There is a strong and growing emphasis on IT governance in American corporations, and cybersecurity and risk assessment has been a major factor in that trend. Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) enjoy new clout in governance meetings, and boards often interact with them directly now.
As with many aspects of risk management, this growing emphasis is driven largely by lawyers. In recognizing that the data that companies are collecting for strategic purposes might also represent a significant vulnerability, risk management specialists are now forced to question whether the value of accumulating customer data is worth the potential losses resulting from a security breach.
Although the answers are not always clear cut, the effect is a new emphasis on quantifiable returns from IT data gathering, and assigning dollar values to the security practices that protect against those risks.
CISOs, CIOs, and CTOs (Chief Technical Officers) have taken on roles to extend the board’s governance role into the day-to-day management of technology and data. In addition to their former roles as chief geeks in charge of keeping the network plumbing running, they are now responsible for:
- Establishing and enforcing firm policies around cybersecurity practices and responses
- Creating a culture of compliance within their organizations
- Educating both technical and non-technical staff on cybersecurity best practices
In the age of outsourcing, they also spend a lot of time reviewing contracts to ensure compliance and good cybersecurity practices at third-party vendors who may have access to company data. The 2013 Target breach, many CIOs will remember, was performed through an HVAC contractor who had been given access to Target’s internal network. Today, strong cybersecurity government and risk management would mandate a fuller review of the contractor’s own cybersecurity practices before awarding a contract with such expansive access.
One of the Worst Failures of Cybersecurity Governance in US History
Christmas of 2013 was not a very merry one at U.S. retail giant Target.
The day after Thanksgiving, hackers had penetrated the store’s internal network and installed a memory scraper named “Reedum” on every single one of the Point of Sale (POS) registers at every single store. During the 17 days the penetration went undetected, the hackers harvested more than 70 million customer credit card numbers.
When Target’s IT staff noticed the breach and notified management, the company sat on the news for almost a week, trying to figure out how to handle it. Whatever conclusion they came to, it didn’t help much when the news broke. Sales dropped by four percent, right in the middle of the busy Christmas rush. The company began laying off staff– almost 500 by January. By February, the costs from the breach had exceeded $200 million. By May CEO Gregg Steinhafel was gone.
But that was just the beginning. The lawsuits started not long after, and kept coming. Banks, consumers, and shareholders had all suffered damages, and all filed suit alleging breach of fiduciary duty, gross mismanagement, and waste of corporate assets. In 2014, the suits expanded, directly naming the company’s directors and officers. The failure, it was alleged, was not merely in the nuts and bolts of firewalls and password policy and IT department patching protocols– it was a failure of governance and risk management—the direct responsibility of corporate officers.
To date, Target has paid out almost $120 million in settlements over the 2013 breach, and the costs may continue to mount.
The incident simply served as the latest warning flag for corporate officers and risk management professionals that cybersecurity belongs at the top of the agenda in governance meetings today.
Doomsday Events Like the 2013 Target Breech Get Lawmakers and Corporate Principals to Act
Historically, IT governance has been a thorny issue that many businesses preferred to put off or delegate to junior managers. This might have been the acceptable approach through the seventies and eighties, but as cybercrime began to rise in the nineties and early part of the 21st Century, cases like Target, Heartland Financial, Home Depot, and many others made it abundantly clear that failing to take firm control of IT and cybersecurity efforts meant mounting risk to corporations and consumers that could end in doomsday scenarios like the 2013 Target breach.
If the lawsuits that were filed in each of these cases weren’t enough, state legislators and federal regulators began to make it clear through new laws designed to require corporations to release information related to security breaches of corporate computer systems.
Forty-seven states currently have laws on the books requiring corporations to notify consumers in the event of data breaches. In a 2014 speech delivered in the wake of the Target breach, Securities and Exchange Commission (SEC) Commissioner Luis Aguilar signaled that cybersecurity was the direct responsibility of the board of directors.
In 2011, the SEC issued its first guidelines for mandatory cybersecurity risk disclosure at public companies. In 2014, the agency followed up on the increasing number of consumer data breaches by conducting direct inspections of cybersecurity measures through its Office of Compliance, Inspections, and Examinations, the so-called “Cybersecurity Initiative.”
Meanwhile in the healthcare industry, HIPAA, the Health Insurance Portability and Accountability Act, has upended cybersecurity governance and risk management practices entirely– and largely for the better.
Advanced Degrees and Certification: Educating IT Professionals and Executives on the Principles of Risk Management
The current level of attention to governance and risk management is not something that has come easy to corporations and governments and has required adjustments at every level. Fortunately, many advanced degrees being offered today for both business and technology professionals include guidance on risk management and compliance principles.
Governance issues are a key part of the curriculum in graduate degree programs related to information systems, and it is considered a standard domain when studying cybersecurity at the master’s level.
For IT staff that do not otherwise require advanced degrees, certification programs are now beginning to offer specific modules or domains dealing with information security risk management and governance.
The Certified Information Systems Security Professional (CISSP) track has a knowledge domain specifically dedicated to Information Security Governance and Risk Management, which covers:
- Risk management frameworks
- Risk analysis procedures
- Loss/risk assessment formulas and asset valuation
At all levels, IT departments can expect increased interaction with executive boards and corporate risk management specialists in order to adapt cybersecurity policies to address both technical and legal vulnerabilities.