Several weeks ago I wrote about how boards and audit committees struggle to handle IT risks, and how compliance executives can help them understand such problems. The good news: compliance professionals themselves now have fresh guidance to understand cyber-security risks.
The bad news: you need it.
Let's start with the new guidance. Last week the National Institute of Standards and Technology published its long-awaited framework for managing cyber-security risks. In theory the framework is meant for businesses working in critical infrastructure sectors: chemicals, water treatment, telecommunications, energy, banking, and so forth. (Not sure whether you're critical? The Department of Homeland Security has a list.) In practice everyone should read it, since the framework outlines a sensible approach for determining what your risks are and how you can respond to them. That's the context about risks that audit committees want you to provide.
The NIST framework identifies five core functions for cyber-security:
- identifying your risks;
- protecting your assets;
- detecting intrusions;
- responding to attacks; and
- recovering after an attack has happened.
Each core function then has categories and sub-categories of specific tasks or business practices assigned to it, plus citations back to other guidance or frameworks already out there: the COBIT framework on IT controls, the ISO 27001 standard for information security, and earlier NIST publications. Anyone closely involved in the chore of improving business processes to shield them from cyber-security risks will have a clear roadmap of what NIST recommends you do.
More useful to senior-level compliance and risk officers, however, might be the four “tiers of implementation” the framework provides—basically, a way to let you determine how mature your risk management program is. Even if you don't want to embrace the NIST framework wholeheartedly, the tiers alone can be converted into a checklist of all the steps your business should be taking. When the audit committee asks for an update on the company's state of readiness for cyber-security, the NIST tiers are the sort of specific examples committee members can appreciate. As a bonus, the tiers also let you explain what the company should do next to improve things, which in turn can be leveraged into budget and staffing requests.
The ideal tier, NIST says, is the “Adaptive” risk management program, which employs advanced cyber-security technologies and has robust systems to alert all parties involved—including regulators and the public—when a cyber-attack has happened.
The reality for most, I fear, is something closer to the first two tiers, “Partial” and “Risk Informed.” That is, the business kinda sorta knows what its cyber-risks are, and has at least a rudimentary program to manage them—but “manage” is more about responding than preventing, and your ability to share all relevant information with outside parties is limited.
Which brings us to the “bad news” portion of this week's column.
Clearly regulators remain unconvinced that companies are managing cyber-security risks well, or that they can even articulate what those risks are. The Securities and Exchange Commission just announced plans for a cyber-security roundtable to be held March 26. The Senate Judiciary Committee held a hearing earlier this month to grill Target about its massive data breach over the holiday season. Most troubling are news stories surfacing over the weekend that at least some employees at Target may have tried to warn about the store's massive breach, warnings that senior executives did not hear amid the overwhelming number of threats large businesses like Target now get every day.
Precisely what the SEC's agenda will be for its cyber-security roundtable remains unclear, although it's a safe bet that the agency will want to explore whether companies are disclosing cyber-security risks in sufficient detail. That's an elusive goal; as the SEC itself points out in guidance it published on the subject in 2011, nowhere in federal securities law are companies required to disclose specific cyber-security risks. Rather, the feds want to know that your company has the intellectual and organizational wherewithal to know a material risk when you see it, and describe it to investors—who, after all, are the ones the regulators want to protect.
Yet that's where the NIST framework can be put to good use, and where compliance officers can help lead the charge. To a certain extent, cyber-security risks have a lot in common with fraud risks: they're pervasive, constant, and under heavy regulatory scrutiny. For years compliance officers have been working to develop strong anti-fraud programs, by building strong compliance systems and strong ethics programs to change employees' awareness of fraud.
Well, the effort to manage cyber-security risks will feel a lot like that. Someone will need to corral CIOs, business-unit chiefs, legal officers, and the like to develop good risk management practices for cyber-security. Part of that will be “hard controls” coded by IT; part will be “soft controls” delivered by HR training. The NIST framework can provide some of the language and terminology a business needs to manage its risks, but the daily routines of building effective business processes to fight those risks—that is right in the wheelhouse of the chief compliance officer. So maybe the news isn't so bad after all.