I recently led a round table on “Influencing the board” at the Smart Grid Forums’ IEC 62443 Week in Edinburgh – discussing how to get board-level buy-in for spending on industrial cybersecurity.
Here are some insights I took away:
A word of background before I start: boards of directors generally do not authorize funding for cybersecurity programs – that’s the CEO’s job. Boards do get directly involved in very high-level decisions like acquisitions, divestitures and mergers. Boards also decide on who is the right CEO for the business and what that executive’s compensation should be. And boards care about “oversight,” which has a lot to do with risk. For example, boards hire financial auditors to address the risk that a CEO or executive team might be deceiving both the board and the shareholders about the performance of the business. Boards also care more generally about other material risks and might hire external auditors to verify cyber risk and other company risk information the executive team presents.
Back to our problem – many boards are not convinced that their businesses have a problem with industrial cybersecurity. Many boards care much more about regulatory risk than cyber risk. Many boards are backwards-looking – they are not security experts and so look at statistics about past attacks rather than looking at the current threat environment and projecting future risk. And yes, there is a war in Europe that led to a bump in awareness and willingness to support cybersecurity spending back in the February/March timeframe, but the conflict is dragging on. Today, the average board is slipping back into their traditional stance on industrial cybersecurity, whatever that stance was.
There was one surprising insight about an organization’s reputation. I knew that boards tend to be very aware of risks to their brand – most big businesses have spent billions of dollars on their reputation over previous decades. A major cyber incident like the Colonial Pipeline outage can have a big impact on the reputation of the business – a concrete example of this impact is the new cyber regulations that the US TSA issued 30 days after the Colonial incident. Before Colonial, the TSA was willing to let the industry largely look after itself, believing that that OT security was more or less handled. Not anymore.
The surprise: massive incidents like the 2017 NotPetya attack, that took down hundreds of victims, do little to impair the reputations of the affected organizations. It seems that if “everyone” gets hit, then no single organization is necessarily any better or any worse security-wise than anybody else. Insurers worry about massive events like this, which is why many insurers now cap cyber damages claims at $200-$300M – it has become very hard to buy more coverage than that, even for the biggest businesses. But it seems boards are less concerned about these “cyber catastrophes.”
Solutions: the clearest advice from the CSO’s and other leaders at the table was to work to understand the board’s risk appetite. Understand what risks the board cares about and be aware that risks outside of that envelope are likely to be downplayed. Then, embed security spending into projects that support the board’s business strategy – ie: upgrade security postures generally as part of support for strategic business initiatives. Other advice focused on comparison with peers – board members tend to be deep experts on core elements of the business, and less expert on everything else. In these “other” arenas, many board members rely on comparison with peers. These members want the business to be in the “middle of the pack,” or “just above average” risk-wise for everything outside of strategic business risks. So if we can use our auditors or industry reports or other data sources to show that we are falling behind our peers, that tends to get the attention of executives and board members.
Finally, anything that makes individual board members personally liable gets their attention. For example, in some industries and some jurisdictions, board members can be held personally liable for injuries or deaths due to inadequate safety measures. Today, board-level liability for deaths or damages due to cyber attacks is pretty much non-existent, but the Gartner Group has predicted that such liability may be only a few years away for a great many boards.
The bottom line – boards generally don’t authorize industrial security spend but getting budget for such projects is going to be much easier if (1) the improved security is important to a strategic business expansion or comparable initiative, (2) the project is part of a regulatory compliance initiative, or (3) You can show that without the investment, the business is falling behind its peers security-wise.
I hope that was useful. If you’d like to dig deeper into strong security that won’t break the bank, feel free to request a (free) copy of my latest book Secure Operations Technology.