How Corporate Governance Upholds Information Security

In today’s networked environment, global commerce is enabled by our critical infrastructure, and the physical security of that infrastructure is supported by information security. There is no technological silver bullet that would solve the massive issues we face. Without corporate governance, the accountability needed to avoid disasters would be lost. For example, the Enron failure forced the company, its employees, and its shareholders into bankruptcy. A more recent example is the Target breach in 2014. The Securities and Exchange Commission (SEC) concluded there was a lack of disclosure at the board level. SEC commissioner Luis Aguilar said board oversight of cyber-risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitute for proper preparation, deliberation, and engagement on cybersecurity issues.

The Rule of Law
Corporate governance consists of the set of policies and internal controls by which organizations, irrespective of size or form, are directed and managed. In 2004 the U.S. Department of Homeland Security published a set of recommendations by an information security governance task force composed of industry, academia and government experts. This report provides a model, as part of the overall governance policy, that:
    • Establishes risk management,
    • Recognizes roles and responsibilities within management structures,
    • Establishes security assurance benchmarks,
    • Defines best practices and metrics,
    • Institutionalizes training and testing,
    • Develops accountability across people, process, and technology.

Risk management is more than just an IT issue; it is a crucial component of enterprise risk management that requires board-level oversight. In several organizations, the CISO has gained a seat on the board of directors as its cybersecurity expert. Audit committees have engaged external security organizations and now cover all domains of cybersecurity as part of the internal audit function. Cyber risks also carry legal ramifications when work is outsourced to third-party providers. It is important to understand that states and countries around the world have enacted divergent legislation. With this in mind, know where your organization operates and which privacy, security and breach-notification rules apply there.
Board directors must ensure management has implemented an effective security framework that communicates enterprise risk. They must also ensure the CISO is reporting at the right level of the organization. In many organizations there is a conflict between the CIO and the CISO, and the board should take the necessary steps to ensure this does not occur. The CISO may need to report directly to the CEO or COO. The board and management must assess cyber risk on a par with other enterprise risks in an effort to identify, avoid and mitigate those risks.

The Causes of Non-Governance and Red Flags
Lapses in corporate governance arise for a variety of reasons, accumulate over time, and become systemic throughout the organization until a serious incident affecting its livelihood occurs. A common example is risky behavior that pushes revenue generation by bypassing proper governance controls. This seriously diminishes the role information security plays in the products and services the company provides and, in addition, increases the vulnerability of its internal infrastructure.
Some of the signs that a company lacks corporate governance are these:
    • The absence of an independent audit committee and of board committees, which usually consist of just a few members or a single member.
    • The absence of the Rule of Law, for instance, management that deliberately circumvents governance structures and controls and misrepresents matters to auditors.
    • Incompetent board members who lack appropriate information security knowledge and qualifications for the committees on which they serve.
    • Denial of, and disregard for, the findings of federal and state regulators, auditors, and analysts concerning the company’s financial disclosures.
    • Insufficient board transparency, responsiveness, participation and accountability.

The Equifax and Yahoo breaches, as well as many others, are the result of incompetence, suspicious behavior, and failures in responding to these massive breaches. For example, in the Equifax breach, the company confirmed that cyber attackers penetrated its systems in May 2017 through a vulnerable web application. A patch for this vulnerability had been widely available since March but was not applied. In essence, Equifax failed for more than two months to apply the patch or to take other necessary steps to mitigate the vulnerability, affecting over 143 million people.

The Road Ahead
Executive management often views information security as a technical issue having nothing to do with its business focus. However, more executives are realizing that information security is crucial to how the business of global commerce is conducted today.
Responsible corporate governance must involve risk management, executive accountability, reporting controls, and training. Active CEO and board engagement is essential to upholding information security as part of corporate governance. Using a well-executed governance framework, CEOs and boards of directors will create a safe business environment internally and, moreover, extend it to their customers and business partners interconnected throughout the critical infrastructure.
We have become increasingly aware of the importance of the integrity of the information and IT systems used by all public and private enterprises. State legislatures and Congress have taken notice by passing several laws and regulations with direct implications for everything from network security and privacy to financial reporting. For instance, the Enron calamity brought about attestations signed by CEOs declaring that the internal controls in place comply with the Sarbanes-Oxley Act. This act carries criminal penalties, and legislators in California, as well as in other states, have established regulatory regimes that determine how companies must structure their networks and secure consumer information if they want to avoid severe civil penalties, reputational damage, and massive class-action litigation.