Security / May 26, 2017

Who Owns Cybersecurity Risk Management?

In light of the countless cyber incidents reported daily—including the high-profile Yahoo database breaches that impacted hundreds of millions of customers—the question of risk responsibility is more front and center than ever before. To date, there’s remained a troubling tendency to view cybersecurity as fundamentally different and separate from other organizational risks. Or, it’s simply viewed as an “IT problem” best left handled by those with the requisite experience and operational subject matter expertise.

And there’s the rub. Just because something is complex and highly technical doesn’t absolve senior leadership of their responsibility for it. That includes Yahoo’s CEO Marissa Mayer as well as, say, hospital board members and executives who have long been responsible for protecting their organizations from complicated and complex risks associated with quality, patient safety, and evolving medical innovations.

Cybersecurity can no longer be ignored or treated separately by senior leadership. Because if it is, who then owns cybersecurity risk management?  

The Role and Responsibility of the Board

Many boards delegate cybersecurity governance and oversight to an audit or risk committee. Others approach it as a separate strategic priority or within an existing enterprise strategic risk management governance structure. Some don’t address it at all.

The size, industry, and business complexity of an organization often dictates the approach. For example, the board of a bank would likely take a different approach to cybersecurity governance than, perhaps, a mining company with extensive IP-enabled machinery and control systems.   

Regardless of the approach, just as boards are ultimately responsible and legally accountable for overseeing an organization’s financial health, systems and controls, so, too, are they responsible for providing strategic risk management direction to senior leadership as well as oversight of systems, policies, processes and controls in regards to cybersecurity.

While board members may not actually need to be able to write firewall rules, they certainly need to attain and maintain an acceptable level of “cybersecurity literacy.” And they need to ensure the fulfillment of their governance, oversight and fiduciary responsibilities by making cybersecurity a strategic priority and holding management accountable for managing and reporting results.

The National Association of Corporate Directors has nicely distilled these responsibilities down to five principles:

PRINCIPLE 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

PRINCIPLE 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances. 

PRINCIPLE 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.

PRINCIPLE 4: Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.

PRINCIPLE 5: Board discussion of cyber risk management should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.

More complete details on these principles are available in the NACD Director’s Handbook on Cyber-Risk Oversight.

The Role and Responsibility of the CEO 

While the board is responsible for providing strategic direction and oversight, the CEO is ultimately accountable to the board for the operational management of cybersecurity risk and the implementation of policies, procedures and controls to ensure these objectives are being met. This responsibility includes reporting to the board in a timely, transparent and detailed manner.

Often, the CEO will defer to the chief information officer (CIO) or, if the organization is larger and more complex, possibly the chief information security officer (CISO) to present quarterly or annually to the board. These presentations can sometimes take the form of assurances that “everything is being done” and may also include metrics and key performance indicators as data points for review.

Where this approach falls short of proper governance is when key performance indicators were not met or an actual breach occurred. The CEO cannot shift responsibility onto the shoulders of the CIO or CISO and lay blame with the IT department. This would be the equivalent of the CEO deferring to the CFO to present a dismal financial report to the board and blaming the accounting department for a drastic decline in revenue.

The inability of a CISO to meet key performance indicators might be due to insufficient budget priority given to cybersecurity in general or, alternatively, a drastic decline in revenue might have resulted from loss in consumer confidence due to a security or privacy breach.  Today, there is no way to separate cybersecurity from all other strategic objectives and operations of any organization, regardless of its complexity.

Moreover, each business unit or department must also embrace cybersecurity as a business imperative and priority. The extent to which they do so will be a direct reflection of the level of strategic priority given to it by both the board and CEO.

Along with setting the proper “tone from the top,” the CEO must provide direction and resolve conflicts between competing departmental priorities. For example, marketing and sales may want to ensure that a product is easy to use and insist on removing friction to user adoption, such as second-factor authentication or other security enhancements demanded by product engineering, on the grounds that such controls may impede a potential consumer from choosing and purchasing the product or service.

Balancing the need to drive adoption and, consequently, revenue versus the need to protect both customers and the organization and therefore the brand is not a decision that can be made by front line management. Nor should they shoulder the responsibility.

Ultimately, there is no escaping the reality that the board is responsible for oversight and strategic direction of cybersecurity while the CEO owns operational management responsibility. However, these responsibilities need to be aligned and integrated into all other strategic and operational business decisions.

Accordingly, the IT department or the CISO are responsible for the day-to-day activities required to implement, manage and report on cybersecurity risk and should report to a member of the senior leadership team or the CEO directly who can oversee the enterprise’s cybersecurity program decision-making, and to whom the board can look as accountable for cybersecurity.

So Who Owns Management of Cybersecurity Risk?

The question is best answered by asking who owns financial risk within the organization, who owns patient safety risk, or who owns the risk associated with shareholder value. Each organization may take a different approach to answering these questions, but elevating cybersecurity risk to the strategic level of these other risk categories, recognizing that it also intersects significantly with all of them, and dealing with it as a strategic priority at all levels of the organization is no longer optional.

Originally posted in Boards, Official Publication of the Ontario Hospital Association’s Governance Centre of Excellence, May 2017, Issue 19.
