By: Kevin Magee
In light of the countless cyber incidents reported daily—including high-profile database breaches that have impacted millions of patients—the question of risk responsibility is more front and center than ever before. To date, there's remained a troubling tendency to view cyber security as fundamentally different and separate from other organizational risks. Or, it's simply viewed as an "IT problem" best left handled by those with the requisite experience and operational subject matter expertise.
Just because something is complex and highly technical doesn't absolve senior leadership of their responsibility for it. Hospital board members and executives have long been responsible for protecting their organizations from complicated and complex risks associated with quality, patient safety, and evolving medical innovations without the benefit of having attended medical school.
Needless to say, cyber security can no longer be ignored or treated separately by senior leadership. Because if it is, who then owns cyber security risk management?
The Role and Responsibility of the Board
Many boards delegate cyber security governance and oversight to an audit or risk committee. Others approach it as a separate strategic priority or within an existing enterprise strategic risk management governance structure. Some don't address it at all.
The size, industry, and business complexity of an organization often dictates the approach. For example, the board of a bank concerned for the most part with financial matters would likely take a very different approach to cyber security governance than a Hospital with extensive IP-enabled medical devices physically attached to patients.
Regardless of the approach, just as boards are ultimately responsible and legally accountable for overseeing an organization's financial health, systems and controls, so, too, are they responsible for providing strategic risk management direction to senior leadership as well as oversight of systems, policies, processes and controls in regards to cyber security.
While board members may not actually need to be able to write firewall rules themselves, they certainly must attain and maintain an acceptable level of "cyber security literacy." And they need to ensure the fulfillment of their governance, oversight and fiduciary responsibilities by making cyber security a strategic priority and holding management accountable for managing and reporting results.
The National Association of Corporate Directors has nicely distilled these responsibilities down to five principles:
PRINCIPLE 1: Directors need to understand and approach cyber security as an enterprise-wide risk management issue, not just an IT issue.
PRINCIPLE 2: Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
PRINCIPLE 3: Boards should have adequate access to cyber security expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda.
PRINCIPLE 4: Directors should set the expectation that management will establish an enterprise-wide, cyber-risk management framework with adequate staffing and budget.
PRINCIPLE 5: Board discussion of cyber risk management should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
More complete details on these principles are available in the NACD Director's Handbook on Cyber-Risk Oversight.
The Role and Responsibility of the CEO
While the board is responsible for providing strategic direction and oversight, the CEO is ultimately accountable to the board for the operational management of cyber security risk and the implementation of policies, procedures and controls to ensure these objectives are being met. This responsibility includes reporting to the board in a timely, transparent and detailed manner.
Often, the CEO will defer to the chief information officer (CIO) or, if the organization is larger and more complex, possibly the chief information security officer (CISO) to present quarterly or annually to the board. These presentations can sometimes take the form of assurances that "everything possible is being done" and may also include metrics and key performance indicators as data points for review.
Where this approach falls short of proper governance is in the case where there was an inability to meet key performance indicators or an actual breach occurred. The CEO cannot shift responsibility onto the shoulders of the CIO or CISO and lay blame with the IT department. This would be the equivalent of the CEO differing to the CFO to present a dismal financial report to the board and blaming the accounting department for a drastic financial error or loss.
The inability of a CISO to meet key performance indicators might be due to insufficient budget priority given to cyber security in general or, alternatively, a drastic decline in revenue might have resulted from loss in confidence due to a security or privacy breach. Today, there is no way to separate cyber security from all other strategic objectives and operations of any organization, regardless of its complexity.
Moreover, each individual department must also embrace cyber security as a daily operating imperative and priority. The extent to which they do so will be a direct reflection of the level of strategic priority given to it by both the board and CEO.
Along with setting the proper "tone from the top," the CEO must provide direction and resolve conflicts related to conflicting departmental priorities. For example, public relations may want to ensure that a new website feature is easy to use and insist on removing friction to patient adoption of the service such as second-factor authentication or other security enhancements demanded by the I.T. department.
Balancing the need to drive adoption to increase efficiency and improve patient satisfaction versus the need to protect patients and the organization is not a decision that can be made by front line management. Nor should they shoulder the responsibility without at least some level of strategic guidance.
Ultimately, there is no escaping the reality that the board is responsible for oversight and strategic direction of risk management related to cyber security while the CEO owns operational management responsibility. However, these responsibilities need to be aligned and integrated into all other strategic and operational business decisions.
Accordingly, the IT department or the CISO are responsible for the day-to-day activities required to implement, manage and report on cyber security risk and should report to a member of the senior leadership team or the CEO directly who can oversee the enterprise's cyber security program decision-making, and to whom the board can look as accountable for cyber security.
So who owns management of cyber security risk?
The question is best answered in terms of who owns financial risk within the organization? Or who owns patient safety risk? Or who owns risk associated with overall community confidence? These questions simply cannot be separated from who owns cyber security risk management because they are completely intertwined.
Each organization may take a different approach to answering these questions, however elevating cyber security risk to the strategic level of these other risk categories, recognizing that it also intersects significantly with all of these other risk categories and dealing with it as a strategic priority at all levels of the organization is no longer optional.
Kevin Magee will be facilitating the upcoming Practical Cyber Security Governance for Hospital Boards and Executives program on May 5, 2017. For program information and to register, click here