Cybersecurity and Fiduciary Duty

A classic cop-out technique for an MBA student who is stumped by a question is to blurt out, “The managers of this company need to ask themselves what they’re doing, and why…” It’s a proven grade-saver and the subject of many business school jokes. It’s a question worth asking in cybersecurity, though. We are in a moment when companies are spending billions of dollars on security, often without having a clear understanding of the purpose of the entire endeavor.

Why are we defending the network? Why patch servers? Why adopt data protection policies? The root answer has to do with fiduciary duty. If you’re the CISO, you’re a corporate officer tasked with protecting the shareholders’ assets from cyber threats that can diminish their value. This may seem a little abstract, but it’s the essence of the CISO’s job. As a corporate officer, the CISO has a fiduciary obligation to protect the financial value of assets like proprietary data, share price and the brand itself.


The Board of Directors is similarly engaged with the cyber defense of corporate assets. While board members may not be very interested in or familiar with IT and cybersecurity, they are well acquainted with cash flow problems that affect the stock price and with brand damage that arises from data breaches. The board and the CISO are now typically partnered in cybersecurity budgeting and in the review of security program results.

It’s not an optimal partnership, however. Even with the best of intentions, the board and the CISO are often coming at the problem with different backgrounds and agendas. To resolve differences and find a way to work together productively, companies are increasingly turning to outside advisors who are experienced in risk management. For big corporations, this means the major audit firms like E&Y, PWC and Deloitte.

There are a few advantages to bringing in an established outside advisory firm. For one thing, they come with a profound understanding of fiduciary duties and possess deep experience in implementing policies to protect shareholder assets. They’ve been doing this for industrial assets for decades. Now, they’re applying the same principles to digital assets. With this background, they can command the respect of all major stakeholders.


“We work on making the CISO more brand aware, and the board more tech savvy,” said Sean Peasley, a Partner in Deloitte’s Risk & Financial Advisory practice. “And then, we need to bring OT to the table,” he added, referring to Operational Technology. “Malware doesn’t discriminate. When Petya infected OT systems, it affected share prices even if OT was outside the purview of the CISO. It’s everyone’s problem.”

The specific cyber fiduciary and risk management conversations vary widely, but they tend to focus on recurring themes like dealing with vendor sprawl. As Dave Burg, EY’s Americas Cybersecurity Advisory Leader, explained, “When you’re trying to scope out risk and determine how to manage it, the answer is not to buy more products and hope they work.” The better idea is, as he put it, “Ask what you’re doing with the products you have.”


His team has a long track record of getting people from different parts of the organization to sit down and think through how they will or won’t use certain existing security solutions. “It can be a sensitive issue,” he explained. “People are invested in certain technologies. Reputations and careers may even be riding on them. However, it’s really important to keep the bigger picture in focus—what is the impact on corporate assets?”

Knowledge of the IT estate is another area where firms like E&Y and Deloitte can drive productive dialogues. “Auditing the entire environment requires an investment of time and money,” said Peasley. “But, you absolutely have to know what you’re running on your network if you want to protect your assets. Consider it another layer of your fiduciary duty as a corporate officer.”

Burg echoed this sentiment, noting, “You can’t be unsure about 10% of your devices, a situation that’s more common than we might imagine. It’s not anyone’s fault, really. It just sort of happens over the years, with M&A and staff turnover. All of a sudden, you run a scan and discover network-attached hardware that no one even knew existed.”


The cloud is amplifying risks to digital assets, according to Burg and Peasley. Burg commented, “We advise clients to be evidence-based, which can be challenging in the cloud… where you may not have a clear idea of who did what, and where…” For Peasley, the cloud needs to be part of a discussion of “composite risk,” which measures risk to digital assets across the entire ecosystem.

Having practical and proven approaches to risk management is essential to enabling the CISO’s and Board’s cyber fiduciary duties. What’s arguably more important, though, is the basic trust relationships involved. “We provide a neutral zone for open conversations,” Peasley explained. “Everyone knows we’re auditors. Auditors have heard it all, and then some. People feel they can be honest about what’s going on and what needs to be done.”