A common factor among many companies that have had devastating cyberattacks is that their CISO (if they had one) was too aloof to recognise the company’s risks or too egotistical and arrogant to believe they had any.
Cyber risk is a challenging issue for the board of directors. On one hand, cyber is truly one of the greatest risks that companies face, one that can literally shut down operations overnight, such as in a ransomware attack. On the other, directors’ duty of care to the company is often described as more of a strategic, detached oversight role, not a tactical one.
Because of the critical importance of cybersecurity, however, directors must have a better understanding of it than many other issues. Accordingly, they should focus on the big picture while also ensuring the company has the right team in place, that the team understands its objective, it has an actionable plan and resources needed to achieve the objective, and that it is executing that plan in an effective manner.
The FireEye and SolarWinds cyberattack
On 8 December 2020, FireEye, one of the world’s pre-eminent cybersecurity firms, disclosed that it had been the victim of a successful cyberattack. This shot was heard around the world by anyone familiar with cybersecurity, because, if any company should be well protected from cyberattacks, it was FireEye. If it could happen to FireEye, it could happen to any company.
Days later we learned the vector for that attack: it was accomplished by using a vulnerability in SolarWinds’ Orion network management tool that FireEye used for managing both its and its clients’ networks. The SolarWinds tool was also used by other information technology service providers as well as by many companies themselves. Given the popularity of the SolarWinds tool, then, this was a global attack. This brief description is necessarily an oversimplification of a cyberattack that is one of the largest and most sophisticated ever seen, the ramifications of which are still being felt today. Companies across the globe continue to learn that they, too, have been compromised by it.
Lessons for directors
The overarching lesson that should be learned from this attack is one of humility and resilience. Far too many business leaders – and far too many information technology (IT) professionals –believe their company’s IT networks and defensive measures are too sophisticated and well-maintained for their company to fall victim to a cyberattack. But the FireEye/SolarWinds breach should provide a dose of humility for all. FireEye is at the very top tier of the cybersecurity industry and is the cybersecurity expert that many of the savviest companies in the world hire to help protect them. If any company is going to get this right, it is FireEye. If any company is going to be immune from this risk, it is FireEye. And FireEye was not.
The odds of having an impenetrable cybersecurity defence are virtually impossible – defenders must get it right 100 per cent of the time across the entire environment (including the supply chain risk vector). Attackers need only one lucky shot to succeed.
Add to that the fact that the threat landscape is always evolving and much of the time those defending do not even know what they are defending against because it does not yet exist. I do not believe any organisation can be ‘secure’. But what they can be is resilient and thinking about resilience requires having the humility to recognise that your company can and will be hit so you need to prepare for how to move forward when it happens.
Companies should have a chief information security officer (CISO), or equivalent role, that serves as the company’s ‘head coach’, responsible for cybersecurity. Given that cybersecurity is one of the most critical issues, the CISO is one of the most important people in the company. The board of directors must have a direct relationship with him/her for several reasons and the CISO should report directly to the board.
The best way to understand the company’s degree of humility towards cybersecurity is to understand the CISO’s humility towards cybersecurity. It is therefore important for the board to have a direct relationship with the CISO to be able to better know this person, understand their personality, and have frank conversations about the cyber risks the company faces and how they are being addressed. Much like how a jury evaluates witnesses, this involves evaluating the person and assessing their credibility as much as it involves evaluating the processes of assessing and mitigating the risks.
“A BOARD WITH A MATURE UNDERSTANDING OF CYBER RISK WILL UNDERSTAND THAT IN TODAY’S ENVIRONMENT NO COMPANY CAN BE COMPLETELY SECURE, AND NO ONE HAS ALL OF THE ANSWERS FOR HOW TO BE SECURE BECAUSE TOTAL SECURITY IS IMPOSSIBLE.”
This must be done through direct communication; it is not as effective through written reports or reports provided by other people. Plus, when others are involved, there are often gaps in the information and understanding as well as competing interests that may intervene and distort the accuracy of information reaching the board.
The board’s conversations will likely be difficult for the CISO and that is not necessarily a bad thing. A common factor among many companies that have had devastating cyberattacks is that their CISO (if they had one) was too aloof to recognise the company’s risks or too egotistical and arrogant to believe they had any. For them, a report to the board would simply amount to ‘we are secure, and any risks are being mitigated’.
A credible CISO, however, with a good understanding of the overall cyber risk environment and the particular risks the company faces, will find it difficult to look the board members in the eyes and say, ‘we are secure’. This will nevertheless be hard for the CISO because they recognise that many view their job as making the company secure and such an admission is tantamount to admitting that they are not doing their job.
Similarly, they will find it uncomfortable to answer the question of ‘what needs to be done for the company to be secure?’ because if anyone should have all of the answers, it should be them, shouldn’t it? If the board does not have a mature understanding of the nature of cyber risk, such admissions could mean getting berated and cost them the CISO his/her job.
Conversations such as these directly with the CISO will reveal a lot about their personality, credibility, confidence, humility, understanding of cyber risks and ability to explain them, and thinking on resilience planning.
It is imperative, however, that the board is mature in how it has these conversations. Approaching the CISO in an aggressive and threatening manner will cause them to be more guarded and less forthcoming. This, in turn, will only hinder the board’s ability to do its job properly.
A board with a mature understanding of cyber risk will understand that in today’s environment no company can be completely secure, and no one has all of the answers for how to be secure because total security is impossible.
