The question for the directors is not whether to become involved in cyber risk management, but how to appropriately oversee their company’s initiatives. Gain confidence by doing a cyber “tabletop exercise.”
Boards everywhere are asking what they should be doing about cybersecurity. Ensuring the adequacy of a company’s cybersecurity program is critical to a director’s oversight responsibilities. However, directors are often not as familiar with the components of a cybersecurity program as they are with operational and financial issues.
Driving awareness of cybersecurity threats and linking them to risk, governance and compliance is key to providing directors with the information they need to fulfill their oversight duties.
Board members may not understand the technical details of cybersecurity, but it is important that they understand the basics, such as:
- what vulnerabilities are
- what measures are in place to minimize risk
- what response and recovery plans are in place
Answering questions the Board is likely to have before a breach actually happens enables you to spend your valuable time during a breach focused on the crisis in progress, rather than bringing the Board up to speed on how the organization is positioned to respond and the detailed processes in place.
Finally, it is critical that board members understand that the occurrence of a breach is not a matter of IF, but WHEN.
Assessing the Risks
Taking reasonable and appropriate safeguards to protect the enterprise, customers and stakeholders is essential to effectively minimize risk.
Though risk cannot be completely mitigated, each company should have a cybersecurity plan that protects critical infrastructure and data.
First step: understand the critical assets that need to be protected.
- Given limited resources, Boards must understand which resources are the most critical and need to be protected.
Second step: determine the risk profile the organization needs to have when operating in cyberspace, and what mitigation is needed to reach the tolerable risk level agreed with the Board.
- Ensure the Board understands the current maturity of the organization’s cybersecurity program and supports the additional mitigation efforts required to achieve the agreed tolerable risk level associated with cybersecurity.
Pepco Holdings Inc. (PHI) faces daily intentional and unintentional threats from cyber, physical and human sources. To address these threats, our company invests an extensive amount of time, resources and capital to secure our critical assets to provide the greatest level of assurance and reliability to our customers. PHI has a plan that includes: education and awareness, policies and procedures that address the security and protection of systems and data, and the development of solutions with security in mind.
PHI’s all-hazards approach considers both environmental and community impacts, with a single management arrangement for both natural and man-made hazards. There are, of course, special considerations for cybersecurity within this framework.
Generally, PHI relies on:
- Preparedness, focused on user awareness and information gathering
- Prevention, focused on technical design & system monitoring
- Response, focused on the identification of and response to threats
- Recovery, focused on the steps taken in the immediate aftermath of a successful attack
These elements come together to:
- First, mitigate the risk
- Second, detect a potential event as soon as possible through situational awareness, to prevent further damage and reduce the impact
Tabletop Demonstration for the Board
To help the Board understand the complexities of PHI’s emergency response logistics, and especially their own role, we conducted a cybersecurity tabletop exercise. The demonstration was an audit of the PHI response process, a critical piece of the cybersecurity plan.
The walk-through of what would happen in the first 24 hours after a successful attack benefited the Board by providing them with:
- A clear understanding of how the process will work and who is responsible for what
- An understanding of who is essential to the situation and can answer questions
- A feel for how an incident might lead up to a full-blown event
- An understanding of how federal agencies will interact with the company
- An understanding of how the company will respond initially, and how decisions to escalate will be made
- An opportunity to learn from the drill and improve upon the plan
- Identification of items that require board follow-up
- Insight into coordination with federal agencies and into reconciling the different reporting requirements of federal and regulatory agencies
Most importantly, this exercise increased board confidence that the plan is sound and illustrated how cyber events are similar to, and different from, environmental hazards.
For a response plan to succeed, the response must be coordinated at the tactical level by a dedicated cyber response team that is integrated within the Incident Command Structure (ICS). The structure must ensure that customers, community leaders and employees have access to timely, accurate and consistent information.
And finally, with so much at stake – financial loss, operational disruption, legal liability, harm to reputation – the Board of Directors must be involved to appropriately oversee the company’s activities. Participation in a cyber tabletop exercise is one way to provide the Board with practical knowledge of your company’s readiness and response plan, and of their own role during a crisis.
– Patricia A. Oelrich, Board Member, PHI
To read more about the evolution of threats over time and the “Age of Response,” see Nigel Stanley’s post: The 3 Ages of Cyber Security.
About the Author
Patricia A. Oelrich is a member of the board for both Pepco Holdings Inc. and FHL Banks’s Office of Finance. Additionally, Oelrich is a consultant for OpenSky on a range of cybersecurity topics. From 2001 to 2009 she was a vice president of IT risk management for GlaxoSmithKline Pharmaceuticals, and was vice president of internal audit from 1995 to 2000. Earlier in her career she was a partner of Ernst & Young, leading the Chicago Office Information Systems Audit and Security Practice.