What are your business's true cybersecurity needs? If you start any business, it is important to do a risk analysis of what could be exposed online today. CTI Inc is ready to help you with your cybersecurity needs. Read more about cybersecurity and risk management by Peter High from Forbes.com.
by Peter High
James Lam has been an advisor to boards on matters of risk management and mitigation for roughly 25 years. He has been the Chief Risk Officer at GE Capital Markets Services and Fidelity Investments. He was a partner at Oliver Wyman and started ERisk under its auspices. That unit would later be sold to SunGard. He started an eponymous risk management company in 2002. Since then, he has served on the boards of several companies including E*TRADE Financial Corporation, where he is the chair of the risk oversight committee, as well as a member of the audit committee.
Given his deep experience in advising companies on how best to de-risk the enterprise, I wanted to find out what advice he would offer to boards and to management teams. For instance, he notes that his top five recommendations for boards to consider in their oversight roles are:
- Double down, or triple down, on the basics
- Establish a cybersecurity risk policy with clear risk appetite statements
- Ask for an effective risk report with qualitative assessments and quantitative analytics
- Provide credible challenge and oversight of the cybersecurity program
- Focus on people and culture
He provides thoughts on each of these and many other suggestions in this interview.
Peter High: How much time and attention on boards is spent discussing cyber-security and how has that changed over the course of your time as a board member?
James Lam: I’ve been a public company director for five years now. During this period, I’ve served as Chair of the Risk Oversight Committee at E*TRADE Financial and also a member of the Audit Committee. In the last five years, there has been a significant increase in general awareness, as well as the time and attention spent on cybersecurity. I am also active in the National Association of Corporate Directors and other director groups so I can tell you that this is happening not only on our board but across the boardroom community. Cybersecurity used to be discussed once or twice a year and now it is discussed in nearly every board and/or committee meeting.
We have all seen the headline cyber breaches and the severe organizational, financial, and reputational consequences. Unfortunately, cybercriminals and their weapons and attack strategies have increased, and will continue to increase, in sophistication. Consider that the cost of cybercrime is estimated to increase from $500 billion today to $2.1 trillion in 2019. At that level, it would rank as a top 10 country in GDP! So the attack means and economic ends are there. Cybercrime will be an existential risk, for businesses and society at large, that we will have to deal with for many years to come.
High: To what extent are the breaches of other companies covered?
Lam: One of the most important lessons that my father taught me is that “a smart man learns from his own mistakes, a wise man learns from the mistakes of others, and a fool never learns.” I have always applied this lesson in enterprise risk management (ERM), as a chief risk officer, as a consultant, and more recently, as a director. There is a learning opportunity in any risk or loss event, whether it happened within or without a company. We would be foolish not to systematically capture them.
Whenever there is a significant breach the board should always ask: What do we know about what happened and the underlying root causes? Do we have similar vulnerabilities and could that happen here? What are the lessons we should learn with respect to our cybersecurity program? What actions and decisions should we consider based on this review?
High: Do boards have a full appreciation of the need to play offense and defense, and that if the bad guys have you in their cross-hairs, their smarts and the level of financial backing behind many of them may mean it is only a matter of time before they are in? If so, are scenario analyses, disaster recovery, and business continuity plans discussed, and what are the best practices in undertaking these exercises?
Finally, the board should make sure that a crisis communication plan is in place to deal with an actual breach. This includes roles and responsibilities to escalate and communicate within the organization, as well as with external stakeholders including law enforcement, regulators, customers, business partners and vendors, and the general public.
High: As a board member, what else do you hope to hear from CIOs or CISOs? Conversely, what is less important?
Lam: As with any other risk, cybersecurity is management’s job. The board should provide risk governance and oversight. In order to do our job, we need concise and useful risk reporting from management, including the CIO, CISO, and the chief risk officer if one exists. My long-held view is that qualitative risk assessments and heat maps are over-reported and not very useful for board-level risk monitoring.
I would like to see more cyber risk metrics and analyses, including expert commentary from the CIO and CISO, on the threat environment, risk exposures against risk tolerance levels, and effectiveness of key controls. I would also like to see assurance metrics on overall program effectiveness and early-warning signals on future threats.
High: You are not a big believer in the common practice of measuring cybersecurity maturity against the NIST framework. Why is that, and what do you think is the better means of gauging preparedness?
Lam: A more mature program doesn’t always mean a more effective program. Cybersecurity maturity frameworks such as NIST and ISO 27001 can be very useful tools to benchmark a company’s current cybersecurity program against best-practice standards. This assessment can inform the company on developing its cybersecurity plan and roadmap. However, directors should be more concerned about program effectiveness and overall preparedness (output) and not just program maturity and control components (input).
These frameworks do not fully meet the needs of the board. Consider the five components of NIST: protect, identify, detect, respond, and recover. These are the processes that the CIO or CISO must develop and implement. Directors are also concerned with key questions that are not addressed by NIST: How does the cybersecurity program align with the overall business strategy? What is our cybersecurity risk policy and risk appetite? How do we quantify and report on cyber risk exposures and trends? And most importantly, how do we know if our overall cybersecurity program is working effectively?
High: You believe that the definition of “risk” is fundamentally different for CISOs and board members. Please explain.
Lam: CISOs often see cyber risk strictly as a security or technology issue, while board members think of it as a business issue and an integral part of the overall ERM program. A security-based risk aversion approach taken by many CISOs often leads to a mindset that says “more is better” so let’s “buy one of everything.” A business-based ERM approach taken by board members would consider the opportunity side of operating in the digital economy, and that includes opportunities for business innovation, better customer experience, and profit growth. The board also needs to consider cyber risk in the broader context of other enterprise risks, and determine if the allocation of risk budgets and resources is appropriate.
High: What role do you see artificial intelligence playing in better managing security?
Lam: I believe the field of artificial intelligence holds significant promise for cybersecurity and overall ERM. That opportunity is here today. More and more data are being created and stored on customer behavior, employee behavior, and yes, adversary behavior. The question is how to turn that deluge of data into actionable intelligence.
In the coming years, AI will dramatically reduce the cost while increasing the efficacy of all types of prediction models. With cybersecurity, AI can extract a vast amount of internal and external data, identify network vulnerabilities, and predict the likelihood of breach across the company’s network. People risk, including employees and contractors, is the most critical element in cybersecurity. AI can support behavioral analytics to identify undesirable patterns of behavior by individuals or groups. Moreover, AI can more rapidly detect cyber breaches including the origin and root cause of the compromise.
High: Are there top five recommendations you have to better secure the enterprise?
Lam: Here are my top five recommendations for boards to consider in their oversight roles:
- Double down, or triple down, on the basics. Many companies underinvest in basic cyber hygiene while the vast majority of breaches take advantage of these fundamental controls. Directors should ask tough questions about policies and controls related to passwords (including multi-factor authentication and privileged access), updates and patches from software vendors, employee education on phishing, and penetration testing and red team exercises.
- Establish a cybersecurity risk policy with clear risk appetite statements. Cyber risk represents a clear and present danger. An aspirational policy with general guidelines is inadequate. An effective policy must have clear definitions for cyber risk exposures and risk tolerance levels. Directors should expect management to clearly define its cybersecurity strategy, plan, and policy, including quantitative definitions of risk appetite.
- Ask for an effective risk report with qualitative assessments and quantitative analytics. A recent survey found that 91 percent of boards cannot interpret their cyber report. Shame on management, not the board. It is management’s job to report to their board in ways that are clear and understandable. A board-level cyber risk report should include commentary and metrics on the threat environment, risk exposures against risk tolerance levels, and effectiveness of key controls and the overall cybersecurity program.
- Provide credible challenge and oversight of the cybersecurity program. Management makes business decisions about how much cyber risk the company is willing to accept in pursuit of its strategy and objectives. The role of the board is to provide governance and oversight, including credible challenge on key policies and decisions. To fulfill this critical role, the board should have adequate access to cyber expertise and obtain assurance on their own security and the security of their key vendors. This assurance may include a third-party assessment or using a security rating service like BitSight. (Disclosure: I am a BitSight advisor.)
- Focus on people and culture. In the final analysis, cyber preparedness is all about people. Employee behavior is likely to be more important than the cybersecurity policies, processes, and systems combined. Directors should pay more attention to the training, communication, and testing programs, as well as employee and contractor behavior. This will help the board monitor the company’s overall risk culture.