It’s Time to Get Smart About Cyber Threats
Board members, cybersecurity is your responsibility. Don’t leave it to the technology experts. Here are the questions you should be asking.
In the past, boards may have been comfortable brushing off responsibility for cybersecurity, relegating it to the IT department as something complex and highly technical. The challenge of cybersecurity is more often, though, one of governance, management and leadership. In addition, with McDonald’s, JBS, Colonial Pipeline Co. and Kaseya all recently coming under cyberattacks, it is clear that cybersecurity and physical security are inextricably linked — and security is a board-level responsibility.
“At its core, these ransomware attacks have exposed the fallacy there is a line between physical security and cybersecurity, and boards have to wake up to that,” says national security expert Juliette Kayyem.
As a frequent national security analyst on network and cable television, an essayist for The Atlantic and a long-standing adviser to mayors, governors and CEOs, Juliette is known to many of her colleagues as “The Queen of Calm.” We spoke with her to better understand how board members should be thinking about cybersecurity and ransomware and how they can prepare better by asking the right questions.
First and foremost, Juliette encourages leaders and decision-makers to think about a cyberattack just like any other crisis, and they should conceptualize and organize their approach and planning in the same manner.
“Every crisis has five stages, across the left and to the right of ‘BOOM’, the moment when disaster hits,” explains Juliette. She created this visual to illustrate how to bring ordered thinking to what can feel like an overwhelmingly chaotic topic:
Here Comes the Boom
The biggest mistake Juliette sees organizations making time and time again as it relates to cyberattacks is the misguided belief that they can be avoided. Beware of cybersecurity companies that promise you invulnerability. If your system is connected to the outside world, it is vulnerable. And that means, Juliette says, “that companies have to spend a lot more time on consequence management and limiting the damage.”
Indeed, given the recent high-profile ransomware headlines, Juliette has been focused on bringing this point of discussion into the national conversation. “Most organizations are obsessed with how to stop these cyberattacks, but they have no idea of the impact, consequences or how to respond once an attack occurs. Companies must flip the focus and assume a breach will occur and plan for it.”
Adopting an “assume breach” mentality is where board members have the opportunity to add real value by asking smart questions. Boards have a responsibility to inquire about the measures that have been taken to ensure the organization is ready both pre and post “BOOM”.
The question of whether to pay a ransom is complicated. Criminals deliberately keep their demands low so that companies are incentivized to pay. But payment, as we learned during the Colonial Pipeline attack, does not necessarily solve the problem. Juliette takes a harder line on this: to pay is to support a criminal enterprise, embolden it, and leave other companies vulnerable. Regardless of whether a ransom is paid or not, Juliette says the FBI should be notified. Since payment of a ransom is not a crime, there should be no penalty for disclosure. Boards should ensure they know the ransomware protocols and have a say in how their organizations respond.
As a board member or leader, here are some questions you should be asking.
Left of BOOM: Protection and Prevention
While there are now countless cybersecurity companies selling solutions and promising protection and peace of mind, minimizing risk is best achieved when leaders have adequate knowledge to assess vulnerabilities. Have you asked:
- What have we done to protect our systems and make it more difficult for malicious intruders?
- What have we done to minimize the risk of a single point of failure? Do all of our systems need to be networked? No access should be full access.
- What steps have we taken to isolate porous systems?
- Can or should we bifurcate business systems, such as billing, from operations?
- What monitoring is in place with regard to our critical assets?
- Have we conducted an agnostic and holistic review of our cyber and physical security?
Juliette emphasizes the critical, but often overlooked, need for a holistic approach to security. “I worry when I see organizations with separate roles for the chief security officer and the chief information security officer,” mentions Juliette. Typically, CISOs are responsible for the protection of information and data, and CSOs are responsible for corporate safety. “80% of their response should be the same, so they must be not only aligned but intertwined,” states Juliette. She continues, “Exacerbating the issue is the fact that these leaders in security often have different reporting structures and chains of command, and they rarely have a voice in leadership or at a board level that could give them greater authority to focus overall efforts.” The bottom line is that, regardless of how security leaders’ roles are delineated and structured, unifying left-of-BOOM and right-of-BOOM efforts is critical.
Right of BOOM: Response, Recovery and Resiliency
While most organizations have at least considered the need for protection from cyberattacks, it is less common but equally important to have a plan in place for a breach. Juliette advises that it is instructive to assess how your resources are allocated to get a good sense of where the vulnerabilities lie. Many organizations discover that they have allocated time and money to prevention but are woefully unprepared and under-resourced when it comes to responding to a breach. In her assessment, too often a company’s response plan amounts to simply turning everything off. That need not be the case if planning has taken place and systems are understood well enough to allow layered responses. Have you asked:
- What is our disaster mitigation plan?
- Who are the key members of the response team and what are their roles and responsibilities? Who is in charge? In a ransomware attack, who will be the primary contact with the FBI?
- How will we communicate critical information both internally and externally?
- What are the requirements for resuming normal operations?
The approach organizations take to avoiding and responding to cyberattacks should not be dissimilar from other crisis planning. A holistic and thorough plan requires both an upfront investment of time and a commitment to ongoing review. This is where board members can have an impact and add value – by steering the organization towards a more comprehensive approach and providing oversight and accountability.