• United States



Director, Critical Infrastructure Protection Programs, North American Electric Reliability Corp. (NERC)

Improving cybersecurity governance in the boardroom

Sep 25, 20176 mins
Business ContinuityData and Information SecurityIT Leadership

To tackle increasing data threats, companies need to put cybersecurity at the very heart of the business.

executive chairs boardroom
Credit: Thinkstock

The risk landscape for corporations is constantly changing with new threats, regulations, and evolving cybersecurity vulnerabilities and attack methods. The recently disclosed Equifax data breach is the latest high-profile event that has stirred senior executives and corporate boards of directors all over the country to ask themselves, “Can this happen to us?” Sadly, the answer remains “yes,” as cybersecurity risk can never fully be removed. However, corporate boards can create a culture of security to mitigate risk and better protect their company’s critical infrastructure, data systems and reputation.

Recent cyber-attacks have caught the eye of many boards across the country because of their significant effect on corporate earnings in 2017. For example, FedEx reported a $300 million hit to earnings due to the Petya attack in June 2017. Mondelez, formerly known as Kraft and the world’s second largest confectionary company, reported a 5 percent drop in quarterly sales, blaming shipping and invoicing delays caused by the same June attack. Similarly, the shipping company Maersk reported that the Petya (variant) attack will result in losses totaling between $200 and $300 million. Lloyd’s of London has estimated that a global cyber-attack could trigger an average of $53 billion in economic losses, a figure on par with a catastrophic natural disaster such as Superstorm Sandy in 2012. Accordingly, the potential monetary and reputational losses from these cyber breaches are significant and increasing as they become more impactful and widespread.

Corporate boards can no longer be content in solely hearing about metrics, resources, and compliance when evaluating corporate success. They must also consider what an organization is doing to protect the business’ existence, including its information assets, the risk to those assets and their criticality to ongoing business operations. To increase board awareness in this area, Chief Information Security Officers (CISO) must proactively engage their boards on issues of data confidentiality, integrity, and availability.

Recent ransomware, denial of service, phishing and other malware attacks are calling for board members to ask the difficult questions about their company’s risk. What is the company’s risk appetite? Have threat and vulnerability assessments been conducted to evaluate company risk? Does the organization have the expertise and resources needed to reduce risk? Have mitigations (controls) and countermeasures been adequately deployed? What risk has the organization mitigated, removed, transferred, or accepted? Every business has risk. Whether you are generating electricity for the power grid or operating a neighborhood lemonade stand, calculating and mitigating risk is a key factor to an organization’s success and survival.

Risk can be defined as the combination of the probability of an event and its consequences. The probability of an event is the likelihood that a given threat will exploit an exposed vulnerability. If there are no consequences or impact, there is considered to be no risk. Conversely, the greater the consequences or impact, the greater the risk. Board members should assess cybersecurity risk on a regular or event driven basis, such as after any incident or security event, because any successful compromise is the result of either a lack of adequate controls or a control failure, which indicates risk was not assessed accurately and must be reassessed. These basic concepts on risk will allow board members to assess security vulnerabilities and better protect their company from potential losses. Today, corporate boards would be well served to have a fellow member with a security background to ensure security objectives, such as cyber risk assessment and mitigation, are aligned with business goals and objectives.

Once a board has defined its corporate risks and identified its security expectations, compliance with these expectations should be met at all levels of the enterprise. Penalties for non-compliance must also be defined, communicated and enforced from the board level down. Beyond these requirements, the board has an ongoing obligation to provide a level of oversight over information security activities. In addition, the board, in coordination with senior management, is responsible for ensuring that the appropriate organizational functions, resources and supporting infrastructure are available and properly utilized to fulfill a well-articulated security strategy for the enterprise. A review of the organization’s strategic business plan is likely to uncover information security opportunities that can directly reduce risk, financial losses and potential operational disruptions. These opportunities for risk mitigation should be included in a company’s information security strategy to provide a path forward in this area.

Without an information security strategy and a governance framework to implement it, an organization will continue to implement ad hoc tactical point solutions rather than a meaningful and integrated plan of action. Information security governance is a subset of corporate governance that provides strategic direction for security activities and ensures that cybersecurity objectives such as effective risk and resource management are achieved. To achieve information security governance, corporate boards must mandate the development and maintenance of an information security framework that supports and is intrinsically linked with business objectives.

An important and often misunderstood cybersecurity issue that surfaces again and again in corporate settings, regardless of which regulatory program we discuss, is the distinction between compliance and security. Compliance is a regulatory minimum that one must achieve, it could even be seen as a tool, but it is not a cybersecurity strategy. Boards of Directors should recognize that compliance is the minimum and that the minimum may not keep a company and its resources secure. Risk mitigation through security controls and countermeasures should drive risk down to acceptable levels. However, when was the last time a risk assessment or a business impact analysis was done to determine current and emerging threats? To tackle increasing data threats, companies need to put cybersecurity at the very heart of the business. In the modern age, information security should be woven into the fiduciary, oversight and risk management purview of the board.

As strategic leaders of the company, if you can promote a culture of security, it becomes an integral part of the way the organization functions. This is one of the best and most important protections that any organization can have, and it will push employees to understand and anticipate that when they engage the board on topics of customer data, infrastructure upgrades and business impacts, security will be discussed in detail. This is the new normal. After all, benign neglect, indifference or ignorance will not end well and could result in irreparable reputation and product damage.


Brian Harrell is a nationally recognized expert on critical infrastructure protection, continuity of operations, and cybersecurity risk management. Harrell is the President and Chief Security Officer at The Cutlass Security Group, where he provides critical infrastructure companies with consultation on risk mitigation, protective measures, and compliance guidance. In his current role, he has been instrumental in providing strategic counsel and thought leadership for the security and resilience of the power grid and has helped companies identify and understand emerging threats. Advising corporations throughout North America, Harrell has worked to increase physical and cybersecurity mitigation measures designed to deter, detect, and defend critical systems. Harrell is also a Senior Fellow at The George Washington University, Center for Cyber and Homeland Security (CCHS) where he serves as an expert on infrastructure protection and cybersecurity policy initiatives.

Prior to starting his own firm, Harrell was the Director of the North American Electric Reliability Corporation’s (NERC) Electricity Information Sharing and Analysis Center (E-ISAC) and was charged with leading NERC’s efforts to provide timely threat information to over 1900 bulk power system owners, operators, and government stakeholders. During his time at NERC, Harrell was also the Director of Critical Infrastructure Protection Programs, where he led the creation of the Grid Security Exercise, provided leadership to Critical Infrastructure Protection (CIP) staff, and initiated security training and outreach designed to help utilities “harden” their infrastructure from attack.

Prior to coming to the electricity sector, Harrell was a program manager with the Infrastructure Security Compliance Division at the U.S. Department of Homeland Security (DHS) where he specialized in securing high risk chemical facilities and providing compliance guidance for the Chemical Facility Anti-Terrorism Standards (CFATS). For nearly a decade of world-wide service, Harrell served in the US Marine Corps as an Infantryman and Anti-Terrorism and Force Protection Instructor, where he conducted threat and vulnerability assessments for Department of Defense installations.

Harrell has received many accolades for his work in critical infrastructure protection and power grid security, including awards from Security Magazine, CSO, AFCEA and GovSec. Harrell maintains the Certified Protection Professional (CPP) certification and holds a bachelor’s degree from Hawaii Pacific University, a master of education degree from Central Michigan University, and a master of homeland security degree from Pennsylvania State University.

The opinions expressed in this blog are those of Brian Harrell and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.