The Value of Risk Committees and Board Security Engagement
While at this year’s RSA Conference, I had the chance to have a conversation with Catherine Allen, chairman and CEO of strategic consulting firm The Santa Fe Group and a cybersecurity visionary. She is also the chairman and CEO of Shared Assessments, a collective group that provides thought leadership on third-party risks. Shared Assessments just released a study focusing on vendor risk management, but our conversation focused on boards of directors and how to have a successful approach to risk management and cybersecurity.
Strong Engagement Results in Better Risk Management
First, let’s talk a little about the Shared Assessments study, “Vendor Risk Management (VRM) Benchmark.” One of the most important findings is the strong correlation between engagement at the board of directors level and VRM program maturity—more than half of the organizations reporting high levels of board engagement also report advanced VRM programs. The study also found that, maybe to no surprise, the tech and insurance industries are the best at VRM.
But one area where all industries have pain points is resource allocation. And this is an area where security-savvy boards can make a big impact in ensuring their organization is meeting the challenges of third parties and beyond.
Allen is well familiar with boards of directors, not only from a cybersecurity point of view but also from her experience sitting on multiple boards. One thing she’s learned is that boards that talk openly about third-party risks and the security risks of the internet of things (IoT), or that have risk committees, tend to belong to organizations that are more security mature. Unfortunately, these conversations are happening only among a small percentage of boards, and those are boards of companies that already have a higher than average awareness of cybersecurity and third-party risks, such as the financial industry. Plus, many of those boards are adding risk committees because they are legally bound to.
Why Risk Committees Have Value
Many boards already have an audit committee, which is most likely made up of people with finance experience. The issue there, said Allen, is that these audit committees are often tasked to handle cybersecurity, operational risks, technology risks and regulations, but they don’t have the expertise in any of these areas.
“If you set up a risk committee on a board,” Allen explained, “usually you’ll have one or two cyber-savvy members, if not experts. Then, when the other members are sitting through these meetings, you end up educating the board. You are helping to get them more savvy on cybersecurity, technology, even geo-political risks.” Having a risk committee is a good predictor that boards are talking about these important issues.
Allen also pointed out the advantages of including the organization’s CISO as part of the agenda for the risk committee and the entire board. This should be considered a security best practice for any company. On the boards she serves on, the CISO reports as an individual entity, without any other C-level executives present, so the board can press for honest answers. “We ask if they are getting the budget they need or is it reallocated somewhere else,” she said. “Just like many boards have the chief risk officer or the chief financial officer do that, having the CISO means you are elevating the concerns of cybersecurity.”
IoT Risk and Boards
A relatively new challenge for boards of directors is IoT. Most board members don’t have any idea what devices are connected to the organization’s network. Most companies—even the more security-sophisticated ones—haven’t created an IoT strategy or developed a proactive understanding of what connects.
Along with IoT, Allen warned that boards need to think more about the operational technology/information technology (OT/IT) and industrial internet of things (IIoT) within the critical infrastructure and other essential services.
“We have IT, but we think about that mostly in terms of data or financials,” Allen said. “We haven’t really focused on manufacturing or control systems or anywhere computers are used in operations.”
There is a need for a culture of communication between those who run those systems and executives. Boards also need to be part of that line of communication to help facilitate better security.
Boards need to have discussions on where the threats to the IoT/OT systems are coming from and what the threat actors are looking for. It isn’t just cybercriminals, but nation-states wanting to shut systems down to do serious damage. “Boards are beginning to understand that adversaries are changing and are changing their target. This broadens risks for the company.”
When it comes to cybersecurity and vendor risk management, boards of directors need a mechanism for discussion so they understand the dangers out there and the impact they can have on the organization. Scenario analysis could start these discussions—the scenarios may be hypothetical or they could be based on a crisis experienced by a peer organization—but the more board members know about the impact of threats, the more likely they are to be engaged in prevention and risk management. And, as the study shows, the more involved the board is with risk management, the more mature the organization’s security program is.