Plugging the Cyberliteracy Gap: In confronting enterprise risk, directors should focus on risk tolerance and liability, not threa

A former CTO of a Fortune 1000 company with significant government experience, Deborah B. Dunie has an enviable resume for board service. She discussed her work with the National Association of Corporate Directors (NACD) advisory services, which recently unveiled a suite of tools and educational offerings to help close the “cyberliteracy” gap on corporate boards. Her remarks have been edited for length and style. 

MCC: In announcing a suite of cybersecurity resources for directors, NACD referred to a lack of “cyberliteracy” in corporate boardrooms. Given your tech-heavy background, which is unusual for directors, how would you define “cyberliteracy” for a typical director?

Dunie: Simply put, it’s the capacity for good discussions with management and an understanding of cyber-risk tolerance. That’s where the NACD initiatives come in. The initiatives present an opportunity to help directors enhance their knowledge base and cyber awareness. Key to the discussion is a set of simple questions that address board and company liability. That is a very different way of getting into the topic for most people. The question becomes how quickly you can recover from a critical attack, and how you address the liability from multiple perspectives. You have to be more agile, more resilient.

MCC: NACD is partnering with Ridge Global and Carnegie Mellon on this initiative. Tell us about the certification being offered as well as the partnerships with Ridge and Carnegie, and how those can benefit NACD members.

Dunie: The new NACD Cyber-Risk Oversight Program is an online cybersecurity course designed to help directors enhance their cyber-risk oversight. It provides a heightened view of the cybersecurity threat landscape, detailed and retrospective responsibility of the board and management in cyber-risk oversight, and incorporates a cyber simulation to evaluate your organization’s preparedness. These offerings can raise awareness and arm organizations to make appropriate decisions. Taking advantage of expert educational offerings is a win-win, and the work Carnegie Mellon and Ridge Global have done on risk management over the years has been stellar for corporate America.

MCC: You’re in an interesting position as a director with a utility and gas company given the concerns about protecting critical infrastructure. Many call for more cooperation between the public and private sectors, but the private sector worries about how internal investigations are affected by cooperation with the government. You’ve worked in government and the private sector. Give us your perspective on what a successful public-private partnership looks like.

Dunie: There’s no question that the infrastructure has vulnerabilities. The government is trying very hard to promote information sharing and create an environment where it can assist with tools to help stop nefarious things from happening. For example, companies in the critical infrastructure sector can get access to valuable information, threat reporting and mitigation techniques.

For the critical infrastructure sector, the bottom line is safety. When it’s a matter of public safety, the emphasis needs to be on the constituents. Every company should have an incident response plan at their fingertips, which they should exercise, and a clear understanding of who is on point to speak for the corporation externally. No matter how good your internal team is, you can benefit from access to outside expert forensic help. And access to outside legal counsel cognizant of the jurisdictions in which you operate can help, as you may be dealing with data protected through privacy laws in an array of U.S. locales or internationally. You may also need a relationship with an outside communications firm. These are all elements of an integrated incident response plan.

MCC: In a recent report, the security firm Mandiant said that nation-states continue to be the state of the art when it comes to cyber sophistication, but that financial threat actors have caught up to the point where there’s no line separating the two. Why is the source of risk important for directors to understand in safeguarding their companies?

Dunie: It’s important because different threat actors have different motivations, and the sophistication of the attacks is ever increasing. Understanding the motivation can help inform the response to and recovery from the threat actions. Some threat actors are patient and have long-term strategic intent to inflict long-term damage. Their attacks may not play out for years. On the other hand, some actors are looking for short-term financial gain, and hackers motivated by money are responsible for a lot of the ransomware cropping up. Socially motivated hacktivists are surfing the net looking for “fun” ways to use their skillsets, and they’re not necessarily motivated by financial gain at all. 

MCC: Companies are also concerned about insider threats. To what extent do the NACD resources address that topic?

Dunie: The trusted insider is the most dangerous threat because they have the keys to the kingdom. Their motivation, too, can vary dramatically – from the disgruntled employee, to the paid operative, to the employee who isn’t malicious but gets click happy and does things to the network without realizing it. You can combat some of the latter with training and awareness.

NACD stresses a number of best practices that can help mitigate the damage insiders can inflict. You need an enterprise view of your environment to know what classes of data are sensitive and where that data resides. You don’t want personally identifiable or sensitive intellectual property roaming all over your network. You want to minimize exposure. And the folks with network and data administration privileges – with the keys to the kingdom – need to be monitored more closely.

MCC: There are more efforts, using artificial intelligence and predictive analytic tools, to figure out what the threats are before bad things happen. Is that an answer?

Dunie: You can catch bad actors using those types of methods. Much of the time, countering threats needs to happen at the speed of cyber, without man-in-the-loop decision making. Automated tools are key to self-healing network architectures, and can counter many attacks. But these systems are ever-evolving, and there’s always the zero-day attack, the one that has never been seen before – the behavior you’re not expecting.

MCC: I don’t want to get too specific about Yahoo, but the breaches have been very much in the press. As usual, we’re hearing the question, “Where was the board?” Speaking generically, where was the board? More importantly, where should the board be when these things happen?

Dunie: Clearly, the board should be available and should know about the event. There are remediation steps that could take place, and the board should be aware. Here’s the challenge: The responsibility of every board is to have people on the board who understand what questions to ask. This goes to certification programs, including what NACD is offering, which can help. You don’t have to have folks who are deeply technical. It’s more of a risk-tolerance discussion.

MCC: Board service has changed over the years. There was a time when you could get away with reading the book and going to the meeting, but no longer. There’s a lot of pressure on directors to take a more active, strategic role. What’s your take on the demands on directors?

Dunie: It is a difficult job. Understanding market dynamics and developments can require external research that goes beyond the board books, especially for independent directors. But independence also brings the benefit of cross-industry experience that can be relevant. Disruptive market forces like technology and cyber can both enable and deter your strategy. Directors with technology and cyber acumen can be an advantage in the current environment by asking the right questions and exploring context that can provide an opportunity for better board governance. 

MCC: Talk about a little more about the bigger picture. 

Dunie: Cyber is part of an overarching enterprise risk program. If you’re looking purely at cyber, you’re missing the big picture. Cyber risk is not just an IT problem. It is an operational problem. Those systems are not necessarily under the CIO, but operational technology is just as vulnerable as the technology overseen by IT.

At the same time, cyber is an incredible enabler. By not engaging in online services, e-commerce and other things to accelerate your business growth, you can leave your company at a competitive disadvantage. It needs to be done thoughtfully, and you need to constantly balance the benefits and the risks of the cyber enterprise, as part of an overarching approach to enterprise risk. And remember that your cyber enterprise also may include your suppliers, subcontractors and consumers.

MCC: To double back to the NACD initiative, given your unique perspective, is it valuable?

Dunie: Cyber is still a relatively new topic for boards. NACD has done a lot to raise the profile and help folks understand that there are things you can be doing. I’m excited about the educational opportunities and certification programs that can assist directors in understanding the landscape and inform good decision-making. NACD is moving the needle in that regard.

Status and Options
Published
Interview