws, and required disclosures for information sharing.

Another thing to consider is that no matter how internally secure a company might be, as soon as it connects with a third party or supply chain, it can open itself up to attacks if those business partners aren’t secure.

“Directors should ensure that management is assessing cybersecurity not only has it relates to the organization’s own networks, but also with regard to the larger ecosystem in which it operates,” the handbook stated. “Progressive boards will engage management in a discussion of the varying levels of risk that exist in the company’s ecosphere and take them into consideration as they calculate the appropriate cyber-risk posture and tolerance for their own corporation.”