
ASK THE EXPERTS: Seven Global Leaders Advise on Digital Risk

Daren Dunkel, Intel Security

United States Cybersecurity Magazine

“The time for complacency is over. Every company is vulnerable to cyber-attacks and directors have a responsibility to ensure that resources are deployed to detect and defend against them.”

– Nicole Eagan, CEO of Darktrace

In 2015, senior executives and their board members have been challenged with cybersecurity threats to their businesses that their predecessors never had to face. Cybersecurity impacts all areas of a networked business and redefines risk as a real-time threat to overall operations, company reputation, and shareholder value. The stakes are high and the threats are constantly evolving.

In this article, I asked seven leading cyber experts for the advice they would provide a board of directors heading into 2016. These experts include a Fortune 500 CISO, an international cyber VP, cyber entrepreneurs, a former intelligence community executive, and two CEOs of leading cybersecurity companies.

The four domains of American warfare have historically been land, space, air, and sea. Five years ago, our government declared cyberspace a new domain of warfare. The FBI has deemed cyber-attacks the greatest threat to our nation and its number one priority, trumping international terrorism and domestic crime. Like the FBI, priorities for major corporations and their boards are also evolving. Cyber is now front and center on everyone’s agenda, and boards are starting to realize that it is their responsibility to understand and protect their organizations against this digital risk. Tom Kellermann, chief cybersecurity officer at global security software and solutions company Trend Micro [1], states that “Cybercrime is the number one criminal priority of the FBI. Cybercrime directly impacts operational and reputational risk. Risk management must improve to tackle this reality. This is a brand protection issue. As a result corporations must invest in next-gen security.”

As is typically true in crime of any type, the bad guys are always one step ahead. To put daily threats in perspective, consider this statistic from McAfee Labs: while its team saw 25 new threats per day in 2005, this year the team sees 486,800. These threats have escalated to the point where individuals, commercial industry, and governments worldwide understand that if the top hackers want to get in, they will. It is crucial to understand criminal intent and position your organization’s ability to adapt post-breach. “In the digital economy, CEOs and Boards must put in place an effective risk management framework to deal with today’s persistent and evolving cyber threat environment,” commented Chad Sweet, co-founder of the security intelligence advisory Chertoff Group [2]. “The framework must identify your critical assets, provide for early detection and continuous monitoring, and ensure a robust recovery plan for when a cyber intrusion does occur.”

“In today’s asymmetric threat environment, success cannot and must not be defined with stakeholders as never being penetrated,” Sweet continued. “We must reject the old paradigm of the ‘Great Impenetrable Cyber Firewall’ and instead embrace a new resiliency paradigm more analogous to the human immune system. Our bodies are constantly invaded by bacteria, but we detect it, kill it, and move on. Similarly for boards, expectations should be that your enterprise will be penetrated but can be resilient enough to operate under continuous attack. Your ‘corporate body’ can have a healthy cyber immune system that efficiently deals with infections and moves forward with improved resiliency.”

A large part of corporate cybersecurity health is understanding your company’s supply chain from start to finish. In the Target Corporation breach, a small HVAC contractor had its business email breached, leaving Target vulnerable to attack “upstream,” with a huge detrimental effect on the corporate brand, customer base, shareholder value, and leadership (Target’s CEO lost his job, and its Board of Directors faced lawsuits).

Understanding the underlying risks of the supply chain has always been a responsibility for boards. As modern business becomes more digital, this risk factor morphs dramatically to include software, and risk protection integrates more tightly with physical security. “Among the duties imposed by law on boards of directors is the fiduciary duty to protect the company’s assets,” said Richard Marshall, a former National Security Agency executive, supply chain expert, and legal advisor to multiple Directors of the NSA [3]. “Historically this has been limited to physical and financial assets, but today the scope of that responsibility has expanded exponentially through the application of information technology. In the modern business environment, every aspect of a business operation from strategy to sales to human resource management, accounting, customer lists, business plans, and product development is documented digitally. Preserving the confidentiality, integrity, and availability of a company’s digital assets is critical to maintaining competitiveness. In order to do so you must have an aggressive supply chain risk management program in place. It is not enough to know the originating source or province of each component that contributes to business success; you must also be aware of and address any and all risk factors that may be introduced in the supply chain.

“For example, what is the country of origin of your IT hardware and software? How trustworthy are the entities involved in the designing, coding, assembling, and shipping processes?” Marshall queried. “The threats to a company’s digital assets come not only from Internet attacks but can also come from malware introduced into hardware and software at the point of origin or in subsequent processing or shipping steps in the supply chain. Ignorance is no longer a defense in a stockholder suit for failing to protect digital assets!”

As with risk of any type, total protection is impossible and more spend does not always equate to more protection. Best-of-breed technology is great, but if the technologies operate in silos and don’t share threat information with one another, are you really getting the best value out of your security investment? Digital risk is actually much harder in many respects to counter than physical risk. Digital risk has the ability to scale globally in seconds and makes attribution exponentially harder than with physical security. Organizations need to be able to prioritize risk and understand which cyber threats pose the highest threat. This requires a clear understanding of your specific business and its operations.

Think like the adversary. What are your firm’s most valuable assets? Who would want to steal them, and why? How might an adversary attack your company? What is the adversary’s intent? At day’s end, intent equals consequences. There is a big difference between a denial of service attack on your website and stealing the IP (intellectual property) for your company’s next blockbuster product. “With respect to managing cyber risk, more security spend doesn’t necessarily equate to less risk,” noted John Watters, founder, chairman, and CEO of cyber threat intelligence company iSIGHT Partners [4]. “In order to efficiently manage cyber risk, it is important to first construct a register of the most impactful cyber threats that the enterprise faces, then purpose-build a set of cybersecurity programs to counter these threats prioritized based on impact values of each specific threat.”

Cyber education at all levels of the organization is a critical issue that needs more focus. Executives and boards must be educated on the multitude of risk factors that cyber represents to their respective organizations. Continuous learning about cybersecurity should be included in employee training and management development. On top of just having a cyber program, companies need criteria to evaluate the success of the program and continuously adjust. As is evidenced by the constantly changing threat landscape, you can’t set a cyber program and leave it alone.

ADP CISO Roland Cloutier is constantly educating his board of directors on cyber [5]. “Educating the C-Suite starts with security executive self-education on the business you are protecting. By knowing your business’s go-to-market, future strategies, and operational imperatives, you are in a better position to be able to articulate the security issues and needs of your business in a way they will comprehend,” Cloutier said. “Secondly, transparency and visibility are critical in the education process. Being prepared to show them their end-to-end business through detailed analysis, the controls and security considerations directly within their business, and the level at which you can or cannot protect them is all part of the awareness process. Create simplified data representations and visualizations of their risks and options to guide the discussion in a business context.”

Cyber is an evolving, sophisticated, and advanced threat to the operations of businesses large and small. This digital threat has actually changed the nature of risk that organizations and their boards of directors must prepare for and respond to. Information technology represents a windfall to business productivity (and society); there is no turning back now because the benefits are too great. However, boards must realize that hacker groups, criminal organizations, and governments leverage the same technology for crime and espionage. Perhaps the best advice to boards of directors is “think like a criminal” and respect the way these adversaries constantly innovate and try new tactics. “You cannot afford to be scared of cyber risk,” said Patrick Dennis, CEO of Guidance Software [6]. “It’s just another risk. Boards have managed risk for years. Institutionalize these risks in your existing risk process and allocate budget accordingly.”

Sources

1. http://blog.trendmicro.com/author/tkellermann/

2. http://www.chertoffgroup.com/security-services.php

3. https://www.linkedin.com/in/rmarshall141699

4. https://www.youtube.com/watch?v=uGecuNWWsLM

5. http://www.adp.com/media/press-releases/2014-press-releases/adps-global-security-organization-at-the-top-of-two-major-security-rankings.aspx

6. https://www2.guidancesoftware.com/about/Pages/leadership/Patrick-Dennis.aspx

Winter 2016 | www.uscybersecurity.net 17

About the Author:

Daren Dunkel graduated from Oklahoma State University in 2014 with a business degree in Management Information Systems and a certification in Information Assurance (IA) from the National Security Agency (NSA). He is a sales professional with Intel Security (formerly McAfee), specializing in cybersecurity solutions and countermeasures for the commercial business market sector in California and Nevada. Daren works in the domestic sales operation center in Dallas, Texas.