What every CIO needs to know about cyber resilience
In January 2017, the World Economic Forum (WEF), known for its meeting of the global elite in Davos, Switzerland, released a special report, Advancing Cyber-Resilience: Principles and Tools for Boards, which outlines why board directors need to pay special attention to the concept of cyber-resilience. The report is a valuable tool for CIOs who want to improve their level of engagement with top leadership and the board on cyber issues, because it is an external guide written specifically for top leadership and boards.
Bohmayr & Türk, from the Boston Consulting Group, write that “cyber-resilience in an organization must extend beyond the technical IT domain to the domains of people, culture and processes. A company’s protective strategies and practices should apply to everything the company does — to every process on every level, across departments, units and borders, in order to foster an appropriately security-conscious culture.” They further elaborate on the key role that boards are to play on this issue: “ultimate responsibility for cyber-resilience rests squarely on the shoulders of boards and senior executives.”
The issue of board responsibility and oversight of cyber risks isn't new. In 2015, the Cybersecurity Disclosure Act of 2015 (S. 2410) was introduced in the US Senate. The bill would have required "public companies to disclose whether any board member has experience or expertise in cybersecurity, and to describe the nature of that background" and, where no board director had cybersecurity expertise, to explain why such expertise was considered unnecessary. The bill was not acted on, but it has recently resurfaced as the Cybersecurity Disclosure Act of 2017 (S. 536), with bipartisan support.
What’s in the cyber-resilience report?
Lori Bailey, from Zurich Insurance, a member of the working group that issued the report, summarizes the value of the report: the “toolkit provides tangible steps that organizations can take to advance their cyber resilience.”
The report contains:
- Terms and definitions to ensure everyone is on the same page.
- Recommendations on using the principles and tools.
- Board Principles for Cyber-Resilience — a primer for board directors.
- Cyber Principle Toolkits — go more in-depth into each of the principles, and provide key questions that boards should ask to engage with top leadership, including CIOs and CISOs.
- The Board Cyber Risk Framework — to enable boards to better understand and review their organization’s cyber risks and ensure integration with a larger enterprise risk management framework.
What are the main principles?
The report first outlines each of the ten principles below, then provides actionable advice in the form of questions for boards to consider:
- Responsibility for cyber-resilience, reminding boards of their ultimate responsibility for this topic. Questions include the board structure for oversight of this issue (e.g. full-board versus audit committee), frequency of discussions of cyber, and the existence of regulatory pressures.
- Command of the subject, which urges boards to ensure they have the right level of background knowledge on cyber risks to make informed decisions. Questions include whether the board has this knowledge internally, whether it receives regular updates from management (CIO/CISO), and whether it has access to qualified external expertise.
- That the board has designated an accountable officer (CIO/CISO) for the management of cyber risks and cyber-resilience, and that this person has "regular board access, sufficient authority, command of the subject matter, experience and resources to fulfil these duties." Questions include reviewing the roles and responsibilities of this officer, the organizational and reporting structure (e.g. "does the accountable officer have sufficient independence from IT"), and whether the officer has sufficient authority and influence to drive changes in the organization.
- That the notions of cyber-resilience and cyber risk assessment are integrated into the fabric of the business, including resource allocation, budgets, and the overall enterprise risk management framework. Questions include how the organization governs cyber risks, the level of involvement from the board, and the level of integration of cyber concepts in every business decision.
- Setting the risk appetite of the organization, by defining and quantifying the (cyber) risk tolerance level. Questions asked include the organization’s approach to setting and reviewing its risk appetite as well as external communications related to the risk appetite (e.g. to shareholders and customers).
- That the board holds management accountable for assessing, quantifying, and reporting cyber risks. Questions also cover whether the organization is developing an appropriate security culture, and the extent to which risks posed by third-party vendors are properly accounted for.
- That the organization develops cyber-resilience plans, and then properly implements, tests, and improves those plans. Questions cover business continuity and disaster recovery, and whether the plans are cross-functional, tested regularly, and adjusted when appropriate.
- That the board considers the full implications of cyber-resilience from a community perspective: both the organization's own impact on its clients, given its position in the supply chain, and the risks that third-party vendors pose to the organization's business objectives and brand reputation. Questions include identifying and implementing industry best practices, and reviewing and implementing appropriate channels for sharing information (threats, indicators).
- That boards oversee regular independent reviews of the organization’s cyber resilience plans and activities. Questions cover the selection and qualification of the reviewers, the risks of participating in such a review, the scoping of the review, and the role played by other review activities such as internal and external security audits.
- Finally, that the board oversees the effectiveness of the organization's cyber-resilience efforts, including the board's own performance. Questions include how the board assesses the quality and relevance of the information provided by management, whether the board's own structure supports the right level of oversight of the topic, and the extent to which cyber risks and cyber-resilience play a role in the selection of new board members.
How can CIOs best use it?
The report is valuable to CIOs in two key ways:
- The report gives CIOs an external, high-value report written by business leaders for business leaders, which CIOs can readily share with their organization's management and board. In doing so, CIOs open the door to better dialogue and position themselves to provide a more strategic, advisory perspective on the organization's decision-making and overall handling of cyber risks.
- The report gives CIOs a list of key questions they should be ready to answer, so they are not blindsided by cybersecurity-related questions. With this report in hand, CIOs can be more proactive in raising key issues with management, sharing the organization's approach to risk management with the board, and discussing risk appetite with the board in order to allocate resources and prioritize security-related activities.
Together with pressure from regulators, the brand impact of data breaches and high-visibility class-action suits have brought cyber risks and cyber-resilience to the forefront of the board's agenda. In turn, boards are increasing their involvement in and oversight of these issues. By leveraging the ten principles in the WEF's cyber-resilience report, CIOs can help their organizations pursue business opportunities with a clear understanding of their cyber-resilience posture.