


by Richard Power

To Govern or Not to Govern

Dec 02, 2008
IT Strategy, Privacy

Cylab study highlights gaps in Board oversight of security and privacy

The millennial shift from the 20th Century to the 21st Century signifies the transition from the industrial age to the information age and from regional and national markets to global markets. It has brought profound new challenges to corporate board members and C-level executives in every economic sector.

Over the last two decades, a series of diverse and intense shocks—some economical, some political, some environmental, some technological, some related to the nature of crime, some related to energy security—have compelled business leaders to take a new look at how they govern.

Board members must assure not only the profitability of the corporation but also its survivability. And in the 21st Century, the twin forces of the global economy and cyberspace have come to dominate our lives, and the business risk matrix has changed, i.e., it has broadened and deepened, and the survivability of corporations is threatened in new ways.

The world in general, and its commerce and communications in particular, are integrated and interdependent in unprecedented ways that have led to both enticing new opportunities and daunting new challenges.

As I write this article, the headlines are dominated by a global economic crisis, a savage seven-pronged terrorist attack in Mumbai, and the wild success of the Somali pirates in seizing control of a $100 billion Saudi oil tanker in 15 minutes.

But this rash of extraordinary circumstances is not an anomaly that could be explained away by astrologers. No, it is not a rare transit or an odd conjunction. It is just the acceleration of the trend line we have been on for two decades.

Consider some examples of the thousand and one natural shocks, to paraphrase Shakespeare, that corporate flesh is heir to in these challenging times:

  • Barings Bank
  • 1990s Asian Financial Crisis
  • 9/11 and Post-9/11 Terrorism
  • Enron, Arthur Andersen and World Com Scandals
  • Russian and Asian Organized Cyber Crime
  • Hurricane Katrina
  • Indian Ocean Earthquake and Tsunami (2004)
  • Corporate Spying Scandals, e.g., the Haephrati case and Hewlett-Packard affair
  • Societe Generale

Some of these “thousand and one natural shocks” involve activities and events over which the Board of Directors has some influence, such as those stemming from errors in judgment or ethical lapses on the part of employees or agents, while others, such as terrorist attacks and natural disasters, are the result of forces and circumstances utterly beyond the Board’s control.

And yet, in regard to all of them, it is the responsibility of the Board to understand what must be done in order to avoid what can be avoided, and prepare for what can be prepared for as well as to oversee the implementation of such countermeasures. Any one of the events cited could cause a Board of Directors to review and revise its approach to governance of risk, security and privacy; but taken together, they constitute a call to arms for a comprehensive reorganization of how the Board conducts its oversight of risk, security and privacy.

It was the contemplation of the “thousand and one natural shocks” that led Shakespeare’s Prince Hamlet to ask himself that primal existential question, “to be or not to be?” Likewise, the “thousand and one natural shocks” which lurk in the dark depths of the 21st Century risk matrix may well compel despairing corporate board members to ask, “to govern or not to govern?”

The answer of course is “to be,” i.e., “to govern.”

But that leads us to another urgent and important question, how to govern best, i.e., wisely, effectively and proactively?

To provide some meaningful answers to this vital question, I collaborated with internationally renowned risk and governance expert Jody Westby, CEO of Global Cyber Risk, LLC, and an Adjunct Distinguished Fellow at Carnegie Mellon University CyLab to create the CyLab Governance of Enterprise Security Survey.

This study explores how corporations are seeking to answer this vital follow-up question, and also suggests some significant ways to improve on the response — at least in regard to cyber risk (perhaps the most nefarious, pervasive and underestimated of these challenges).

Based upon data from 703 individuals (primarily independent directors) serving on U.S.-listed public company boards, only 37% of the respondents viewed “risk and crisis oversight” as “critically important.”

The degree to which board members are uninvolved in the activities that would constitute meaningful oversight is also compelling, e.g.:

  • Boards were involved in privacy compliance reviews only 19% of the time, in assessments of risk related to IT or personal data only 31% of the time, and in security breach notification plans only 21% of the time.
  • 56% of respondents said they only occasionally or rarely reviewed and approved top-level policies regarding privacy and security risks; an additional 23% said they never did.
  • 62% of respondents said they only occasionally or rarely received reports from senior management regarding privacy and security risks; an additional 15% said they never got such reports.

How effectively can a board of directors exercise oversight over information security if it does not receive reports on risks to information security?

How effectively can a board exercise oversight of information security if it does not review and approve the top-level policies, roles and responsibilities, and annual budgets related to information security?

Nor are the facts on the ground at the C-level of the respondents’ organizations any more reassuring.

Survey respondents reveal a lack of C-level roles dedicated to mitigating privacy and security risks:

  • Only 30.21% have Chief Information Security Officers (CISO)
  • Only 27.38% have Chief Risk Officers (CRO)
  • Only 16.10% have Chief Security Officers (CSO)
  • Only 7.38% have Chief Privacy Officers (CPO)

Westby, the principal author of the study, draws several important conclusions:

  • “Boards—especially those of critical infrastructure companies—need to better understand the risks associated with IT, especially, privacy and security risks.”
  • “Few boards have Risk Committees; they tend to be overly reliant upon their Audit Committee for both overseeing and auditing privacy and security.”
  • “There is little board oversight or governance on privacy and security issues.”
  • “There is little value placed on corporate responsibility as a governance issue, which could include organizations being good cyber citizens.”
  • “Many organizations do not have executives in key roles for privacy and security, and few have functional separation of privacy and security responsibilities or cross-organizational teams.”
  • “Many organizations have major gaps or areas in their enterprise security programs that are not in compliance with internationally accepted best practices and standards, leaving them legally and technically vulnerable.”

From my perspective, the survey results offer a compelling counterpoint to the CSI/FBI Computer Crime and Security Survey I developed with colleagues on the FBI Computer Crime Squad back in 1995.

The goal of that effort was to raise awareness about the nature and scope of cyber crime and the need to report occurrences to law enforcement. In the course of its successful mission the CSI/FBI Survey also dispelled some false notions about cyber risk and security, and gave us our first sustained look at the trends that would come to dominate on the dark side of cyberspace.

We showed that the outsider threat was rapidly increasing, and could no longer be characterized as a much less serious problem than the insider threat. We showed that cyber crime was not a rare occurrence, that it was not limited to juvenile hacking and virus incidents, and that some organizations were suffering serious financial losses. All of these CSI/FBI Survey conclusions, considered by many to be heretical, were borne out by story after story and study after study over this last dozen years.

Well, the CyLab Governance of Enterprise Security Survey is as vital at this juncture as the CSI/FBI Survey was in its prime. Then, the most compelling challenge was to overcome denial and acknowledge the risks that were taking shape in the digital shadows; today, the most compelling challenge is to acknowledge our responsibility to mitigate those risks. And this mitigation process does not begin at the Internet portal or inside the operating system’s kernel; it begins in the boardroom.

There is much talk about whether or not information security professionals have a mandate from on high to get the job done within their corporations, but that cherished mandate is not worth much if it amounts to little more than lip service and a line item. A real mandate flows from the boardroom’s own actions, not just from its words.

Those business leaders who are serious about accepting responsibility and mitigating cyber risk will embrace the imperative and address the dangerous governance gaps in regard to security and privacy.

The CyLab Governance of Enterprise Security Survey also articulates a series of ten recommendations.

Here are the top five:

  • Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks.
  • Ensure that privacy and security roles within the organization are separated and responsibilities are appropriately assigned.
  • Evaluate the existing organizational structure and establish a cross-organizational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include the senior management from human resources, public relations, legal, the chief financial officer (“CFO”), the chief information officer (“CIO”), CISO/CSO (or CRO), CPO, and business line executives.
  • Develop or review existing top-level policies to create a culture of security and respect for privacy.
  • Review the organization’s security program and ensure that it comports

The full report can be downloaded from the CyLab web site at

Richard Power is a Distinguished Fellow at Carnegie Mellon CyLab. He writes, speaks and consults on security, risk and intelligence issues. He has conducted executive briefings and led professional training in forty countries. Power is the author of five books. Prior to joining Carnegie Mellon, Power served as Director of Security Management and Security Intelligence for the Global Security Office (GSO) of Deloitte Touche Tohmatsu and Editorial Director of the Computer Security Institute.