CEOs and board members are increasingly under the microscope when it comes to managing cyber risk. The financial, legal, and regulatory impact that cyber incidents can have upon organizations have transformed what was once an “IT problem” into a whole of company challenge.
But in a world where cyber incidents and breaches have become so common – even for the world’s more sophisticated, risk-focused organizations -- how should CEOs and board members think about managing this challenge? One idea with legal and historical roots is for executives to focus on whether they are meeting a “standard of care” when it comes to their organization’s cybersecurity performance.
What is a Standard of Care for Cybersecurity?
A “standard of care” is a test used to describe the reasonableness of a particular set of approaches to deal with a problem. When an organization’s practices fall outside of the reasonable standards or approaches used in their industry or sector that is typically viewed as negligent behavior. A famous application of the standard of care argument came in the early 1920s when a tugboat operator was found negligent for failing to equip his boats with radios, which were becoming more commonly used by others in the industry.
Applying this line of thinking to the cybersecurity context, executives and board members should strive to implement reasonable approaches and practices that are used by organizations within their particular industry or sector.
But when it comes to cybersecurity, determining what others are doing in cybersecurity has always been a challenge. What’s reasonable? What’s best practice? How are other organizations doing? Are they doing it better than we are?
The executive seeking to meet a “reasonable” level of cybersecurity must therefore focus on obtaining high quality measurements and metrics about peer- and sector-wide security performance. This focus on benchmarking allows the executive to determine what the standard of care within their sector or peer set truly is, and then whether or not the organization is actually meeting its standard of care.
Understanding and Meeting the Cyber Standard of Care
Think of the standard of care as essentially a benchmark that is useful in measuring your organization’s cybersecurity practices against industry peers, and using that data to hold your organization accountable. The challenge in cyber is that this is a dynamic benchmark to meet: adversaries are continuously evolving approaches, IT infrastructure changes, and defenders constantly work to implement new security approaches and practices to reduce risk. Executives should embrace the fact that cyber is a dynamic risk and adopt approaches and programs that recognize this dynamism rather than ignore it.
We must begin by taking a comprehensive look at the security performance of sectors and industries as a whole – and this starts with access to the right data. Today, organizations have access to data and observations we can make about security performance around the globe. Executives can embrace these observations and create performance requirements around those observations.
In order to meet the demands of the constantly evolving cybersecurity landscape, organizations should not only be prepared to continuously monitor and analyze internal and external data, but they should also be able to respond to changes in real time. Measuring data sets against the industry baseline helps executives and business leaders triangulate precisely where their company stands within the broader industry’s cyber performance
Once executives better understand their company’s performance against their peer group – and thereby, the industry standard – they can then begin developing goals that are aligned with the state of their industry. When creating these goals, executives should examine and react to the key areas that comprise their cybersecurity practices, such as:
- Hiring practices: Hiring IT talent to manage cybersecurity is no longer enough. How can your organization hire and retain the best cybersecurity talent?
- Distribution of talent: Once you have your security team, is their time being used wisely? How can you better distribute security resources?
- Security culture: Security should be top of mind across your entire organization. Does your company culture emphasize the importance of cyber vigilance from the top down? Are employees properly trained to identify potential phishing attacks or malware?
- Performance effectiveness: Why is my organization performing in the manner that it is? Do we have the right technology in place? Personnel? Resources? How should we change any of these elements to achieve a more optimal outcome?
- Tools and data: Cybersecurity technology is constantly evolving. Is your team equipped with the latest tools and real-time continuous monitoring data to match the increasing sophistication of cyber attacks?
Once these goals are in place, senior executives should work with the board of directors to identify and execute on a strategy that helps the organization meet – and maintain – alignment with the broader industry standard of care. Rather than conduct an annual review of cybersecurity measures, the organization should regularly assess and quantify progress against baseline goals, as well as highlight any significant threats and events the company identified during the period.
Optimal Approach to Oversight
Executives who embrace the dynamic, ever-changing nature of cyber risk – and fashion oversight programs around peer benchmarking and understanding the industry standard of care – will place their organizations in better legal and competitive positions.
From a legal perspective, being able to articulate your organization’s alignment with adequate security performance may help establish a strong defense during a breach incident. Perhaps more importantly, demonstrating strong cybersecurity performance compared to peers and competitors can be seen as an important point of differentiation in the market. As more organizations ask their customers to show best practices in cybersecurity, those that can independently demonstrate performance and exceed the efforts of peers and competitors may be in a better position to win business and achieve long-term success.
Executives can begin today – by asking CIOs and CISOs the hard questions: How are we doing? How do we compare? And how do we measure it?
Tom Turner, CEO, BitSight