Black Hat 2018: 6 Execs On What The Boardroom Overlooks Around Cybersecurity Strategy

Keeping Their Eye On The Ball

Members of Equifax's board of directors faced fierce opposition to their reelection this year as a result of the summer 2017 data breach that caused the personal information of nearly 147 million U.S. citizens to be exposed. The high level of investor dissatisfaction with Equifax's directors underscores the consequences for board members that don't give sufficient attention to cybersecurity.

So how specifically should board members get more involved? At Black Hat 2018, CRN asked that question of six CEOs and technical leaders, who strongly encouraged directors to get take a deeper look at data privacy, breach simulation exercises, and open-source libraries that supply code for software.

Here are six elements of cybersecurity strategy that industry leaders attending Black Hat 2018 feel the boardroom needs to probe more deeply.

Open-Source Libraries

Companies face the prospect of being breached due to the risk inherited from open-source libraries, according to Veracode Vice President of Research Chris Eng. This was a total blind spot to security professionals as recently as five or six years ago, Eng said, and developers are still very unlikely to think about or update the library they're using to obtain pieces of code.

"Software ages like milk, not like wine," Eng said. "The longer it's out there, the worse and worse it [the security] gets."

Board members rarely ask direct questions about the security risk related to items that are being borrowed or inherited, Eng said, though it's starting to become an area of interest for CISOs.

The industry typically thinks about third-party risk in the context of vendors or contractors an organization works with, but Eng said consideration also needs to be given to where the software and code being used to run a company's applications are coming from.

Data Privacy

Data security isn't typically a board-level topic until the privacy elements are brought to bear through legislation such as GDPR or California's privacy regulations, according to John Delk, general manager of Micro Focus' Security and Information Management and Governance Product Groups.

As boards start to discuss how personally identifiable information is being stored and transmitted and where it's being made available, Delk said directors sometimes end up having broader conversations around encryption and lifecycle management.

Organizations are increasingly creating a chief data officer position that serves as a proxy to the board around setting up a privacy policy, understanding how to implement controls, and maintaining a lifecycle view over potentially sensitive data, Delk said.

From there, the IT organization or others downstream in the organizations are tasked with picking the right privacy tools and stitching those together in a way that adheres to the control framework put in place by the C-suite, according to Delk.

Breach Simulation Exercises

Organizations should have a separate management chain in place when a breach occurs to ensure the business continues to function like a well-oiled machine, according to Alissa Johnson, Xerox's chief information security officer. In order to create muscle memory and the appropriate context, Johnson said companies need to regularly practice and walk through what their breach response plan looks like.

Over time, Johnson expects boards to demand more information about their organization's breach simulation exercises, requesting information on what type of data the simulation focused on to ensure the company is prepared for an event regardless of the data stream that's ultimately impacted. Metrics around this will be important, Johnson said, and practicing just once a year isn't frequent enough.

As boards become more involved with breach managements, Johnson said CISOs will be tasked with keeping boards up to date on organizational preparedness. Companies that fall victim to a data breach are typically graded on their response, Johnson said, and having a quality breach response plan in place signals to the world that the business is prepared.

Quantifying Risk

In order to reduce an organization's cybersecurity exposure, the company must first find a way to measure their risk, and then put controls and policies in place to reduce it, according to Digital Guardian Vice President of Global Channels Marcus Brown.

For this reason, Brown said boards have started to establish their own cyber risk committees to a get a sense of precisely what risks exist within their organization and ensure the right remediation processes are in place. The formation of cyber risk committees, though, has typically been limited to Fortune 500 or more mature companies, Brown said.

Brown said board members should understand where their company's digital assets reside, who has access to them, the path on which those assets most regularly migrate, and what could put those assets at risk. Given that most companies have a combination of personal customer info and intellectual property in their ecosystems, Brown said the board should be involved in the breach planning process.

Benchmarking Performance

Cybersecurity strategy in the boardroom is often dictated by focusing on a specific incident or service interruption, particularly ones that are experienced by competitors, according to BitSight President and CEO Tom Turner.

To get out of a reactive posture, Turner recommends that board members establish performance benchmarks for cybersecurity and risk management similar to the ones they have in areas such as sales, marketing and inventory.

Specifically, Turner said boards should measure their corporate governance and security controls against an industry framework such as NIST [National Institute of Standards and Technology] as well as members of their peer group. He recommended that boards focus on how effective their organizations are at protecting external-facing infrastructure through measures such as patching.

Danger To Overall Business

Businesses that look at cybersecurity as solely an IT problem tend to believe it can be solved through IT-related actions such as putting a backup policy in place or doing backups more frequently, according to according to Cybereason Co-Founder and CEO Lior Div.

But given that hackers keep evolving and changing their modus operandi, Div said cybersecurity is less about coming up with a grand solution and more about understanding what level of risk a business is willing to consume and how to categorize the various risks their company faces.

Boards should map out the ramifications of the most significant threats they face, Div said, and once that's done, go back and figure out how each of those risk factors can be mitigated.

For instance, a ransomware attack against a hospital could result in their computers not working, which Div said would be a disaster since it would essentially render the facility non-operational since they would be unable to serve patients.