If doing the same thing over and over again and expecting different results qualifies as insanity, cybersecurity might be better characterized as a mental health issue. Fixating on technical issues as the source of all cybersecurity vulnerabilities is flawed since the root causes of security vulnerabilities often have nothing to do with technology.
In addition, the continuation of data breaches despite generous spending on security technology suggests cybersecurity efforts are misplaced and/or too narrowly focused. As former Yahoo Chief Security Officer Bob Lord commented in the New York Times, “If adding security technologies could fix our cybersecurity problems we would have fixed things 25 years ago.”
The historical evidence suggests a need for better security governance rather than more security technology. To understand why this is so, it is necessary to understand the forces that influence any security risk management strategy.
An organization’s security risk management strategy is a function of its tolerance for risk, which lies somewhere on a security risk continuum. That continuum is bracketed by unconstrained business facilitation at one extreme and total security restriction at the other. Calibration of the set point that lies somewhere between those extremes is achieved via security controls.
The figure below illustrates the situation.
Security measures intended to prevent cyberattacks inevitably cause inconvenience. The organizational tolerance for inconvenience is determined by where the organization sits on the above continuum, which is typically inversely proportional to the tolerance for risk.
Boards of directors must balance business-driven requirements for convenience against legitimate security concerns. Perhaps most importantly, the Board must influence the culture so that business and security decisions are in harmony, or at least are not unknowingly in conflict. The key point is that decisions impacting information technology can simultaneously affect the security of sensitive information and the effectiveness of business operations.
The present reality is that boards of directors are being increasingly held responsible for data breaches whatever the cause. For example, the current and former directors of SolarWinds were hit with a stockholder suit regarding a massive hack affecting many of their customers. This type of lawsuit is likely a harbinger of things to come.
It is impossible to reduce the probability of a successful cyberattack to zero. So what should boards of directors do to further protect their organizations’ information as well as reduce their personal liability in the event a data breach does occur?
First, they must adopt an enterprise view of IT environments by ensuring processes, workflows and technologies exhibit the appropriate balance between security and convenience. Such a view is necessary to understand the organizational features and functions that contribute to complexity, a significant driver of cybersecurity risk. They also need to be aware of the most significant security vulnerabilities across the enterprise, their potential impact and the plan for mitigating them.
Second, they should regularly and collectively engage with the chief information security officer (CISO) or chief technology officer (CTO) and business unit leaders as part of a centralized security governance process. In this way they learn about security risks and business requirements from the sources of ground truth by encouraging the sharing of views with all parties present. Awareness of security controls and their potential business impact is essential to security governance and should not just occur following a breach.
Third, they must adjust the organizational culture so that security is embedded in all business decisions impacting information technology. In my experience the most successful cybersecurity programs are those where senior leaders are actively engaged in the creation and/or approval of security policies. Boards of directors must show by example that cybersecurity is an innate feature of the organizational culture. Evolving a culture is never easy, and it must be done without undermining the qualities that have historically contributed to the organization’s success.
Finally, the board of directors must ensure there are sufficient resources available to keep pace with the inevitable evolution of technology as well as to address an increase in demand. In this way they will demonstrate a fulfillment of their fiduciary responsibilities while acknowledging that in security risk management, like most things in life, you get what you pay for.
Carl S. Young is a co-founder of Consilience 360, a security risk consulting firm that specializes in advising senior executives and boards of directors on security risk management and governance. He is the author of five reference books on science applied to security. His most recent publication is Cybercomplexity: A Macroscopic View of Cybersecurity Risk (Springer Nature, 2022).