Boards should challenge any cost-cutting measures involving cybersecurity programs.
Boards that demand transparency about risks can better help their organizations mitigate them.
Boards should monitor how cybersecurity expenditures keep up with growth in their organizations.
In Corporate Board Member’s 20th annual “What Directors Think” study, public company board members said that cybersecurity is their most challenging issue to oversee.
Based on his experience helping companies advance their cybersecurity programs, Matt Franko, principal with RSM US LLP’s risk consulting practice, joined Jamie Tassa, publisher of Corporate Board Member magazine, to share valuable advice about how to improve your oversight efforts.
Below the video is a transcript of the discussion, edited for clarity and length.
Jamie Tassa: Do you think it's fair to say that cybersecurity investments are on the chopping block? And if so, what should boards’ argument be to management to consider cutting costs anywhere but cyber?
Matt Franko: I would say statistically we have seen this out in the field as we are working and consulting with clients. It is fair to say that everything is on the chopping block, not just cybersecurity spending. Across the board, organizations are looking for ways to contain cost, and cybersecurity is one of those.
We have seen lots of organizations cutting their spending, and some are sacrificing some of their protection mechanisms. We have seen a lot of organizations that we have helped—specifically, going through their cybersecurity budgets and finding things that they are double-paying for.
A lot of organizations may have licensing for a tool that provides cybersecurity protections, and they are also paying another provider or looking at another tool to get those same types of protections. We have seen a lot of organizations go through that—where they are looking at their cost-benefit, but making sure that if you are removing a control, if you are removing a technology or removing a spend, that you are still managing the risk in the same way, but just in a more efficient way.
Tassa: Part of the challenge for boards in an oversight role is not getting too far into the weeds on some of this stuff. What is your advice there? What is the right level of getting in deep enough to be able to know the risks and flag them versus relying on the CISO (chief information security officer) to really be managing it and bringing things to the board on a need-to-know basis?
Franko: I have been lectured numerous times by board members on what the role of a board member is and where and how they should be playing. So, I think it is walking that fine line of not getting too involved and trying to get too deep into the weeds, but also getting the right amount of information.
It is a matter of demanding transparency. Where in the organization does cybersecurity report? A lot of organizations may have a CISO, but the CISO is reporting up through IT or up through the chief financial officer—the individual who is making a lot of the budget cuts and probably has the most riding on cost containment.
Some of the questions you should ask would be around how you determined these changes you're making. How have you assessed the risk it will present to the organization? How have you worked with the business? In my view of a CISO, your job is to identify risk, communicate risk, provide advice and guidance, but you do not own the risk. That risk lies with the business. So, has the business been involved to say, “We are okay with these changes and willing to accept what they are and how it increases our risk profile”?
Another thing might be to get a third party involved. Has a third party reviewed what we are changing to make sure that we are still effectively managing what we have from our risk profile, and then aligning with industry standards and industry best practices as we make those changes?
Tassa: That's a great segue to the value of a third party to come in and validate that the company is taking an appropriate cyber approach to the business. If a board were to work with its management team to bring in a third party, what are some of the red flags it should be looking for the third party to uncover? Then, how do they prioritize, particularly in a cost-containment environment?
Franko: We come back to that transparency. So, is that report going directly to the board, using internal audit as the independent sponsor of that assessment? Boards receive third-party reports that are focused on financials all the time, but we don't see that as much from a cybersecurity standpoint without it going up first through the CISO, the CIO and so on. So, transparency again becomes key.
Regarding the red flags, they're going to vary a lot. One thing I would focus on is whether the cybersecurity spend is keeping up with the growth of the organization. As we look to contain costs, whether the economy is struggling or not, there are still organizations that are growing. They're still going to be making investments in digital transformation because those are, in some cases, going to be cost-cutting measures. But if cybersecurity spend is not keeping up with what the organization is doing, and the cybersecurity activities or the group itself is not heavily engaged in the digital transformation activities, that would be a big red flag.
So a question I would ask here is: Where is cybersecurity involved in our process in terms of going to market or digital transformation? Is it at the end? Is it after we've already pushed stuff where it is publicly facing now, or are they involved at the beginning? And what are we doing and how are we considering it?
Tassa: I’d like your quick take on cyber liability insurance—we get a lot of questions around this. Prices are going up. Is it OK not to renew, or is it needed more in some economic, political times than others?
Franko: This is an easy one for me. I would never tell anyone to not have cyber liability insurance. It is like health insurance, D&O (directors and officers) insurance.
It is always a good idea to have it, especially in today's environment. The average ransomware incident nowadays runs anywhere from high six figures to low seven figures. You want to make sure that you have protections in place. As boards, we understand risk. It's a matter of, from a risk perspective, what are we mitigating? What are we accepting? Then, anything that is in that gap between, what are we not willing to accept?
I know that premiums have gone up. Insurers have changed the way they are actually providing coverage. So it's just important that, as an organization, as board members, we're asking who's involved in the process.
If the CISO is not heavily involved in the cyber liability insurance process, that should be a red flag that something's wrong there. If an organization cuts their cyber liability insurance as a cost-cutting or a cost-control measure, it would be good to ask, “Hey, what did the CISO say about this?”
Tassa: Great advice. As we wrap, what is one takeaway? There are a lot more than one, but one good takeaway that any board member listening should bring to his or her next board meeting.
Franko: I would say the most important thing is to understand while cyber incidents are down—and we've seen a lot less activity, I would say, in the last year—now is not the time to take your eye off the ball. We have got to stay strong and firm on effectively implementing and continuing to build good cybersecurity programs.
My suggestion to board members is to make sure that you are staying educated on cybersecurity, and you are challenging management on the decisions that they are making around cost containment and how they are still effectively managing the cybersecurity risk associated with those cost-containment decisions.
Today, board risk management means providing CISOs the resources and voice they need to tackle evolving cybersecurity challenges.