Directors identify cyber-risk as one of their top areas of concern in the current environment, as attacks have become more sophisticated and have extended beyond theft of information to serious business interruption and loss. No company, regardless of size, is immune to cybersecurity risks, including ransomware attacks, malicious code and vulnerabilities passed along by its own business partners and employees. As our panel put it: as board members and executives, everyone in the room either is or will be the target of an attempted cyber attack.
Discussion Summary and Key Takeaways
The landscape of cyber-risk has evolved from intrusions targeting intellectual property and personally identifiable information, largely by cyber-criminals, to include attacks by nation states whose objective is to seriously damage or impede the conduct of business. Boards need to be concerned not only with their company’s ability to prevent, detect and repel attacks but with the company’s “cyber-resiliency”: the speed with which a company can recover its data and resume operations after an attack.
It’s critical to know what your assets are and where they are held. Intruders approach a business not only directly but also by exploiting trusted relationships with third parties, open-source software and points of interconnection. All businesses, regardless of size and the sophistication of their IT infrastructure, need to know who is storing or managing their data and who is interconnecting with their systems.
Boards also need to ask about incident management plans and about testing of controls and remediation processes. This should extend beyond the IT department to include the cyber-resiliency plans of lines of business and corporate functions.
The FBI in Newark, NJ established a cyber unit in 2002 that not only investigates incidents reported to it by companies but also shares information that may help companies avert or identify an attack. Directors should understand whether the company has a relationship with the FBI and whether it makes sense for the company to reach out proactively, before an incident occurs. The FBI can also work with a company’s technical staff to assist in remediation.
Boards should be generally aware of who is responsible for cybersecurity and what resources are invested in cybersecurity protections and readiness. The Chief Information Security Officer, or the person who performs that function, should meet with the Board at least annually and have a channel of communication to senior leadership regardless of where he or she reports. The Board should ask that individual where he or she would like to invest if the funds were available.
Some of the other key questions that Board members should also ask:
What are the company’s “crown jewels,” where are they held, who has access?
What are the controls applicable to those assets?
What is the maturity of the company’s cybersecurity protections? Should there be a third party evaluation?
How often does the company perform tabletop exercises for cyber incidents, as well as business continuity exercises, including backup and restore?
What is the company’s relationship with the FBI?
Does the company have cyber insurance, and what does it cover? Does it cover fines for violation of privacy laws such as the General Data Protection Regulation (GDPR) and breach notification statutes?
What is the cybersecurity budget and how is it spent? What are the benchmarks for spending on cybersecurity for companies of your size and industry? Where does the company fall within those benchmarks?
What are the qualifications of the leader responsible for cybersecurity?
What are the Board’s own processes for protecting its communications from intrusion?
Download the NACD Director's Handbook on Cyber-Risk Oversight.
Jon Rose, Former Chief Security Officer, Dun & Bradstreet
Jon Rose is a seasoned IT security leader and advisor to business executives and technology teams, specializing in business risk. Jon currently manages a security consulting practice, RedSky Security, based in New York City. Prior to consulting, Jon served as the Chief Security Officer for Dun & Bradstreet, where he managed the strategic direction and operations of D&B’s agile security team. In that capacity, he was responsible for securing more than 240 million business records associated with $1.7 billion in revenue. Security Magazine named Jon one of the top 10 CISOs in his field in 2015.
Jon launched his career in Washington, D.C. as a security specialist at TWM, a defense consulting firm focused on military systems for the Department of Defense. He was previously employed at Ernst & Young’s Giuliani Advanced Security Center as an independent consultant advising business executives and technology teams responsible for managing the complex risks associated with IT security.
Jon studied Computer Information Systems and Management at James Madison University.
Marene Allison, Vice President and Chief Information Security Officer, Johnson & Johnson
Marene Allison is responsible for protecting the company’s Information Technology (IT) systems and data worldwide through the elimination and mitigation of cybersecurity risk. This includes ensuring that the J&J information security posture supports business growth objectives, protects public trust in the J&J brand, and meets legal and regulatory requirements. With 265 companies in 60+ countries, J&J is a leader in consumer health and pharmaceutical products worldwide.
Prior to joining Johnson & Johnson, Marene was Chief Security Officer and Vice President for Medco; before that she was head of Global Security at Avaya Inc., Vice President of Loss Prevention and Safety for the Great Atlantic and Pacific Tea Company, and a Special Agent in the FBI working on undercover drug operations and anti-terrorism.
Marene has a Bachelor of Science degree from the United States Military Academy at West Point and served in the US Army Military Police.
Brett Yeager, Supervisory Special Agent, FBI Newark Division's Cyber Task Force
Brett entered the FBI in 2009 and was assigned to a Newark Cyber Squad, where he investigated criminal and national security computer intrusions and theft of trade secret cases. In 2015, Brett accepted a supervisory position at FBI Headquarters in the Cyber Division, where he was a national program manager for large-scale national security intrusion investigations, coordinating closely with other members of the U.S. Intelligence Community. Brett returned to FBI Newark in 2017 and began his current supervisory role. Prior to joining the FBI, Brett worked as an Engineering Manager and Electrical Engineer, designing electronic circuits for industrial and military applications. Brett also served for six years in the military.