Security in the boardroom: technology change, risk management, and duties of care.
Boards are fundamentally responsible for the health of the organization they oversee (they all, whether their organization is for-profit or not-for-profit, have a duty of care and a duty of loyalty). The current reality is that assessing and managing cyber risk has become indispensable to any organization's prosperity and even survival.
The Chertoff Group's Security Series event, "Security in the Boardroom," was devoted to helping boards navigate that new imperative.
Jim Pflaging, Chertoff Group Principal, Technology Sector and Strategy Practice Lead, set the stage with a brief greeting. He reviewed recent cyber incidents that have had a direct and immediate effect on companies—the NotPetya pandemic serving as the prime example—to highlight the risks boards now need to address. Pflaging noted that directors often say their ability to manage those risks is impeded by their own lack of domain expertise, the desensitization they experience from repeated warnings and bad news, and the excessively technical way cyber issues are presented by the media and by their own security leads.
While the focus of the conference was on how boards of directors could understand and approach their responsibilities for cybersecurity, the presentations and discussions were more far-ranging than the topic might suggest. Typically such conferences enjoin CISOs to approach the board with a business case for security, couched in language accessible to board members with a business background, and they urge board members to understand cybersecurity as an exercise in risk management, with due attention paid to the familiar range of threat actors and their tactics. This sort of advice is certainly valuable (and such valuable advice was exchanged during the Security Series) but yesterday's sessions covered some ground less often traversed.
Many of the panels were devoted to exploring the effects that emerging technologies are likely to have on organizations. The families of technologies most discussed were autonomous systems, artificial intelligence and machine learning, and blockchain and distributed ledger applications. These will inevitably become matters of immediate concern in organizational risk management, and they remain imperfectly understood. The first two are still pictured in highly anthropomorphized science fiction terms (Skynet, the Terminator, etc.). The third is generally not understood at all, however often it is mentioned in the media. Thus CISOs were advised not only to seek a seat at the board's councils, but to think through the implications of technologies that are already beginning to make themselves felt and are entering corporate operations in ways that aren't generally well understood.
Other interesting points were made about the psychology and neuroscience of training, with implications for resilience and incident response under pressure. There were discussions of public policy and its implications for boards of directors, and there was some pointed cultural advice for Silicon Valley.
Sessions included the Role of the Board Director in Cybersecurity; Governance, Measurement, and Response; Artificial Intelligence and Security; Risk Management and Growth Strategy; Mutual Aid; Cryptocurrencies and Distributed Ledgers; and the Warrior Spirit.
One brief session worthy of note offered a geographer's perspective on walls as enablers rather than barriers. The spotlight session, presented by Dr. Eric Frost, Director of the Homeland Security Graduate Program at San Diego State University, took a look at the wall along the US-Mexican border as it exists south of San Diego. What he sees is consistent with the dual mission of the Department of Homeland Security: not just securing the homeland, but facilitating legitimate trade and immigration. The border as we see it today, fences, roads, and all, represents not only security challenges but also opportunities for commerce and mutual aid. He called attention to the heavy truck traffic moving across the border, the cellular and sensor networks along the fence that enable communication and even rapid cross-border disaster response, and other features of the border that are commonly overlooked. With his presentation he sought to communicate a sense not of restriction but of possibility, in a place that is an especially dense transfer point in both physical space and cyberspace.
The conference had the support of a number of sponsors: Ayasdi (specialists in the design, development, and deployment of artificial intelligence applications for the financial services, healthcare, and public sectors), BeyondTrust (proactive elimination of data breaches from both insider privilege abuse and external hacking), Ivanti (experts in visibility and orchestration for optimal service performance), Lumina Analytics (risk ecosystem development and actionable intelligence), Nehemiah Security (providers of a security risk management and analytics platform), and SailPoint (experts in identity governance). The event partners were Innovative Capital Ventures, Inc. (connecting technology companies with strategic partners) and SINET, the Security Innovation Network (the community builder and strategic advisor working to advance innovation and enable collaboration against cyber threats). There were three media partners: 10Fold Communications (an integrated high-tech marketing and public relations firm), theCUBE (specialists in live interviews, with a show covering technology, innovation, and the people they involve), and, of course, the CyberWire.