By Russ Banham
The deluge of data breaches that has cracked open some of the world’s best-known companies should put members of corporate boards on notice. Though most board members are not experts in cybersecurity, they carry a heavy burden of responsibility for helping to prevent data breaches.
Because board directors and senior executive managers can be held personally liable by shareholders, investors and customers for a substandard cybersecurity program, they need to be certain that the program meets or exceeds industry standards before giving it the thumbs-up.
Otherwise, they could find themselves in the crosshairs of litigation.
The goal is to implement the best program possible — one that is not just technically competent but also litigation-ready, said David Mahon, chief security officer at CenturyLink and a former FBI special agent. “You need to design a cybersecurity program that protects your assets against all reasonable and known realistic threats,” Mahon explained. “This way, you have a better chance of your program standing up favorably in a court of law and showing you took your ‘duty of care’ seriously.”
“Duty of care” is a legal obligation requiring businesses and individuals to adhere to a standard of reasonable care while performing acts that could foreseeably harm others. In the case of cybersecurity, insufficient duty of care could lead to the hacking of customers’ personal data and legal claims of negligence by victims.
Is Your Staff Up To The Task?
One challenge with assembling a top-notch cybersecurity program is that the threat is a moving target. Consequently, yesterday’s standard of care may not be tomorrow’s best practices. Another challenge is the expertise of those entrusted to manage cybersecurity. In many organizations, information technology staff was recruited mainly to improve operations. Managing business technology today requires different viewpoints.
“It’s the difference between thinking about a technical solution to make processes more efficient, and thinking about potential adversaries to secure your networks and systems,” said Mahon. “If the information security leader is called before the court to testify following a cybersecurity incident, you want to be sure they can authoritatively attest that the company had robust enterprise-wide security standards in place, which the board and senior leadership team strongly vetted and reviewed before approving.”
Find Answers To Order Fixes
To adequately assess a cybersecurity program, business leaders need to ask probing questions, Mahon said. Here are six to ask the security lead at your organization.
- How do we know that the cybersecurity strategy is top-notch and incorporates best practices?
- Have we put in writing a cybersecurity vision statement declaring our objectives with regard to the risks we confront and how we should deal with them?
- Is the cybersecurity program strongly linked to corporate strategy? In other words, does it take into account our planned growth organically and through mergers and acquisitions, and address the security issues created by our vendors and other partners?
- Does the strategy lay out remedial tactics were we to suddenly come under cyberattack? Exactly how will the incident response plan respond to the breach and why did we select this particular approach?
- Have we trained our employees to be cognizant of social engineering hacking schemes and the risk of losing a company laptop that has inadequate password protection? Have we explained to them why this is vitally important and provided training?
- Lastly, can we document that these issues are fully addressed on a consistent, ongoing basis?
And these are just a few suggestions to get the discussion going.
“The important thing to keep in mind is that many of these same questions will be asked in a courtroom if a lawsuit is filed in the aftermath of a data breach,” said Mahon. “You want to be sure your IT people on the stand don’t say they regrettably overlooked that particular issue.”