The 2017 edition of the National Association of Corporate Directors guidance responds to feedback that it's increasingly difficult to manage cyber risks in the boardroom. At a press conference yesterday morning at the National Press Club in Washington, DC, government officials joined the Internet Security Alliance and the NACD in releasing the "Director's Handbook on Cyber-Risk Oversight."
The free guide (hard copies are $50), introduced by Peter Gleason, CEO of the NACD, and Larry Clinton, CEO of the ISA, comprises five principles that aim to help directors at organizations large and small both better understand cyber risks and execute stronger oversight of those risks. The guide focuses on helping directors treat IT as an enterprise-wide risk-management issue, and it provides questions a director might ask to assess a board's "cyber literacy," among other tips.
Adam Hickey, deputy assistant attorney general in the National Security Division of the U.S. Department of Justice, was on hand at the event. He said work like this demonstrates the value of collaboration between the government and the private sector, and that while roughly half of all cyber attacks are brought to law enforcement's attention by an independent or third party, that doesn't necessarily have to be the case.
"Our goal is to help companies understand the threats they face before an intrusion occurs," he said. "After an incident ... we seek to hold perpetrators accountable and to raise the costs of bad behavior" by using any government power available to deter it, including economic and diplomatic sanctions.
He added that CISOs today really should not be judged by their defense alone, because a sophisticated attacker with enough time and resources "is extremely likely to succeed in breaching his or her intended target."
But that's why it's really important for companies to work with agencies like the FBI, the DoJ and DHS "before you need us," he said. Not necessarily because it will prevent an attack, but because it establishes a relationship that will be essential when one does occur.
But might it be dangerous for companies to lift the hood, so to speak, and potentially expose themselves to scrutiny in the name of establishing that relationship?
Hickey said that's not the case.
"We're talking about something very basic, which is to get to know your local field office," he said. "Get to know contacts; something as simple as having a phone number that you can call when you pick up the phone when something goes wrong."
The second part of the relationship is educational, he added, in that the government wants to give the company information that might be helpful to it and not vice versa.
"We're not coming in and asking to diagnose your network or for information," Hickey said. "We're inviting you to get to know us and let us share with you."
Danny Toler, acting assistant secretary for cybersecurity and communications at the Department of Homeland Security, said companies can elect for DHS to go in and conduct preliminary investigations of their infrastructures, identify vulnerabilities in the system and give recommendations on closing those gaps. But if DHS enters into something like that, there are agreements in advance regarding how any information that might come out of such an engagement will be treated.
"Right up front, the private-sector entity knows what we're going to know and needs to feel comfortable with that, or the engagement doesn't happen," Toler said. He added that when companies allow the government to know the kinds of threats they're facing and what's happening internally, it helps the entire ecosystem.
He also said DHS's automated-indicator sharing program has made significant progress and noted the agency's 24/7 incident-response watch center.
"Opening the kimono is not just good for one entity, but for everyone involved," he said.