This (cyber security) is not a server room issue

For anyone who has listened to me over the last 10 years, this is old news.  I have been saying that cyber security is no longer an IT problem, but rather a Board Room problem.

Now I am getting some support from an interesting place.

Gus Coldebella, former general counsel at the Department Of Homeland Security and now a partner at Goodwin Procter (the 38th wealthiest U.S. law firm with about 900 attorneys) is saying it too.

In a white paper for the security firm Bit9+Carbon Black, Coldebella says:

If there is one overarching success that we in the cybersecurity community can claim over the last year to 18 months, it’s that the mantra “this is not a server room issue, it’s a boardroom issue” has finally started to take hold.

I might argue about how well it is taking hold, but there is certainly a lot of discussion about that subject, which is a good start.  Probably, at Target and Home Depot, it IS a boardroom issue, but what about the millions of mid-tier companies?

Coldebella (and I) recommend a top to bottom risk assessment, considering risk, vulnerability and consequence.  I would say this should be part of any merger, acquisition or major investment, as well.

Coldella further says that companies have probably over invested in protecting PII and under invested in protecting corporate information that could cause more long term harm.

To assess vulnerability, the company must, in light of the digital assets that it has, ask high-level strategic questions: What data might the attackers be interested in? How is it safeguarded? What systems are in place to let the company know that that data has been exfiltrated or tampered with? And if the data is stolen or altered, who will be affected, and how can the company recover? Companies are starting to realize that the bad guys aren’t just interested in personally identifiable information. For too long, companies have focused on, and probably overinvested in, PII security, because PII generally requires some disclosure under various states’ laws. This seems to have resulted in underinvestment in the security of other digital assets—such as intellectual property, executive communications about sensitive matters such as M&A transactions, other important business and financial information, and even private conversations that could be embarrassing or worse if disclosed—all of which could cause more harm to a company’s reputation, value, and future   prospects than even a PII breach could.

One last quote – Director’s liability

This is not a “one-and-done” board meeting. Boards of
directors must remain vigilantly focused on security of a company’s digital assets, given that the threat is always changing and the adversary is constantly improving. Under the Caremark standard (after Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959 (Del. Ch. 1996)), members of boards of directors could be found to have violated their duty of loyalty—and could be held legally liable—if they fail to oversee management’s approach to cybersecurity, so from a corporate governance point of view, it is better for the board of directors to act than not to act.

It is fair to say that Gus is an attorney and he practices cyber security law, so he also has a vested interest in the subject, but it is also fair to say that Goodwin Procter likely has a pretty good legal department, so they are not going to let him say anything they don’t believe.