As Cyber Crisis Mounts, CISOs and Boards Must Learn to Communicate
There is an urgent need for clear communication between enterprise security teams and business leaders. Former national cybersecurity commissioner and seasoned board director Maggie Wilderotter knows how to walk that talk.
With the world bracing for cyberattacks from Russia in retaliation for Western sanctions, the need for effective communication between enterprise security leaders and the executives they report to has never been greater.
But that communication is easier said than done. In a new report by Harvard Business Review Analytic Services, in partnership with Tanium, a third of respondents surveyed say their senior executives receive only ad hoc updates from security leaders on issues like sensitive data monitoring and data protection.
Thanks to a rapidly changing, complex IT environment, cybersecurity has never been more complicated. And it’s been made worse by tools that are disconnected from risk analysis and security performance, according to the HBR report.
That means two things: Cybersecurity professionals struggle to explain cyber risk in a language that business leaders and boards can understand. In turn, business leaders and board members are not getting the information they need to make smart choices regarding network risk and business resilience.
Given the urgency for both sides in this equation to come together, Endpoint decided to look back at an important conversation we had last spring with Maggie Wilderotter. She has been addressing these issues in the C-suite and boardroom for a long time as a former CEO of telecom Frontier Communications, a member of President Barack Obama’s Commission on Enhancing National Cybersecurity, and one of Fortune magazine’s “50 Most Powerful Women in Business”—an honor she’s received four times. She has also served as a member of more than 32 public- and private-sector boards, the first when she was 28.
Here, she discusses the business challenges posed by cyber threats, the need for regular—and frequent—cyber check-ins, and the importance of public and private collaboration.
(The following interview ran in May 2021.)
What role should boards play in navigating cyber threats?
Boards have to play an active role. Part of a board’s work is to make sure we mitigate risks and that we understand what the top risks of the company are. We have to understand what the company is doing about managing that risk.
And we have to ensure that governance and transparency satisfy the needs, not just of the company’s shareholders but also of its stakeholders. That includes its customers, government affiliations, and other businesses that rely on the company in their supply chain.
For instance, I chair three public company audit committees. We are in charge of risk oversight on behalf of the board, which has ultimate oversight responsibility. Some public company boards actually have a cybertechnology committee. Cyber is a review we do every quarter at the audit committee level, and we do a deep dive with the board once a year. But a lot of that is based upon what we know, not what we don’t know.
What are the challenges in providing security oversight?
We’re still dealing with a lot of networks that are legacy. The processes and capabilities of those networks don’t necessarily lend themselves to resisting the sophistication of today’s cyberattacks. Transforming those networks takes time, effort, money, and other resources.
So, everybody, I think, plays more catch-up than we do getting ahead of it. And when it comes to legacy systems, there’s a lot of hesitancy to even touch them because organizations don’t want to experience the downtime or because it’s expensive. But you just have to bite the bullet and do it.
What’s happened over time is when a new cyber vulnerability is discovered, companies wind up buying a point solution instead of thinking about utilizing a platform that can be expanded to solve a problem. So over time, companies wind up with multiple point solutions, and none of them are integrated or talk to each other.
Company CTOs, your CIOs and CISOs, have chosen these solutions and implemented them. Then, over time, companies realize that unless solutions are integrated properly, they’re really not protected. With a large set of point solutions, the technology leaders are not quick to replace them because of the investments made to install and utilize them in their systems.
It would also make those leaders look less competent in their decisions for having implemented these point solutions in the first place. CIO and CISO tenure is already short for large enterprise companies. So, the pressure is to “live with” a less than adequate solution set.
How does a company solve this problem?
The solution is to have the senior leadership—including the CEO, CFO, and COO—as well as the board ready to give permission to replace these point solutions with platforms that can be leveraged with multiple application solutions that are fully integrated.
Then these platforms can give horizontal linkages across all facets of the company for visibility, vulnerability testing, and—for that key defense—isolation when something does happen. And if something happens, a breach or other malicious activity, you must have a system that can give you facts so you can act fast. Attacks will continue to morph and get more sophisticated. The cost of the Colonial Pipeline breach was $44 million, significant but below the $200 million average cost of a breach for large enterprises.
Today, boards are looking for cyber and technology expertise, and if they don’t have it themselves, they are looking to outside consultants, industry partnerships, and think tanks to educate themselves.
Has the federal government done enough to make businesses understand how serious the threat is, and to offer businesses the support they need?
One of the things government has not done, and I think private enterprise would really love, is to look at cybercrimes as an act of war.
What do I mean? The catalyst for all this was the Sony attack from North Korea. [In 2014, North Korea hacked Sony Pictures’ corporate IT system after the studio released a Seth Rogen film parodying North Korea’s leader, Kim Jong-un.]
We are now seeing foreign actors with ransomware freezing company assets. These are acts of war. These attacks amount to one nation trying to destroy the economy of another nation.
Who in the government should be responsible for this?
There are a lot of government agencies that have some cybersecurity responsibility, but a more cohesive plan or program should be put in place. A more proactive collaboration between the public and private sector is really needed. I ran a telecom for 12 years. Telecom is highly regulated.
The industry holds a lot of people’s personal communications information. Our governing agency is the FCC, and they have a great track record in consumer protection. The other regulated industry with strong cyber-regulatory oversight is the financial industry, which includes large and regional banks.
So, there are best practices out there to use as a starting point for public-private partnerships to put capability in place for cybersecurity and ensure it’s shared with software supply chains, which are spread across the globe and are not always very sophisticated in their security. That would go a long way toward better protection and detection.