Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
4. Board of Directors Exposure
• Target
– 4 shareholder derivative lawsuits filed against directors, naming 13 directors and officers, asserting breach of fiduciary duty and waste of corporate assets.
• Wyndham
– Lawsuit dismissed; directors showed a reasonable investigation
Make data privacy and data security, and the resources devoted to these areas, a regular topic of discussion at board meetings.*
* Hogan Lovells, Chronicle of Data Protection, 1/23/15
5. Sample Concerns Driving Boardroom Conversations
• Verizon 2013 Data Breach Report – 162 companies
– Size doesn’t matter: more than 50% had fewer than 1,000 workers
– SMBs see security as a medium-to-high priority
• Only 75% admitted to sufficient knowledge to assess it
– For 1/3 of the companies, the security budget is less than 10% of the total IT budget
• Mandiant Threat Report – 2014
– 2/3 of breached companies were notified by external parties
– 229 days on average to detect a breach (an improvement of 13 days)
– 44% of phishing emails impersonate internal IT
– Political threats: for example, the Syrian Electronic Army
– Iran: targeted Saudi Aramco and RasGas
6. [Slide graphic: boardroom speech bubbles] “Sales growth is healthy.” “Effective controls are in place.” “Manufacturing safety metrics are in line.” “What about cyber security?”
“Given the significant cyber-attacks that are occurring with disturbing frequency, and the mounting evidence that companies of all shapes and sizes are increasingly under a constant threat of potentially disastrous cyber-attacks, ensuring the adequacy of a company’s cyber security measures needs to be a critical part of a board of directors’ risk oversight responsibilities.”
SEC Commissioner Luis A. Aguilar, June 2014
7. National Association of Corporate Directors (NACD)
Five principles:
1. Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
2. Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.
3. Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
4. Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
5. Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.
8. Six Questions the Board Should Ask*:
1. Does the organization use a security framework (e.g., ISO 27001)?
2. What are the top five risks the organization has related to cybersecurity?
3. How are employees made aware of their role related to cybersecurity?
4. Are external and internal threats considered when planning cybersecurity program activities?
5. How is security governance managed within the organization?
6. In the event of a serious breach, has management developed a robust response protocol?
* Institute of Internal Auditors Research Foundation
Editor's Notes
What our boards hear…
How we sound to business management…
Why boards are increasingly concerned!
Not just a ‘big company problem’
Threats are increasing and more difficult to detect
What boards do… and, according to SEC Commissioner Luis Aguilar, SHOULD do
Reference guidance for directors…
Practical tips for directors from the Institute of Internal Auditors Research Foundation