Mike Shultz is the CEO and founder of Cybernance, a company that regulated industries, public companies, and government agencies rely on to effectively oversee and manage cyber risk. Previously Shultz was CEO of cybersecurity firm Infoglide Software. As founder and CEO of QuestLink Technology, he structured $26.5 million in equity financing and negotiated a successful merger with eChips, Inc. Shultz was on the founding management team at Cirrus Logic and Integrated Device Technology, setting the sales strategy that contributed to successful IPOs for both companies. Shultz received the Ernst & Young 2004 Entrepreneur of the Year Award and the 2002 Greater Austin Chamber of Commerce’s Award for Innovative Business.
General Donald Cook serves on the Advisory Board at Cybernance. A retired Four Star General, Cook served 36 years in the U.S. Air Force. His culminating assignment was as Commander of Air Education and Training Command, responsible for an $8+ billion budget and providing leadership and oversight of 90,000 military and civilian personnel. General Cook was Commander of Air Combat Command during September 11, 2001. Cook also served as Chief of the Senate Liaison Office and on the staff of the House Armed Services Committee in the U.S. House of Representatives. Currently he is a director at Crane Corporation, USAA Federal Savings Bank, U.S. Security Associates, and is a consultant to Lockheed-Martin.
Christopher P. Skroupa: As a starting point, let me ask you, what do you see boards doing now to provide cyber risk oversight, and what are the questions you’re hearing from them?
General Don Cook: Board members like myself get reports from CISOs and CIOs, and while they try to give us good information, there’s often this feeling that you’re not getting the full scoop. That uneasiness makes me question whether I’m fulfilling my duty of care as a director when I don’t trust that I have command of the situation. However, with so much publicity regarding cyber risk, boards may be demanding more.
Mike Shultz: Not only may they demand more, they should demand more. Cyber risk governance is a critical business issue. Cyber risk and liability can be financially devastating to a company, so this issue is rising to the top with directors. Boards are often presented with highly technical reports that are not clearly connected to business risk. This is not an IT problem; it’s a business problem across the organization. With so many high-profile examples of cyber attacks, boards are becoming more concerned with understanding cyber risk and assessment programs of the organization.
Skroupa: There’s a debate going on out there about how boards should be providing cyber risk oversight. Is this a topic for the full board or a committee? Does the board need a director with cyber expertise? How often should management be reporting to the board, and what should it be reporting?
Shultz: We typically hear from most directors that they are getting reports only once or twice a year. In today’s fast-changing environment, once or twice a year is probably not enough. In order for the organization to make progress on their cyber maturity, reporting needs to be a regular part of the business.
Our customers tend to get more engaged than that, and cyber risk becomes a regular topic for board meetings. The oversight is typically being held within the audit committee, as part of all the business risks they monitor for an organization.
Cook: You hear in some quarters that every board should have a cyber expert, but that’s impractical, because not only is there a shortage of cyber experts, there’s an acute shortage of them that are equipped to deal with the broad range of issues that directors have to address. What I’d like to see instead is the realization that cybersecurity is a team sport. Directors should be handling cyber governance and ensuring that the IT/Security folks talk cyber. This is an enterprise risk, and it requires involvement of key folks across the organization in order to deal with it effectively. Sure, IT and Security play a big role, but the responsibility should extend to other groups as well. HR has to be engaged in vetting and training of new hires, Procurement should evaluate the cyber risk of vendors—that sort of thing.
Shultz: I agree with Don. For us to make broad progress as a nation in cyber resilience, we have to understand that this is a critical financial risk and the impact can be significant to all stakeholders. Sarbanes-Oxley really amped up the attention paid to financial reporting, and we need to apply the same level of critical thinking and oversight to cyber risk governance. With the advent of more and more regulation, boards and company executives will have to become better equipped to understand their cyber resilience and cyber maturity across the entire enterprise.
Skroupa: If emerging best practice is to treat cyber risk as an enterprise-wide management problem, and not an IT problem, that leads to questions about standards and certification. Should companies and boards be using standards, such as the NIST Cyber Security Framework, to develop enterprise-wide approaches to cyber risk management and oversight? If so, what standards should they be using and how? Do you see the possibility of a trend toward certification of organizations, or of boards? If so, what form might that take?
Shultz: When we started Cybernance two years ago, it was based on a firm belief that a standard way of measuring cyber risk was vital if we were going to make sense of the risk across multiple kinds of organizations. I’d like to say that we were brilliant in choosing the NIST framework, but in fact, it simply seemed to be the most broadly applicable to us and, luckily, it has come to be accepted as the gold standard. Based on guidance from almost every compliance body, boards are adopting NIST standards to bring order to risk mitigation efforts and to enable all stakeholders to have a shared view of risk and resilience.
Cook: It’s important to have a standard process for reporting to the CEO, regardless of which one, and NIST CSF has become the de facto standard in the last two years. It’s the one I hear about from industry friends the most. In fact, there’s pending federal legislation and pending legislation in over 30 states to require reporting from agencies based on NIST. An approved certification process would assist governance-reporting companies like Glass Lewis and ISS to measure a company’s risk governance.
Shultz: The New York Department of Financial Services recently released their own set of cybersecurity regulations that all financial services firms operating in the state must adhere to, which means any financial institution doing business in NY State. Their regulations don’t point directly to NIST CSF, but we analyzed them in detail and they are in fact subsumed by the NIST standard. In other words, if you’re evaluating your performance against NIST, you’ll be in full compliance with New York’s DFS regulations.
Skroupa: What should boards be considering when adopting a comprehensive risk management strategy for cybersecurity? What factors will influence their choice of direction?
Cook: First of all, the number one goal should be to engage the board – and that means whatever strategy you choose, it has to make sense business-wise and not be all about discussions of different technologies. If you consider the idea that we may be approaching cyber Sarbanes-Oxley legislation, I’d say we should align our strategy with emerging best practices standards, and that includes assessing and managing risk using the NIST framework.
Skroupa: While cyber risk has everyone’s attention now and those risks are high, cyber is just one of many risks companies face, and the board has responsibility for oversight of management’s performance in managing all of them. How should the management of cyber risk fit into the board’s responsibility to oversee risk more generally?
Cook: I’m amazed by recent studies that demonstrate a lack of attention being paid to cyber by many directors and executives when we all know that it represents a huge financial, reputational, and litigious risk for many organizations. I read a study that came out in HBR in February where only eight percent of directors said they see cyber attacks as a strategic threat. That’s just incomprehensible to me.
Shultz: I saw that study too. It’s telling of the lack of understanding that many executives and directors have of their responsibility. Clearly, that is going to change as boards become subject to great personal liability for their oversight responsibilities. As more organizations are damaged by cyber attacks, boards will adopt cyber risk governance as part of their standard oversight duties. There is way too much at risk to not do so.
Cook: Yes, I agree. As board members, we have to be clear about the respective responsibilities that we assign to committees versus the full board. What I’m seeing in general is that cyber risk is falling under the audit committee where other forms of risk are already dealt with. We have to build cyber risk oversight into our board structures and processes. It has to become a commonly accepted issue that’s always covered in board packages and is on the agenda every time we meet. Remember, there are companies that have been hacked and know it, and there are companies that have been hacked and don’t know it!
Skroupa: What’s next? What do you see coming? What are the big trends and developments we should be looking for?
Shultz: Obviously, corporate behavior has to change. To date, the focus and attention has been on perimeter defenses. What’s missing is a focus on and attention to internal controls – people, policy and process. Most of the large breaches have been because internal defenses were lacking or not practiced. The internal defenses are critical to successful cyber resiliency in any organization. What we are excited about is our cyber governance platform based on the NIST framework that gives the organization the ability to assess their cyber maturity, determine gaps, and report on improvement plans up to the board of directors. This is exactly the kind of information they need and understand, and can make decisions on, based on the risk assessment. This is what I mean when I say it’s not an IT problem; it’s a business problem.
Cook: I think big changes in behavior have to be led by the insurance industry. I’ve been educating myself on this topic recently, and it seems right now that cyber insurance is growing rapidly but it’s still in its infancy. Industry people that I’ve talked to tell me that underwriters are wrestling with a lack of enough data to be very good at assessing different levels of risk. As a result, I’m helping start a new initiative whose goal is to raise the country’s level of cyber resilience and mitigate risk by encouraging broad assessments across companies, agencies, and nonprofits. The organization is called Cyber Analytics Institute. The idea is to bring together all the resources needed to improve predictive risk analysis to the point that the cyber insurance business can motivate better cyber behavior. It will require broad cooperation on a number of fronts and it’s very doable.
Shultz: As I said earlier, there are a number of legislative regulations in place and more coming down the pike. I think we’ll see significant effort put on executives and boards to be more responsible for cyber risk in their organizations. The recent issue that the Yahoo board and C-suite experienced is a lesson for all boards that this is part of their responsibility and oversight duties to protect the company and shareholders.