In this Help Net Security interview, Tom McAndrew, CEO at Coalfire, discusses the balance organizations must strike between legal compliance and effective enterprise security governance in the context of evolving regulatory frameworks.
McAndrew also addresses the need for clear governance structures and regular board reporting to effectively oversee cyber risks and incident response plans.
In light of increasing legal and regulatory frameworks, such as HIPAA and GDPR, how should organizations balance legal compliance with effective enterprise security governance?
As legal and regulatory frameworks continue expanding, it is necessary to find the balance between effective security governance and maintaining compliance with legal requirements. While a risk-based approach has long been the dominant theme, the privacy-by-design approach is finally gaining the attention many of us have been preaching for years.
Using a risk-based approach that identifies and prioritizes risks and understands the who, what, when, where, and why of data allows organizations to focus on what is truly important and most risky, and apply the appropriate policies and controls to that data.
The privacy-by-design approach, which is simply “to protect individual privacy and data protection through intentional design choices”, takes a security-first approach by ensuring security and privacy controls are embedded into systems at the development stage and not as an after-the-fact bolt-on control.
Finally, organizations must overcome the cultural barriers to more formal collaboration between internal organizations such as IT, cybersecurity, legal, HR, etc., that will ensure more organizational harmonization of policies and procedures.
How do you recommend organizations develop effective reporting mechanisms for boards of directors to understand and oversee cyber risks? What metrics or KPIs should be a part of regular board-level reporting?
Board reporting for cybersecurity and compliance should become both more frequent and more concise. Consistent dashboards that are updated regularly and highlight strategic issues like compliance with reporting standards, as well as more tactical issues like patch management efficiency and mean time to detect (MTTD) and mean time to respond (MTTR), are effective metrics that can provide the board with a good sense of security program effectiveness.
Board members should not be expected to be cybersecurity experts, so it is the security teams’ responsibility to present information in a clear and easily understood manner that conveys trends related to cyber risk and their potential business impacts.
What governance structures are most effective in preventing conflicts of interest between the CIO and CISO?
The most important component in preventing conflicts is a clear design of roles and responsibilities that eliminates any opportunity for misunderstanding related to activities and authorities. I’ve advocated for years that the CISO should not report to the CIO, since there is an inherent conflict of interest, but rather report directly to the CEO. There is also a growing trend for CISOs to have a role on the board of directors’ cybersecurity committee, which provides both direct line access and unfiltered communication with the board.
How should a company’s board of directors establish its role in developing and overseeing an enterprise security program? What practical steps can boards take to ensure they are adequately informed and engaged in security oversight?
I’ve advised hundreds of boards, from Fortune 100s to startups, on the boundaries of their cybersecurity governance. As more regulators delve into cybersecurity, I’ve seen an uptick of board angst as they feel more pressure to gain cyber fluency. The good news is that boards are responsible for governance, not cybersecurity operations, which helps create a bright line between the board and the executive team.
So while the SEC’s updated cybersecurity rules require companies to describe their boards’ oversight of cybersecurity risks and assign risk assessment to day-to-day operators, actual execution of operations remains with the executive team.
A practical step boards can take to enable oversight is to ask for monthly CISO board reports as a starting point to understand the business risks stemming from cyber. These reports provide visibility into cybersecurity actions and outcomes, which boards can factor into business risks.
What are the key elements of an effective incident response plan from a governance perspective? How should boards be involved in incident response testing and planning?
Cybersecurity is simply another risk in the smorgasbord of corporate risks that include compliance and regulatory risk, financial risk, reputational risk, competitive risk, and many others. From a governance perspective, a clear understanding of roles, communication protocols, and how the cybersecurity incident response plan is aligned with the broader corporate risk framework is what separates the good companies from the bad companies.
While incident response is purely an operational function and the responsibility of the corporate executive team, the board has a role and should be familiar with the plan, as well as understand how it is based on the organization itself and the evolving cyber threat landscape.