TechKnowChat’s intrepid reporter Sean Field, Special Counsel, reports on the second and final day of the National Institute of Standards and Technology (NIST) Cybersecurity Framework Workshop.
It’s another beautiful day in DC as mini heat-wave conditions set in for the rest of the week.
This morning’s Washington Post reports that the National Security Agency’s hacking tool, EternalBlue, has found its way into the wrong hands and may be the code at the heart of WannaCry. The Post is also suggesting that there may be some element of North Korean involvement in WannaCry.
Against that backdrop of developments swirling in the cybersecurity world, the second and last day of the Cybersecurity Framework Workshop provided the opportunity to participate in more detailed discussions on particular topics relating to the NIST’s Cybersecurity Framework (NIST CSF).
Today I attended the sessions on “Cybersecurity Governance and the Board” as this is a special area of interest for me. This was a difficult choice as there were plenty of other interesting sessions on offer, including ones on international usage/alignment of the NIST CSF; fintech; and cyber in the communications sector.
We all know that cybersecurity is well and truly on ASIC’s radar in relation to Directors’ duties. Similarly, it will not be controversial that the extent to which an entity – and its Board – actively addresses cyber risk can be a key factor in reducing or minimising the legal implications of a cyber breach.
It is probably not a gross over-simplification to say that regulatory measures aimed at ensuring cyber integrity are somewhat more advanced in the US than in Australia. However, it would not be unreasonable to expect that ultimately the Australian Government may follow the US lead in this regard; accordingly, the issues discussed in this blog likely indicate some sign-posts for Australian organisations to draw upon in preparing for developments in regulation and legislation here.
So how well are Boards doing? How good a job are Boards doing of ensuring that they are appropriately informed and making the right decisions on cybersecurity?
These were the main themes occupying the Governance break-out group this morning.
Organisational issues are a key aspect of governance. Careful thought needs to be given as to how cybersecurity risks play into structure and risk-related appointments.
In large organisations, it is increasingly common to appoint a Chief Information Security Officer (CISO) or similar. Ideally the CISO would have equivalent status to the Chief Information Officer (CIO), for two reasons.
First of all, if the CISO reports to the CIO (a relatively common arrangement) then the CIO’s needs, including budgetary needs, may take priority over the CISO’s needs and the budget available for cybersecurity. That’s OK if such decisions are risk based, but not if they are driven predominantly by politics.
Second, as mentioned in my blog on Day 1, ideally an organisation’s cybersecurity team is integrated and multidisciplinary. If the CISO is equal in status to the CIO, then the CISO’s voice should be given appropriate and equal weight (along with the views of other members of the team) in the consideration of cybersecurity matters.
Cyber risk should be considered as one business risk in the full range of risks. To this end, some organisations appoint a Chief Risk Officer, who has overall responsibility for risk control and management, including in respect of cyber risks.
Keeping the Board informed
Not surprisingly, some organisations are addressing cybersecurity issues well, while others are not doing this so well or are not doing it at all.
Boards are increasingly aware of the potential for cyber issues to impact on shareholder or company value and, as a general proposition, are becoming more aware of cyber issues (especially when events like WannaCry are all over the media). However, it was observed that awareness is not a substitute for proper consideration and implementation of a cybersecurity plan.
There was a great deal of discussion about whether Boards needed to get more tech and cyber savvy or whether it is incumbent on CIOs/CISOs to present cybersecurity issues to the Board in language it is familiar with – in terms of impacts on balance sheets and shareholder value.
In reality there probably needs to be movement on both sides. The business needs to avoid presenting in tech/cyber jargon; but by the same token, Boards should make some effort to become familiar, at least at a high level, with cybersecurity and related technology issues. The business also needs to present cyber issues in such a way that the Board is filling its proper strategic role and is not being asked to make day-to-day operational decisions.
CIOs/CISOs should anticipate how they will answer questions that Boards will want answers to; for example:
- if we approve more expenditure on cyber, will we be more secure (and how do we know when we have spent enough)?
- are we properly prepared (the “tell me it won’t be us in the news tomorrow” conversation)?
- what are our peers doing to address cybersecurity issues?
- what help does the business need?
Measurement and metrics
CIOs and CISOs should also be in a position to brief Boards on key performance metrics illustrating, for example:
- how the entity currently stacks up against the NIST CSF and other applicable standards;
- what peers are spending and what the industry averages are (benchmarking);
- how spending on cybersecurity has improved performance and preparedness as against the previous state; and
- quantified potential loss and damage in the event of a cyber breach, including worst case scenarios.
Metrics and performance measures should be regularly reported against.
There was also an interesting debate on risks that arise in transitional states – for example, during mergers and acquisitions. Cybersecurity issues are increasingly a critical consideration in terms of due diligence on a target and during transition of a business or assets to the purchaser.
Many businesses are undergoing the transition from non-cloud to cloud – in many cases whether they like it or not, because it is vendor driven. Cyber risks should be carefully considered in this transitional state also.
The NIST CSF as a tool
All of which brings us back to the subject of this Workshop, the NIST CSF.
The NIST CSF can serve the purpose of conversation facilitator and framer. Presenting cyber issues on the basis of the five functions at the Core of the NIST CSF – Identify, Protect, Detect, Respond, Recover – allows an entity to undertake a risk assessment based on an evaluation of its assets and prioritisation of the entity’s assets in terms of their importance to the business and their value.
Clearly Governance is a critical issue for cybersecurity. It may even have its own section in future versions of the NIST CSF Core.
Farewell to Gaithersburg
So with that, my account of the NIST Cybersecurity Framework Workshop for 2017 comes to an end. I hope you’ve found my very potted summary of certain aspects of the Workshop useful. Please don’t hesitate to contact me if there is anything you would like to discuss in more detail. I plan to hold a presentation on the Workshop in June in Melbourne so if you are interested in coming along, please do let me know so that I can ensure you are included on the invitation list.