Supervisory boards and cyber security

In 2019, the European Union Agency for Cybersecurity (ENISA) reported that the scale of cyber attacks had changed significantly, and we are seeing a steady increase this year as well. Cyber threats are the fastest growing threats facing organizations today, and supervisory boards need to find a way to address them. The risks posed by cyberspace are relatively young, especially for traditional businesses, because such a high level of digitization and dependence on information technology did not exist in the past. Information security has been, and unfortunately still is, lagging behind new cyber threats, which constantly exploit the vulnerabilities that organizations produce through a lack of information security management. The recipe for supervisory boards in addressing cyber threats consists of five principles. Supervisory boards are responsible for security incidents and for the costs incurred due to poor security policy; to carry that responsibility, they must of course have an appropriate influence on management boards.
Principle 1: Management boards need to be aware that cyber security is part of corporate risk management and not an isolated task for IT departments.
Principle 2: Management boards need to consider the legal consequences of cyber risks as well as their effect on the reputation of the organization.
Principle 3: Management boards must introduce cyber security reporting, both in management reports to the management board and in reports to the supervisory board.
Principle 4: Supervisory boards should ensure that management boards establish a comprehensive cyber security risk management framework that covers organizational culture, the capabilities to prevent, detect and respond to cyber security incidents, and monitoring and communication at all levels. In accordance with the adopted strategy, they must provide a sufficient amount of adequate resources.
Principle 5: Supervisory boards and management boards should discuss cyber risks with each other and agree on principles for their management (reduction, transfer or acceptance of certain risks).
The European Union Agency for Cybersecurity (ENISA) wrote: »Organizations must strive for active participation rather than only ensuring coherence in addressing emerging threats. Management boards have a key role to play in developing an efficient and effective cyber security system. They must enable professionals to work and, above all, they must lead by example. Measures to improve corporate cyber security need to be continuous, interactive and supportive. The human factor is and will remain the main source of vulnerability, so special emphasis must be placed on raising the awareness of all individuals. Setting an example, behaving in accordance with security policies (as we are the main target), and cooperating with information security experts in finding the most effective solutions to ensure safe operations must be the principles of every member of the management board.« The same applies to members of supervisory boards. Only by example can we raise the awareness of individuals "from the top down".

In the following, we explain the listed principles that supervisory boards must follow in the management of information and cyber security.

Information and cyber security are not technical challenges that can be left to technical departments. Technical departments are not familiar with the overall business and challenges of the organization, so addressing threats from a purely technical point of view usually fails to address key business risks: resources are allocated inefficiently and more vulnerabilities can be overlooked. Information security risk management must be integrated into corporate risk management and receive the same level of awareness as, for example, strategic, financial, environmental or market risks, to name a few. Risks must be supervised by the company's management, as they are responsible for their proper management. It is not enough to copy the solutions of other organizations.
Every organization is special, so it needs a tailored approach to risk management. What is a high risk for one organization, whether because of its vulnerability or the potential consequences, can be completely irrelevant to another, and any investment in it would be irrational. Management boards need to develop a culture in the company that values information security. Management boards must report to the supervisory boards on a regular basis, being open and not covering up vulnerabilities or incidents. When reporting, they also need to think about the entire ecosystem, not just their own domains.

Cyber security is not only a matter of reputation but can also have legal consequences. More and more European and local legislation addresses aspects of information security, so neglecting information security leads to illegal practices. As examples, consider the legislation on personal data protection or on the protection of business secrets. Supervisory boards must be familiar with all legislation that affects the operation of the organization's information security system, regularly monitor changes and require management to respond to them.

Management boards must make decisions on addressing information security in the same way as they make other strategic decisions. Although information technology is not the key product of an organization, in a modern organization it is one of the most important, if not the most important, support factor that enables business; without it, business would be impossible. Supervisory boards must clearly communicate the expectations and guidelines that management must follow when planning. Normally, supervisory boards authorize a dedicated body (an Information Security Committee) to handle information security management, which ensures that the field is usually handled by competent people. Nevertheless, they must constantly monitor the functioning of such committees, because they cannot transfer their responsibilities in this way. Information and cyber security are not and cannot be separate issues, as they are strongly involved in all activities of the organization, so their discussion must be included in all activities of the organization.
Management boards must provide resources for information security management. At the same time, they must provide the technical capacity that enables the supervisory boards to constantly monitor the state of risks and of the measures related to information security. They need to develop a clear system of responsibilities and procedures, monitor it and update it where necessary. All procedures must be communicated to all those involved. Adequate awareness-raising and training must be provided for the tasks set out in the procedures. Cyber security and resilience must be written into the very genetic record of an organization. Management boards must be able to collect events, risks, threats and vulnerabilities on a bottom-up basis. Management and supervisory boards will not deal with individual incidents that do not cause significant harm, but they must be informed of the overall situation in an appropriate, aggregated manner.

Reports can be combined in several ways, just as policies can. For example, security issues can be grouped across the following areas of IT management: resource management, safety of devices, identity and access management, network security, software security, policies and procedures, and threat identification. Of course, depending on the nature of the work, the degree of maturity or specific factors, organizations can choose their own areas of operation and information security.

When determining risk appetite, organizations should answer the following questions:
- Strategy - what risks do we want to take?
- Stakeholders - what risks are we willing to accept ourselves or transfer, and to what extent?
- Capacities - what resources are needed to manage individual risks?
- Organizational values - what risks are absolutely unacceptable?
- Finance - are we able to accurately assess the value of risks and align them with the projected investments in their management?
- Measurement - are we able to introduce appropriate measurement and reporting that ensures control, monitors trends and ensures proper communication between stakeholders?

Supervisory boards must assess the effectiveness of information security investments (ROI). They must check the effectiveness of investments against the future losses they are meant to avert, using a so-called risk-based approach. Management boards and supervisory boards must have credible information on the costs of providing information security, which they must assess in the light of the risks and their possible realization. The risk assessment must be carried out in a way that can calculate as accurately as possible the probability and consequence of the realization of an individual threat in a given time. With the assessment obtained in this way, management boards can confirm individual measures and assert their own appetite for risk. Let us recall once again that if these decisions were left to the technical departments, there would be a big gap in this area.
Without a proper risk assessment, we cannot manage information risks. The organization must adopt a methodology that allows for the desired accuracy and repeatability. All risk owners must be involved in the risk assessment. Risks need to be assessed, appropriate measures proposed and their effectiveness monitored. Supervisory boards must have up-to-date and correct information, and management boards must provide it to them. There are various ways and tools that supervisory boards can use to do this. We can divide them into five tools:
- Questions asked by the management board to the supervisory board (or by members of the supervisory board who ask and answer them themselves); this demonstrates the supervisory board's knowledge of the organization's ICT infrastructure and information security maturity. At the same time, the supervisory board can see what information it requires from the management board.
- Questions asked by the supervisory board to the management board; by doing so, the supervisory board assesses the maturity of the organization and of its information security management system, and can assess the accuracy and credibility of the information it receives from management.
- Metrics monitored by the supervisory board; the metrics to be measured and reported must be well defined and provide data that can be used for decision making. Metrics such as the number of incidents detected tell us virtually nothing on their own.
- Information security requirements for acquisitions and mergers; in the modern economic environment, sales, acquisitions and mergers are constantly present. Do supervisory boards know how to properly prepare for and assess the information risks in these activities? It is a known principle that for threats and vulnerabilities 1 + 1 is not 2, but more.
- Compliance with standards; does the organization adhere to the principles of any of the standards in risk management and information security, such as ISO/IEC 27001? Is the organization certified against any of these standards?

Cyber risks are a fact. No organization connected to the Internet is immune to cyber threats, so every organization needs to develop an effective and efficient cyber security system. Supervisory boards are the ones who have to give the right guidance to management boards so that they can prevent, or respond appropriately to, cyber security incidents. Only a top-down system can be effective and efficient in addressing cyber security. Let's not act on the principle "we have security policies, we all have to stick to them, but of course, because I am the management board, I don't have to."

Marko Zavadlav, PRO.astec d.o.o.