The information security community has long taken corporate boards to task for failing to be actively involved in IT security programs, which includes not investing enough resources into staff and threat mitigation technologies. However, infosec professionals may need to shelve the criticism shortly, as two experts now say that a lack of security education, not awareness, is holding board members back from taking more active roles in information security programs.
Ken Daly, president and CEO of the National Association of Corporate Directors (NACD), a non-profit group focused on advanced boardroom leadership and practices, said that many of the more than 14,000 members at the NACD have expressed a desire to lead on information security topics within their respective organizations. Any notion that IT security risk wasn't under the purview of corporate board members was dismissed in recent years, he noted, by the high-profile leaks from Edward Snowden and Bradley Manning, as well as the breaches that affected Target Corp. and other major retailers.
Speaking at a Department of Homeland Security event Tuesday, Larry Clinton, president and CEO of the Internet Security Alliance, agreed with Daly's assessment, citing statistics from a recent FTI Consulting study that showed data security is now the top concern among corporate directors and general counsel. Data security supplanted last year's choice of succession and leadership transition, Clinton added, which shows that information security has become a prominent topic among corporate board members.
"We've actually moved beyond our first goal, which was [raising] cybersecurity awareness, to the harder issue, which is actually understanding the problem and then pragmatically working to solve it," said Clinton. "It's one thing to talk about the fact that cybersecurity should be part of the business, [but] it's another thing to actually do it."
Indeed, rising awareness of information security issues among board members is obviously a positive, Daly said, but it hasn't necessarily led to more action from boards when it comes to mitigating risks. Many NACD members have actually indicated through surveys and informal discussions that they simply lack the education when it comes to security topics, according to Daly, with some going as far as admitting that they don't have the security-specific vocabulary needed to effectively discuss relevant technologies, threat vectors and trends.
To answer that demand for more information security knowledge, the NACD released a handbook in June that details five general information security principles, all of which are aimed at covering board-level considerations related to security risk oversight. Daly said that the handbook has been downloaded more than 1,200 times since its release and will likely receive more attention as the Department of Homeland Security has chosen to highlight it as a resource for private sector businesses concerned about security. The NACD will also be providing more security resources in the form of video series and expert presentations at the organization's meetings, he added.
As for what's included in the NACD handbook, one of the principles advises board members to be aware of the legal implications associated with cyber risks. Certain states such as California have established specific guidelines in regard to breach notifications, while high-profile data breaches have led to numerous companies being sued. To ensure that a business cannot be accused of neglecting security after such an event, the NACD handbook noted that board discussions featuring security topics -- including updates on specific risks, the security program as a whole and technologies -- should be recorded in the minutes of all official meetings.
The handbook also says corporate boards should ensure that they regularly meet with pertinent security staff and experts to discuss cyber risks, and decide how much tolerance each individual organization will have for such risks. What the handbook doesn't advocate, Daly emphasized, is the placement of a dedicated security resource on a board.
Instead, Daly said that all board members should be involved in managing risk as part of an "enterprise-wide" strategy. That means that each board member and committee should be involved with understanding how security impacts their specific realm within the enterprise, he noted, and then determining whether to take a deep dive themselves in an attempt to manage the issue, or possibly even hire outside consultants to help educate them.
"I've not heard a lot of desire [from NACD members] to put another expert on the board," said Daly. "I think that actually defeats this enterprise-wide notion."
Daly expressed his hope that even if the NACD handbook doesn't provide all the answers for corporate boards, it will at least turn the current "unknown" of information security into an "uncertain" -- meaning that they will accept that data breaches are an inevitability, but the outcome of such breaches can still be affected by the mitigations put in place by an organization in advance.