by Daniel J. Solove
A few days ago, I posted about how boards of directors must grapple with privacy and cybersecurity. Today, I came across a survey by NYSE Governance Services and Veracode of 200 directors in various industries.
According to the survey, about two-thirds of directors are less than confident about their company’s cybersecurity. This finding is not surprising given the frequency of data breaches these days. There is a growing sense of exasperation, as if we are living in an age of a great plague, with bodies piling up in the streets.
Of the directors surveyed, 80% say that cybersecurity is discussed at all or most meetings. This finding appears to conflict somewhat with some of the surveys I discussed in my post, where it seemed that a greater percentage of boards were not focusing sufficiently on cybersecurity.
The question on the NYSE survey merely focuses on whether cybersecurity matters are discussed at meetings, and I think we need to examine not just whether cybersecurity is discussed but what is being said and decided about it.
Security is complicated because it essentially requires each employee to act with a high level of awareness and vigilance, a state that is hard to sustain. Over time, corners tend to get cut more, busy people tend to do more careless things, practices tend to become sloppy. That’s human nature. Complacency sets in. Being on one’s toes isn’t an easy state to maintain.
The biggest risks to security are human errors — people putting data where it doesn’t belong, people not following policies, people losing portable electronic devices with data on them, people falling for phishing and social engineering schemes. These errors are best addressed through training. Merely showing people a PowerPoint or putting them through a program that’s the equivalent of an airline safety video is a waste of time. People must be engaged. They must care. And the message must be repeated over and over and over. I recommend training throughout the year rather than just once. Good security requires an awareness campaign. And that’s a lot more than just telling people stuff. It’s about creating a culture within an organization.
The board of directors can do a lot more to help create the right kind of organizational culture. Interestingly, the survey asked directors to indicate who should be held accountable in the event of a breach. Most listed the CEO and CIO, with the CISO ranking fourth.
In a different survey at RSA that extended to people who were not board members, 38% said the CISO’s head should roll after a breach; 26% blamed the CIO and 24% blamed the CEO.
What is interesting in both surveys is how little accountability is being placed on the board of directors. In the NYSE survey of directors, the directors ranked themselves 5th in blameworthiness, behind the CEO, CIO, entire executive team, and CISO.
The board plays an essential role in cybersecurity because it is the board that mandates the resources and attention that should be given to cybersecurity. As I said above, security is about culture, and the board needs to exercise great leadership here. That means more than just “hmm . . . that’s worrisome” or “let’s look into this a little more” or “let’s up the resources a little bit.” It means demonstrating that security is a priority through actions. It means really making a commitment.
Here are the leading fears of directors regarding cybersecurity attacks:
It is good for boards to be afraid. These fears must translate into effective action, or else the fears will become reality.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics.
Professor Solove is the organizer, along with Paul Schwartz, of the Privacy + Security Forum (Oct. 21-23 in Washington, DC), an event that aims to bridge the silos between privacy and security.