Is Your Boardroom The Weakest Cybersecurity Link?
By Bob Zukis
From phishing to ransomware, one of the primary challenges with effective cybersecurity risk management is related to the weakest link theory. The essence of this theory is the phrase “a chain is no stronger than its weakest link.” This idiom reflects the fact that effective cybersecurity risk management is a complex system of related and inter-dependent parts. If one component fails, it can jeopardize the entire system.
For many companies, their weakest cybersecurity link is at the top, in their boardroom.
First American Title was recently the inaugural recipient of an enforcement action under New York’s new cybersecurity regulation introduced in 2017 for the financial services industry. Known as 23 NYCRR 500, this litmus test will almost surely bring to light the fact that First American Title had tasked its audit committee with cybersecurity risk oversight and that no one on that committee had any cybersecurity experience. Legal action on major data breaches typically looks at the role and performance of the board pre and post-breach, making the boardroom an integral link in the cybersecurity chain.
Viewing cybersecurity as collection of inter-dependent parts is about understanding systemic risk in the digital business system. Systemic risk exists in every digital business system and relates to variances in how the entire system functions to perform its intended objective. One weak spot in a cybersecurity system opens the door for hackers skilled at finding these soft spots.
The boardroom can be the cybersecurity weakest link in several ways. First, is the board doing an effective job in understanding and overseeing cybersecurity risk management? Are the board’s corporate directors a high performing part of the overall cybersecurity system of the company? Several signs indicate the board may be the weakest link:
1. The board doesn’t have corporate directors with cybersecurity experience.
2. The board tasks their audit committee with cybersecurity risk oversight.
3. The board doesn’t assess systemic risk as a part of its enterprise risk management approach.
4. Corporate directors don’t receive annual digital and cybersecurity training.
Hackers actively look for and find weak links. A company with an information technology oversight committee with strong cybersecurity competent directors on its corporate board, like FedEx, is a less attractive target because of the signal it sends about its overall system of cybersecurity risk management. Hackers are busy; they’ll find another company with a board that doesn’t have the skills or resources dedicated to the issue—a weaker link. When leadership is the weakness, that’s a glaring fault. And a loud signal to hackers that there may be a lack of commitment to cybersecurity making the company an easier target.
Second, are the corporate directors themselves, a weak link? There are some leading practices that are table stakes for individual corporate director’s and their at-risk communications. These practices recognize that complex digital business systems are inherently weak, i.e., a breach is inevitable. This mindset also relates to viewing cybersecurity as a systems thinker would. A systems thinker would understand that if a breach can’t be defended against with 100% certainty because the complex systems are inherently flawed, then different tactics need to be in place to protect the company and its digital value.
Sanjeev Verma, Founder, and Chairman of PreVeil, founded his cybersecurity company to address this principle. “Vulnerabilities get exploited immediately,” he shared with me. “So we rethought the approach to cybersecurity by thinking about it as a systems thinker would. How could we make cybersecurity effective given the hackers will always get in? The solution was around making the information that hackers were trying to access worthless to the hackers through encryption.”
By adopting concepts already being applied by the NSA and defense industries, PreVeil is capitalizing on the basic economics of any theft. That is, when the target of the crime is worth less than the cost of stealing it, the target is secure. With encryption, PreVeil is bringing this concept to life by making critical information that hackers target worthless. If they can’t use the information, it’s not worth targeting and hacking into. Hackers will find a weak link somewhere else.
One of PreVeil’s products protects corporate director communications with defense industry-strength encryption techniques that are very easy to use. Encryption makes sure that the information that corporate director’s access and share is worthless to hackers—making corporate directors a less attractive target. Encrypting corporate director email and boardroom files is table stakes in an effective cybersecurity system and is an easy step for any company to take.
The digital and cybersecurity governance transformation of the full board as a critical part of the cybersecurity system is a more significant step, but one that’s also not that difficult to implement. CIOs and CISOs also have a strong vested interest in having a digital and cybersecurity competent board. If the board doesn’t have their back on these issues, then the target’s on theirs. Criminal charges were filed this month against the former CSO of Uber related to a data breach and cover up that indicates a significant corporate culture issue—which always starts with the tone at the top.
There will come a day in the corporate boardroom when digitally-savvy corporate directors and focused digital and cyber board committees are as common as the qualified financial expert and the audit committee. Some boardrooms are already doing just this because they know that it’s expensive being the weakest link in the digital world.