Directors need to take their cybermetrics

By Cate Chapman on October 15, 2015

Companies tend to narrowly focus on IT risks that are limited to personally identifiable information and the related systems that protect such information.

But that is only a part of the discussion that should be happening in the boardroom, according to a report by PwC.

“Beyond the interrelationship of IT risks with strategy and operations, a holistic approach to the reporting of cybermetrics can result in a comprehensive view of the IT risk universe, providing more valuable and effective information to directors,” the global consulting firm said.

Stakeholders nowadays expect directors to have broader IT oversight, and the economic crisis has sharpened the focus on the information disclosed by companies and, in particular, the role of the audit committee. That makes this committee the portal through which all IT security relevant to protecting a company’s most valued digital assets should flow.

Audit committees are best positioned to provide documentation and clear evidence of governance and accountability; effective risk assessment processes; security programs based on an assessment against a recognized framework; and the monitoring of the progress of the security program and compliance with internal controls—all of which serve to protect the company’s “IT-security owner” and the board from the scrutiny of regulators and plaintiffs.

Whether as the chief information security officer, CIO, COO, CFO or chief risk officer, the person responsible for IT security should have this role documented in his/her job description and an appropriate role as part of the company’s leadership team.

And companies should give consideration to whether other individuals, particularly at the business-unit level, need to have a similar role that supports the IT-risk owner, PwC said.

Then communication channels should be set up between directors, the IT security owner and management, a task that can be driven by the audit committee.

The global consulting firm’s 2015 Annual Corporate Directors Survey found 65 percent of boards are communicating with the company’s CIO at least twice a year. But only 21 percent of directors believe their companies’ IT strategy and risk approach is supported by sufficient understanding of IT at the board level, and many directors view IT specialists as too technical and lacking in effective communication skills, PwC said.

“It is common for directors to be frustrated with their interactions with management regarding cybermetrics and IT in general,” the report said.

Audit committees should push management for dialogue that:

  • Uses plain English and avoids industry and technical jargon;
  • Delivers specific responses to questions versus vague answers;
  • Focuses on the “value proposition” of IT security initiatives, expenditures, and proposals;
  • Creates a candid dialogue with directors that encourages a discussion of concerns; and
  • Presumes that pre-reading materials have been reviewed in advance of the meeting.

Baseline information for directors can cover a variety of aspects of the company’s IT systems, including:

  • Coverage by a cyberinsurance policy. Directors should understand the company’s position on cyberinsurance coverage, and if applicable, what the policy covers (and, more importantly, what it doesn’t cover), levels of coverage and policy limits. It can be useful to understand how a company’s policy benchmarks against other companies in its industry.
  • Protections over the “crown jewels.” An understanding of the company’s most valuable and sensitive digital data and mission-critical systems and how they are maintained. Crown jewels are fundamental to the brand, business growth, and competitive advantage. They also include sensitive information the company has custody of, for example, customer credit card information.
  • Identification of needed IT upgrades. When companies delay discretionary software upgrades or replacing legacy IT infrastructure―“deferred IT maintenance”―it can create greater risk. Also, testing the company’s ability to recover mission-critical systems in the event of a failure is important.
  • Current and desired state of cybersecurity program. A risk framework is used by a company to help think through, organize and evaluate its cybersecurity risk program. Such frameworks can include the Commerce Department’s National Institute of Standards and Technology Cybersecurity Framework (“NIST Framework”), ISO 3100: Risk Management – Practices and Guidelines, COSO: Enterprise Risk Management – Integrated Framework, and ISACA frameworks of COBIT 5.
  • Status of IT “health.” Baseline information should include benchmark data related to budgeted and actual security investments made by the company compared to industry/peers.
  • Evaluation of the tone at the top. Directors should evaluate the extent and rigor of senior management’s communications focusing on the importance of cybersecurity at the company. Current and former employees are cited as the culprits of security incidents more often than any other threat actors, according to an information security survey this year by PwC.

Dozens of additional metrics for consideration include those pertaining to systems infrastructure (e.g., level of unplanned downtime due to security incidents and IT outages), third parties (e.g., providers with access to the company’s crown jewels), mobile computing (e.g., number of authorized and unauthorized mobile devices accessing IT systems), big data (e.g., efficiency in converting raw data into usable information to improve operations), social media (e.g., percentage of employees trained on cyber policies and practices related to social media), cloud computing (e.g., cost of services compared to typical run rate of IT department), and international travel.

Again, the most relevant are those that relate to protecting the company’s most important digital assets.

With respect to these, the audit committee should:

  • Discuss and agree on the prioritization of the most important of the other metrics, with a focus on the top 10 or 15.
  • Evaluate baseline metrics to understand the company’s current cyber and IT environment and the gaps to achieving its desired cyber state.
  • Ask whether management took a holistic view of IT risks beyond basic cybersecurity when considering cybermetric reporting to directors.
  • Evaluate whether the cybermetrics being presented to the directors enhance and maximize the oversight function.