Richard F. Chambers, President and CEO of The Institute of Internal Auditors
The spectre of cyberattack grows each year for organisations of all sizes and from all business sectors. Discouraging statistics and ominous predictions about the scope and continuing expansion of this business threat are as plentiful as hair on a dog. So, it is not surprising that cybersecurity has become one of, if not the, top priority for boards.
The demands on board time and resources created by cybersecurity have become a risk as already overburdened boards struggle to manage the issue, potentially taking their focus away from other business risks. This makes for a dangerous combination that, if not well-managed, can lead to disastrous consequences for organisations.
Board members must understand the resources available to them, not just when it comes to managing cyber risks, but also when planning for the worst. Potential fallout from a major cyberattack can include damage to reputation, erosion of customer loyalty and serious challenges to business continuity and sustainability. Comprehensive disaster recovery or business continuity plans must, therefore, include a well-considered component for surviving a cyberattack.
Internal audit offers a valuable tool to help boards wrestle with cybersecurity and all the attendant ills of a successful cyberattack. As assessors of risk and assurance providers, internal audit functions are positioned to offer sage counsel on managing cybersecurity. Chief audit executives can become valuable partners to others within the organisation tasked with managing cybersecurity, such as chief information officers, chief risk officers and chief information security officers.
But simply identifying cyber risks and the resources to battle them is not enough. Board members must understand what factors contribute to strong and healthy relationships among those tasked to manage cybersecurity. Often, the biggest challenge is managing conflicts created by poorly defined roles, turf battles, the influence of corporate culture and the false comfort that can come from having a disaster-recovery plan on the shelf.
Defining the scope
There is plenty of information available to establish cybersecurity as a significant business challenge. It is widely acknowledged – and often repeated – that a successful cyberattack on an organisation is just a matter of when, not if. Indeed, even as awareness of the risk has grown, the number of successful attacks has continued to rise each year.
The 2015 State of Cybersecurity Survey found nearly three in four responding organisations expected to fall prey to a successful cyberattack in 2016. The survey, an annual report from ISACA, a non-profit organisation serving the information systems industry, also found the lion’s share of reported attacks from 2015 involved two of the simplest and most easily mitigated forms of cyberattacks, phishing and malware.
Six in 10 respondents reported phishing attacks, in which messages that impersonate a trusted party trick recipients into revealing credentials or financial information, or into opening malicious content. Five in 10 reported attacks from malware, software intended to damage, disable or take control of computers and computer systems. Both schemes are comparatively easy to mitigate because, in most cases, they depend on a user taking an action, such as clicking a link or opening an attachment. Strong internal controls and employee training should thwart most phishing and malware attempts, yet human error still allows these attacks to succeed with alarming frequency.
On the positive side, the ISACA survey found 82 per cent of respondents said their boards were ‘concerned’ or ‘very concerned’ about cybersecurity/information security. This concern has translated into significant resource commitments. Spending on cybersecurity continues to grow at a tremendous rate. Cybersecurity Ventures, a leading researcher and publisher of reports on cybersecurity, predicts cybersecurity spending will total $1 trillion cumulatively over the next five years. Other data from Cybersecurity Ventures paints equally staggering scenarios:
- Cybercrime will cost the world $6 trillion annually by 2021
- There will be 1.5 million cybersecurity job openings by 2019
- Demand for cybersecurity professionals will swell to six million by 2019
- Unemployment for cybersecurity professionals is expected to remain at zero per cent through 2021
Even with demand at such high levels, most entry-level cybersecurity professionals are far from ready to do battle with evil-doers lurking in the ether. The ISACA report indicated that nearly 65 per cent lacked the requisite skills to perform the tasks related to the jobs they were seeking.
To round out the scope of the cybersecurity challenge, we must peer into the future of cybersecurity. As technology advances at seemingly breakneck speeds, businesses must learn to quickly weigh the value of each new development. The dual reality is that technological advances pose opportunity and risk and they present organisations with an unnerving choice – adopt new technology and potentially increase vulnerability to cyberattacks or take a wait-and-see approach and risk falling behind the competition.
This unsettling dichotomy is reflected in the gloomy outlook of ISACA survey respondents regarding the growing prevalence of artificial intelligence (AI). More than four in 10 expect AI will increase short-term cybersecurity risks while more than six in 10 expect it will increase long-term risks. Similarly, more than half say they are ‘concerned’ or ‘very concerned’ that the Internet of Things (IoT) – a growing technology trend where everyday objects have network connectivity, allowing them to send and receive data – will make their organisations more vulnerable to attack.
The prospects of ballooning cybersecurity costs, long-term skilled labour shortages, the battle against human error and the constant Jekyll and Hyde aspect of technological advances are enough to scare most board members into hiding.
Getting your battle plans in place
Clearly, the cybersecurity challenge is a daunting one. But, as with most business risks, a well-informed mitigation strategy that is backed by sufficient resources should protect the organisation. So how should board members approach this formidable task?
It is fanciful and even entertaining to think of board members as cyber warriors doing battle with hacktivists, advanced persistent threats and logic bombs. But it is much more realistic and useful for board members to see themselves as cyber generals, planning and executing sound battle plans against a resourceful and intractable enemy. Developing that battle plan relies on board members understanding the resources available to them, surrounding themselves with qualified and trustworthy lieutenants and preparing the organisation to not just survive, but also quickly rebound from, an attack.
Here are seven key steps for boards to consider when building their cyber battle plan.
- Identify the crown jewels
Each organisation has many assets, but there are certain assets it cannot do without. It may be a database of customer information, intellectual property, strategic business plans, trade secrets or grandmother’s secret recipe. This is where resources to protect and isolate are best concentrated, rather than spread generically across the environment.
- Build your defence plans
Plans should be built using a careful mix of technology, sound governance policies and practices, crisis-management strategy and input from the highly skilled professionals who will execute the plan.
- Train the ground troops
All battle plans are only as good as the ground troops who carry them out. Board members should support, indeed insist, that employees receive the training needed to follow the practices and protocols that make up the organisation’s cyber defence. It is telling that two major sources of cybersecurity breaches remain phishing and malware schemes. Sound cybersecurity practices, applied in layers so that a single mistaken click cannot compromise the organisation, can render both relatively harmless, yet human error allows them to continue to plague organisations globally.
- Plan for how to survive the worst
Boards must ensure their organisations are not just cyber savvy but also cyber resilient. Cyber resilience can be defined as the ability to resist, react to and recover from cyberattacks – and modify an environment to increase security and sustainability [1].
This means having the plans and resources in place to survive the inevitable successful cyberattack. Yet The IIA’s 2016 North American Pulse of Internal Audit survey found that a scant eight per cent of respondents ranked ‘reaction’ as the first or second most effective method of responding to cyberattacks, and only three per cent ranked ‘restoration of services’ as most effective [2].
Boards must work with management and internal audit to build crisis management and crisis communication plans to look not just at handling a cyberattack, but how to restore and sustain services and rebound from the attack as quickly as possible.
- Build a healthy and respectful relationship with technology
Technology offers organisations the ability to boost productivity, cut costs and gain an advantage over the competition. But it also can make organisations more vulnerable to cyberattacks. Hackers are constantly looking for ways to exploit weaknesses in organisations’ cyber defences. The adoption of any new technology must therefore be weighed against the vulnerabilities it may introduce, and the policies and protocols needed to protect the organisation should be built before the technology is rolled out, not after.
- Never stop improving the battle plan, even if the battle never arrives
It is dangerous to view cybersecurity and cyber resilience planning as something to simply get done and checked off the list. Organisations are dynamic and as they change, so must their battle plans. New business lines, emerging markets and other evolutions of a business create new risks, and new risks require updated plans. Cybersecurity plans gathering dust on the shelf are as useful as battle plans that do not consider the enemy’s latest troop movements.
- Understand what can undermine your efforts
Even the best and most up-to-date plans can be undermined by problems with organisational culture. Boards and management can devote significant time and resources to developing great business strategies, but misaligned or toxic cultures can quickly derail their execution. Boards must have a keen understanding of the organisation’s actual – not just stated – culture.
Internal audit’s role in cybersecurity
In an ideal world, cybersecurity plans are executed flawlessly. Everyone knows their role and follows the policies and practices designed to protect the organisation. Boards and management remain astute to changes in risk and technology and quickly act to modify plans as needed. Organisational culture supports and strengthens cybersecurity efforts. Of course, no one lives in an ideal world.
As such, boards must constantly monitor the effectiveness and efficiency of cybersecurity practices, policies and plans. This is where internal audit can play an essential role. Once cybersecurity plans are created, it is up to internal audit to do what it does best – test for effectiveness and efficiency of controls and protocols and provide the board and management with assurance about those protections.
Four areas where internal audit can play a significant role in cybersecurity are identified in the Pulse report. Internal audit can:
- Provide assurance over readiness and response to cyber threats
- Communicate to the board and executive management the level of risk to the organisation and efforts to address such risks
- Work collaboratively with IT and other parties to build effective defences and responses
- Ensure communication and coordination among all parties in the organisation regarding the risk
The final area, ensuring communication and coordination, may be the most important. Turf battles over who ‘owns’ the cybersecurity risk are counterproductive and weaken the organisation’s cybersecurity efforts. A unified effort where roles are clearly defined creates the best conditions for deterring cyberattacks and building and executing a cyber resilient business continuity plan in case a cyber breach occurs.
Internal audit can help organisations review and test business-continuity and disaster recovery plans. The potential for reputational harm that poorly managed business disruptions create is significant and it is far better to find faults with business continuity plans through mock exercises than in a real-life scenario.
Despite its complexity and formidable challenge, effective cybersecurity and cyber resilience are within the reach of most organisations. But they require a unified and coordinated effort. Boards are in the best position to manage the effort if their members understand the scope of the challenge, commit the necessary resources to develop and execute an informed strategy and nurture open communications and cooperation among the key players, from management and IT to internal audit.
About the Author:
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and chief executive officer of The Institute of Internal Auditors (IIA), the global professional association and standard‐setting body for internal auditors. The IIA serves more than 180,000 members in over 170 countries and territories and is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications.
Richard leverages more than four decades of internal audit and related experience to direct nearly 200 professional staff members at The IIA’s global headquarters in Altamonte Springs and Lake Mary, Fla., achieving agreed‐upon strategies and objectives on behalf of The IIA’s North American and Global Boards of Directors. During more than six years as global CEO, Chambers has led The IIA to record membership and the launch of a number of valuable initiatives to benefit members and the internal audit profession, including the Audit Executive Center; Pulse of Internal Audit; AuditChannel.tv; Internal Auditor Online; the Certification in Risk Management Assurance (CRMA); the Qualification in Internal Audit Leadership (QIAL); The IIA Risk Resource Exchange; the American Center for Government Auditing; and the Financial Services Audit Center.
[1] EY, Achieving resilience in the cyber ecosystem, December 2014. www.ey.com/Publication/vwLUAssets/cyber_ecosystem/$FILE/EY-Insights_on_GRC_Cyber_ecosystem.pdf
[2] The annual Pulse survey of chief audit executives is a product of The IIA’s Audit Executive Center.