When Anthem revealed in early February that hackers had breached a database containing the personal information on 80 million of its customers and employees, the news hit a little too close to home for Gary Scholten, executive vice president and CIO of Principal Financial Group. His first order of business that day was to gather all the information he could to reassure his board of directors that the financial services provider did not have similar vulnerabilities.
He contacted the industry's Financial Services Information Sharing and Analysis Center to get detailed intelligence on the exact nature of what Anthem publicly called a "very sophisticated external cyber attack" and was able to assure his board members that Principal's customer and employee data was not at risk from the type of attack launched against Anthem.
Anthem is one of the nation's largest health insurers. Because of the size of its breach, the industry in which it occurred and the media attention it received, Scholten wanted to get ahead of the questions that Principal's directors might ask. "Cybersecurity is a huge priority for them because the service we provide is so reputation-based," says Scholten. "It's a top-of-mind board issue."
[See "8 tips for educating your board"]
Scott Angelo, CIO of K&L Gates, was in Miami for the annual meeting of the law firm's management committee (a private company's version of a board) when the Anthem news hit. "They wake up, and the first thing they want to know about is Anthem," says Gates, who was hired three years ago specifically to strengthen the firm's cybersecurity stance. "They're inundated with all this information that's out there."
The Anthem breach was just the latest in a string of cybersecurity incidents that have occurred over the past couple of years (you know the litany of contretemps: Target, Home Depot, Sony Pictures, JPMorgan Chase and so on). And corporate boards are on high alert. Cybersecurity is "in the press every day," says Peter Gleason, president of the National Association of Corporate Directors (NACD). "It's the foremost issue on directors' minds right now because it's tied into the risk structure of the organization."
Cybersecurity oversight is the second most important topic for boards in 2015, just behind strategic planning, according to law firm Akin Gump Strauss Hauer & Feld. "It's not just financial services firms or regulated companies; everyone is interested now," says Kimberly Peretti, partner and co-chair of the security incident management and response team at law firm Alston & Bird.
In 2014, 42.8 million security incidents were detected, a 48 percent increase over the previous year, according to PricewaterhouseCoopers. The average size of the financial hits attributed to those incidents was $2.7 million, and the number of organizations reporting incident-related losses of more than $20 million increased 92 percent last year, PwC reports. But the true cost may never be known. As many as 71 percent of compromise victims did not detect the breach themselves, according to a 2014 report by cybersecurity firm Trustwave.
Yet board members complain that they're not getting the right information. More than one-third of them are dissatisfied with the quality of information they get regarding cybersecurity risk, and more than half are unhappy with the quantity of information provided, according to a NACD survey of 1,013 public companies.
There's a positive correlation between how much the board is engaged with cybersecurity issues and the strength of IT security profiles, according to a study by business risk consultancy Protiviti. That's why CIOs like Scholten and Angelo are focused on effective communication with their boards. By providing corporate directors with meaningful intelligence on a regular basis, savvy CIOs and CISOs not only educate their boards about the issues they should focus on as they oversee security-related initiatives; they also garner high-level support for building robust security systems and adopting processes and policies necessary to protect corporate data.
Defining the threat
Keith Turpin joined Universal Weather and Aviation as CISO last summer to revamp the security program. Historically, cybersecurity had not been a strategic priority for the board of the international flight planning and support services provider. "My job was to come in and build a strategy to take to the board and get the support that would allow the program to be successful," says Turpin.
Explaining IT security to a nontechnical audience was going to be a challenge. "I've seen people go into board meetings with a network diagram," says Turpin. "You might as well be showing them a crop circle."
So Turpin turned to his background in physical security. He built a small door and fitted it with several seemingly secure locks. He asked the directors in the room if they thought the door was protected. "They looked at me like I was crazy," Turpin recalls. But he explained to them, as he exploited the critical flaw in each of the locking mechanisms in less than a minute, that while the door looked well protected, it was vulnerable. Cybersecurity, he said, was about having the right controls in place to protect the company's data should an IT vulnerability (of which there are thousands) be exploited. He then presented the board with a risk assessment forecast and a security strategy. "[But] the thing they still remember was that door," he says.
"You can't go in there and tell them about the ISO 27000 standard. That's not an effective message," Turpin says. "You have to boil it down to the core business risks for your company: What could have the most significant impact on our revenue stream?" Once the board understands the fundamentals, it's easier to update them on the impact of security investments and address issues as they arise, he explains. After that first meeting, the board quickly approved Turpin's proposed IT security budget; the COO even asked if he needed more money.