Homeland Security wants corporate board of directors more involved in cyber-security

Setting corporate cyber-security policy and acting on it must be a top concern for the board of directors at any company, not just its information-technology division, the Department of Homeland Security (DHS) indicated as a high-level official there backed a private-sector effort to raise awareness at the board level.

Andrew Ozment, assistant secretary, Office of Cybersecurity and Communications at DHS, today said DHS endorsed the principles spelled out in the "NACD Directors' Handbook on Cyber-Risk Oversight" published by the National Association of Corporate Directors, which has over 14,000 members who are directors for public, private and non-profit organizations. The DHS will include the NACD's handbook on the U.S. CERT website as a source of information for businesses. In any organization, the board of directors is there to oversee its general direction, including how well upper management is performing.


"Most companies are targets for espionage, or worse," said Ozment at a press conference in Washington, D.C. where he was joined by Ken Daly, president and CEO of NACD; Mark Carmillo, head of AIG's cyber products for the Americas Region; and Larry Clinton, president and CEO of the Internet Security Alliance, the primary author of the "Cyber-Risk Oversight" Handbook intended to be read by board directors.

Ozment said CEOs should be well-informed about cyber risk issues that come up and should take the view that the board of directors also wants to know about them.

But that is not always the case today, and there's considerable debate about how the board of directors, which is usually non-technical and mainly concerned about the company's business growth and new products or services, can take on cyber-security issues effectively.

With the news headlines pouring out about data breaches and cyber-espionage on a daily basis these days, "directors are very much aware of cyber-security," said Daly, but they struggle to know how to confront it in detail.

The "Handbook on Cyber-Risk Oversight" insists that directors should and must play a bigger role, spelling out five basic principles (see graphic, above). These begin with gaining an in-depth understanding of the risk, then move to helping set an "enterprise-wide cyber-risk management framework," while also weighing whether cyber-insurance might be worthwhile to cover the considerable costs a data breach can entail.

DHS assistant secretary Ozment said the DHS wasn't explicitly endorsing the notion of cyber-insurance per se, nor any particular products, but did view insurance as one option related to legal liability that companies might want to consider.

Although the NACD thinks "risk oversight should be the function of the board," according to the Handbook, the problem today is that many corporate boards remain divided on the subject and haven't determinedly taken up the banner on that yet.

The NACD "Handbook on Cyber-Risk Oversight" notes "a large percentage of boards continue to assign the majority of tasks related to risk oversight to the audit committee--even though more than half of the directors believe risk oversight should be allocated to the full board, and roughly a quarter believe it ought to reside within the audit committee." There's also considerable debate over whether a single board member should be assigned responsibility for cyber-security oversight.

ISA president Larry Clinton said business leaders focus on growth, profitability, and innovation, so cyber-security should be seen as critical to ensuring those goals.
