The need for a board-level Cybersecurity Committee

Just the past 12 months have seen one massive corporate security breach after another. Major retailers (Target, Home Depot, Neiman Marcus, Sony Pictures), e-commerce sites (eBay), and financial institutions (JP Morgan) have all been victims.

Taken individually, digital security breaches serve as a warning for executives and security professionals to remain vigilant. However, when every major breach shares the same telltale strategy, it is a sign that there is something more fundamentally broken in enterprise security that must be addressed.

It is crucial that the board require management to present their policies on cyber security. Request that management write up their security practices and standards, and their protocol for responding to a security breach. The board should be able to identify the manager responsible by title, and in what time frame they are to respond to an intrusion. In the event of a cyber-breach, the board should schedule an update from the security committee on any forensic review. The company may need to disclose any data breach in SEC filings if the breach was material. Your board might be surprised to find out that a court considers failure to disclose a cyber-attack as a “material omission,” according to some interpretations of new SEC guidance on disclosure.Just the past 12 months have seen one massive corporate security breach after another. Major retailers (Target, Home Depot, Neiman Marcus, Sony Pictures), e-commerce sites (eBay), and financial institutions (JP Morgan) have all been victims.

Taken individually, digital security breaches serve as a warning for executives and security professionals to remain vigilant. However, when every major breach shares the same telltale strategy, it is a sign that there is something more fundamentally broken in enterprise security that must be addressed.

There are several important similarities in these attacks, all suggesting that your company’s data security protections need stronger oversight:

- Security looks for the first step, but misses the lifecycle of an attack. Traditional online security structures attempt to detect and block malicious payloads (either a piece of malware or vulnerability exploit). In a modern attack, the initial compromise is just a means to a much larger end. The vast majority of security technologies are not designed to see the so-called “long con” of an attack. Even though the security industry continues to develop more and more advanced methods of detecting individual pieces of malware, there is still too little ability to see the larger attack that follows after the malware.

- There are infinite opportunities for security systems to fail. As computing and business has evolved, the “attackable” areas of the enterprise have become nearly impossible to secure. Employees use mobile devices that are routinely outside the corporate firewalls. Corporate applications and data are increasingly both inside and outside the perimeter.

Online security has become incredibly complicated, and corporate directors may not even know the fundamental distinctions between the various types and motivations of online intrusions.

Step one for every board is to understand that it is supposed to be offering oversight on these risks as part of its fiduciary duty. The board needs to assure there are internal controls in place to protect the corporation’s cyber assets. The stakes are high. A study found that up to $21 trillion in global assets could be at risk from cybercrime. What is needed is a solid board structure for monitoring and managing cyber risk in the company. To begin, I recommend is a series of committee briefings so “cyber security” is demystified and better understood. However, given the complexity and dangers involved, The time has come for boards to create a dedicated cybersecurity technology committee.