When selecting new board members, aim to bring on at least one person who’s technically savvy.
Boards should go through an incident response drill or a tabletop exercise on a breach to help ensure preparedness.
Having a comprehensive plan to respond to a breach is critical to mitigating damages.
Boards have contended with many risks recently, from the pandemic to supply chain disruptions to the war in Ukraine to the threat of a recession. But one risk should always remain top of mind: cyber risk. Cybersecurity should be a priority not only within the board's company, but also within that company's ecosystem of vendors and customers, as well as in the governments in countries where those parties do business.
Sudhir Kondisetty, a partner, consulting principal and national information technology risk leader at RSM US LLP, sat down with Directors & Boards (D&B) to discuss the board’s role in addressing cyber risk, including how to mitigate potential attacks.
Below is a transcript of the discussion; the conversation has been edited for clarity and length.
D&B: Sudhir, can you provide us a landscape view of potential infrastructure risks and concerns around cyber risk?
Kondisetty: It has really changed over the last decade. It used to be that cyber risk was focused on building a perimeter defence, including firewalls and external devices, to protect your internal data and systems. However, what we've seen with the growth of cloud applications and data centre outsourcing is that very little information is stored exclusively on-premises of an organization.
In the last few years, there has been a refocus on, how are you protecting your data, wherever it is? Consider cloud due diligence, data centre due diligence, vendor risk management, looking at all the possible attack vectors for an intruder—for not only yourself, but also your vendors. And that's been the biggest sea change we've seen in cybersecurity in the last 10 years.
D&B: As a current RSM board member, you have a unique perspective on how boards can look at such risks. What do you recommend boards do to get ready for those kinds of risks—cloud and off-premises risks?
Kondisetty: It's twofold. Number one is you really need to dig into what your security department and IT department are doing. If you get the answer, “They've just outsourced it, so everything's fine; they don't have to worry about the problem,” that is the problem. You have to make sure they're understanding that their responsibility around security does not stop when they've outsourced it.
You need to dig into, what are they doing to perform that due diligence on their vendors? What is their responsibility, as opposed to their vendors’ responsibility? That is when most attacks occur. They originate from inside, meaning someone's desktop or mobile device is compromised and sends information out. That person may have trusted access to an application in the cloud, and they're pulling data down, and now that's available. Your security and IT departments still have a responsibility on the internal network.
But I think the most important thing is, security is not absolute. I think we've seen that with Fortune 100 companies that have spent millions of dollars on security infrastructure and personnel, and with government agencies that have been hacked and suffered data loss. The idea must be, it’s not a matter of if we're going to be hacked, it's when—and are we going to be in a position where we can suffer data loss?
Having a good plan in place to respond to an intrusion is really important. A breach is a big deal. We don't like to use that word breach until it really is a breach. But knowing how to identify it, having a plan in place, knowing who you're going to call—that's all important to have built out before an incident happens.
D&B: Do you recommend that a board go through an incident response drill or a tabletop exercise on a breach to help exercise the muscles?
Kondisetty: Absolutely. Just like you do with a disaster, you go through the exercises. You don't actually have to call the FBI. You don't actually have to execute the plan. But, yes, a tabletop exercise making sure people are available.
I've seen some clients actually pull the plug on the internet. Those that can operate predominantly in business hours, they can take that step of actually disconnecting and see what happens. That does give you a little bit of extra protection and understanding of, if this system's down, how does it affect other systems? I would go so far as to investigate if that's possible. If not, a tabletop exercise with all the parties involved is a great idea.
D&B: What key takeaways do you have for board members as they think about cyber risk? It's easy to say this is too technically complicated. What can they do to be better at this?
Kondisetty: One important thing is when you are selecting board members, have someone on the board who's technically savvy. That does not mean they have to be an energy security engineer or a hardcore programmer or anything like that. But they should have a background in and understanding of technology.
Number two, I would have regular updates from the security office—or if you don't have a security office, the CIO—on what is happening on the security front. We, for example, have a quarterly meeting with our CIO and CSO concurrently in one of our committees, and then they do an annual presentation to the board. This allows us to see trends, what struggles they're facing, what new technology they're putting in place.
Security is always changing, and you need that steady rhythm of communication from management to really understand what's happening.