The Cybersecurity Canon: Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers

We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite. 

The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!

Book Review by Canon Committee Member, Rick Howard: Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (2015) by Palo Alto Networks and the New York Stock Exchange

Executive Summary

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers is a collaboration among Palo Alto Networks, the New York Stock Exchange and a number of authors. Its first edition was published in October 2015, and is available to download at SecurityRoundtable.org.

It is the first comprehensive book designed to enlighten and educate corporate directors and officers in terms of cybersecurity. The book includes more than 30 contributors, so it is meaty, and while there is some overlap in the material covered, it contains a dense collection of information around fundamental principles for the board members to do their jobs, board standards to consult, the executive whom they should rely on – the CISO, which committees they should create to support their efforts, what they should worry about in terms of fiduciary responsibility and the potential for litigation, the perceived cybersecurity disconnect between shareholders and board members, and finally, how they should think about disclosing breach information to the public.

This book is essential reading for every corporate leader in the world. It is Cybersecurity Canon-worthy, and if you haven’t read it already, it should be on your short list of must-reads.

Introduction and Full Disclosure

Palo Alto Networks is one of the publishing partners on Navigating the Digital Age. Since I work for Palo Alto Networks, you may suspect a book review written by an employee of the publisher to be a bit biased, and you would be right to note that as a concern. But let me make the case as to why this review is not biased in the way that you may think.

First, if you are reading this review, you already know that Palo Alto Networks sponsors the Cybersecurity Canon. As mentioned above, Palo Alto Networks created a “Rock & Roll Hall of Fame” for Cybersecurity Books in 2013. The project’s goal is to identify a list of must-read books for all cybersecurity practitioners – be they from industry, government or academia – where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.

In 2015, the Palo Alto Networks leadership team noticed that there were not a lot of cybersecurity books on the market that target the C-Suite or the people who sit on company boards. There are gazillions of books out there for the day-to-day network defenders of the world, but there is really not that much available to help senior leaders, who are usually not security geeks, think about cybersecurity.

Second, Palo Alto Networks published this book as a free giveaway in conjunction with the New York Stock Exchange. The goal is to enlighten the community, and as cybersecurity becomes more and more important to the business world, it makes sense that business leaders have a reference to turn to in order to think about the issues. Truth be told, we were hoping that such a book or resource already existed. Since it didn’t, we decided to make it ourselves, for them, and found a willing partner in the New York Stock Exchange and a number of other collaborators, including:

• 5 CEOs (including ours)
• 4 CISOs/CIOs
• 6 Company executives (including one of ours)
• 1 Academic
• 14 Legal firms
• 1 Government official
• 3 Economics experts

(Note: A full list by name can be found at the end of this review.)

All of these contributors, despite their different backgrounds, have a similar goal: discuss the main issues that every C-level executive and board member should be thinking about in terms of cybersecurity and the companies they are responsible for, and offer actionable advice on what to do. That is why you should not be concerned about my bias.

And the book is good, too, albeit a little long. Since a committee wrote it, there is some overlap in the subject matter. But I have to say, I have never seen a book with this much material concentrated specifically for the C-Suite and board of directors, including:

• 5 essays on preventing material impact
• 2 essays on fundamental principles
• 1 essay on information sharing
• 1 essay on threat prevention
• 12 essays on what board members should be thinking about
• 22 essays on what the C-Suite should be thinking about

(Worth noting is that the discussion continues on SecurityRoundtable.org, a community that launched when the book published. Many of the book’s authors – along with other contributors recognized for their contributions to the cybersecurity discourse – are active there with essays, videos and other forms of content.)

The Fundamental Principle – Prevent Material Impact

The consensus of the authors is that the fundamental task of all board members in terms of cybersecurity is to ensure that the corporation is taking the appropriate steps to prevent material impact. If they are doing anything else, then they are wasting resources that could be used for it. In other words, the corporation’s risk assessment should consider all risks through this material impact lens and adjust accordingly.

The Standards

The authors make it pretty clear that C-Suite executives and board members should be familiar with three reference documents regarding standards: the U.S. Government’s Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Framework, the International Organization for Standardization’s ISO/IEC 27014: Information technology — Security techniques — Governance of information security, and the National Association of Corporate Directors’ (NACD) Cyber-Risk Oversight.

The NIST Framework provides a tool to assess and measure the corporation’s current cybersecurity posture and was created in collaboration between the public sector and private industry. Many in the legal community believe that when the U.S. Government published it, they created a standard of care that might be used by plaintiff attorneys to allege negligence or worse. If board members are ever sued for cybersecurity negligence, this is the document that will make or break the case.

The ISO 27014 document establishes six principles as the foundation for information security governance. In other words, this is what the board should be driving the company to accomplish:

1. Establish organization-wide information security (not just cyber but physical and logical as well).
2. Adopt a risk-based approach (just like every other company decision).
3. Set the direction of investment decisions (in terms of preventing material impact from cyber risk).
4. Ensure conformance with internal and external requirements (external regulations, internal policy, audit to make sure it gets done).
5. Foster a security-positive environment (from the top down).
6. Review performance in relation to business outcomes (evaluate security programs in terms of risk mitigation to the business – not for the sake of security alone).

ISO/IEC 27014 also sets forth separate roles and responsibilities for the board and executive management within five processes:

1. Evaluate
2. Direct
3. Monitor
4. Communicate
5. Assure

The Cyber-Risk Oversight document lists five steps that its members should take to ensure their enterprises properly address cyber risk:

1. Treat cyber risk as an enterprise risk.
2. Understand the legal implications of cyber risk.
3. Discuss cyber risk at board meetings, giving it equal footing with other risks.
4. Require management to have a measurable cybersecurity plan.
5. Develop a board-level plan for how to address cyber risk, including which risks should be avoided, accepted, mitigated or transferred via insurance.

Where Should the CISO Work?

This has been a pet peeve of mine for the past five years. I even presented my thoughts about it at the RSA Security Conference in 2015 last year. I am glad to see that I am in-line with the combined authors when they say that the CISO should not report to the CIO. (This is also the opinion of Cybersecurity Canon author Rich Baich, who too appears in this book.) The CIO and the CISO should be peers and there should be a natural tension between the two organizations that they manage. The CIO is trying to innovate in order to keep the company competitive. The CISO is trying to mitigate any risk introduced by the new innovation. The two C-level executives should work together to improve the organization. If the CISO works for the CIO, then it would be easy for the CIO to override the CISO’s recommendations.

Which Committees?

There is not one right answer for all boards – each is unique. One thing that the combined authors did point out is that many companies overload the audit committee with the responsibility to monitor the company’s InfoSec programs. The audit committee is already one of the busiest committees for any board. Saddling it with monitoring the InfoSec program will increase the workload. The authors suggest that the board create a separate committee to relieve the burden. Jody R. Westby recommends that, “A Risk Committee is the best choice for governance of cybersecurity because IT risks must be managed as enterprise risks and integrated into enterprise risk management and planning."

Litigation and Legal Challenges

The authors discussed at length the probabilities of directors and officers (D&Os) getting sued for negligence for not properly overseeing their fiduciary duty to protect the organization’s assets and the value of the corporation in terms of cyber. It turns out that there is good data about what is theoretically possible and what is really going on in the corporate world today. The authors rolled out case studies about five corporations that were the subject of very public data breach attacks: Home Depot, Target, Wyndham, TJX, and Heartland Payments. Although there is some variation, most lawsuits focused on two allegations:

1. That the directors breached their fiduciary duties by making a decision that was ill-advised or negligent.
2. By failing to act in the face of a reasonably known cybersecurity threat.

According to Antony Kim,

“The risk that directors will face personal liability is especially high where the board has not engaged in any oversight of their corporations’ cybersecurity risk."

But he also mentions that,

“Generally, directors will be protected by the business judgment rule and will not be liable for a failure of oversight unless there is a ‘sustained or systemic failure of the board to exercise oversight’...”

He says that plaintiffs must overcome a powerful court presumption that company officers have acted in good faith.

Direct litigation is not the only threat either. Activist shareholders may seek replacement of board members citing lack of confidence. In the Target example, shareholders demonstrated their lack of faith. Target’s top 10 largest investors cast votes against one or more of the company’s directors.

Disconnect Between Stock Holders and Board Members

Patrick McGurn and Martha Carter, whom at the time were writing from roles with Institutional Shareholder Services, pointed out an apparent disparity between what the directors and officers think they are doing in terms of cybersecurity and what shareholders think they are doing. They say that the good news is that directors and officers are increasingly talking about cybersecurity issues in the boardroom. The bad news is that it appears that shareholder concerns are not in alignment with those of board members.

Their observations came from looking at the results of two surveys conducted by PwC in 2014: one from the survey of 863 directors in PwC’s 2014 Annual Corporate Directors Survey; the other from the survey of institutional investors with more than $11 trillion in aggregate assets under management in PwC’s 2014 Investor Survey.

Crisis Response Plan:

• 74 percent of investors believe it is important for directors to discuss their company’s crisis response plan in the event of a major security breach.
• 52 percent reported having such discussions.

Disclosures:

• 74 percent of investors urged boards to boost cyber risk disclosures in response to the SEC’s guidance.
• 38 percent of directors reported discussing the topic.

Outside Security Consultants:

• 68 percent of investors believe it is important for directors to discuss engaging an outside cybersecurity expert.
• 42 percent of directors had done so.

Hire a CISO:

• 55 percent of investors said it was important for boards to consider designating a chief information security officer.
• 26 percent reported that such a personnel move had been discussed in the boardroom.

Use the NIST Framework:

• 45 percent of investors believe this is important.
• 21 percent use it.

Disclosure

In 2010, Commissioner Luis Aguilar of the Securities and Exchange Commission (SEC) warned public companies that the SEC will be expecting much more disclosure in public statements from companies that have been breached. On the other hand, Gus Coldebella says that there is no duty for companies to disclose material information for cyber incidents because there are currently no existing laws or rules explicitly demanding it. Clearly though, the SEC is interested in much more disclosure, and Mr. Aguilar has hinted in the past that the SEC expects to see it. Their guidance is that companies should disclose when:

• One or more cyber incidents materially affected the company’s products, services, customer or supplier relationships, or competitive conditions.
• If any litigation emerges as a result of a cyber incident.
• If significant costs are associated with cyber preparedness or remediation.

If there is no regulation or law that requires disclosure, why would a company do it? The authors suggest that you might disclose, as a way to fend off shareholder litigation, if your program is robust enough to withstand public scrutiny or as a way to mitigate damage to brand reputation with your customers. Responsibly responding to a cyber incident in the public may actually improve your brand reputation, if done correctly, but this is not something you do on the fly. You have to plan and practice how you respond. There are not too many examples of companies doing this correctly.

Then there is the question of when to disclose.

“Target took two months after the world knew of its massive data breach to issue an 8-K; Morningstar, which releases an 8-K regularly on the first Friday of every month, disclosed its 2012 breach a little more than one month after becoming aware. Anthem, [chose] instead to wait until the next periodic report.”

The question is: do you immediately disclose with the information you have or wait until you have a better understanding of the big picture? If you go early, you can demonstrate to the world that you are on top of the situation, although you may look foolish later when the things you thought you knew change. If you wait though, and the public finds out that you waited, you run the risk of appearing to hide things. According to the authors, it is generally better to wait to disclose.

Conclusion

Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers is the first book that I have encountered which has such a rich collection of cybersecurity advice and education meant for C-level executives and board members. This is not a book that is meant for cybersecurity professionals, although they would benefit from it because they would learn how their senior managers should think about their problem domain. This is a book meant for all corporate leaders that tells them which issues they should be concerned about for their InfoSec programs.

The authors represent a host of cybersecurity experience: CEOs, CISOs/CIOs, company executives, security consultants, economists, lawyers, and even a government official. They discuss fundamental principles for the board members to do their jobs, board standards to consult, the executive whom they should rely on – the CISO, which committees they should create to support their efforts, what they should worry about in terms of fiduciary responsibility and the potential for litigation, the perceived cybersecurity disconnect between shareholders and board members, and finally, how they should think about disclosing breach information to the public. This book is essential reading for every corporate leader in the world, it is Cybersecurity Canon-worthy, and you should have read it by now. (Get it at SecurityRoundtable.org)

References

• “Advisory Group Opposes Re-election of Most of Target’s Board,” by Elizabeth A. Harris, The New York Times, 28 May 2014, Last Visited 9 January 2016
• “CYBERSECURITY CANON AWARD WINNERS: 2015 Award Winners,” Palo Alto Networks, Last Visited 12 January 2016
• “Data Breaches Hit the Board Room: How to Address Claims Against Directors & Officers,” by Jon Talotta, Michelle Kisloff, & Christopher Pickens, Hogan & Lovells: Chronicle of Data Protection, 23 January 2015, Last Visited 9 January 2016
• “Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats,” by the World Economic Forum, 2015, Last Visited 20160109
• “Target Directors and Officers Hit with Derivative Suits Based on Data Breach,” by Kevin LaCroix, The D&O Diary, 3 February 2014, Last Visited 9 January 2016
• “Why Data Breaches Don’t Hurt Stock Prices,” by Elena Kvochko and Rajiv Pant, Harvard Business Review, 31 March 2015, Last Visited 12 January 2016

Combined Authors

CEOs
Axio Global: Scott Kannry, CEO
Axio Global: David White: Chief Knowledge Officer

Coalfire: Larry Jones: CEO
Coalfire: Rick Dakin: CEO

Dell: SecureWorks: Mike Cote: CEO

Internet Security Alliance: Larry Clinton: CEO

Palo Alto Networks: Mark McLaughlin: CEO
Palo Alto Networks: Davis Hake: Director of Cybersecurity Strategy

Visa: Charles W. Scharf: CEO

CSOs/CISOs/CIOs
Department of Energy: Robert F. Brese: Former CIO of the United States

Intercontinental Exchange and New York Stock Exchange: Jerry Perullo: CISO

Rackspace: Brian Kelly: Chief Security Officer

Wells Fargo & Company: Rich Baich: CISO

C-Level
Delta Risk LLC: Thomas Fuhrman: President

Governance Services: Adam Sodowick: President

The Chertoff Group: Michael Chertoff: Executive Chairman
The Chertoff Group: Jim Pflaging: Principal
The Chertoff Group: Mark Weatherford: former Principal

Consultants
Booz Allen Hamilton: Bill Stewart: Executive Vice President
Booz Allen Hamilton: Dean Forbes: Senior Associate,
Booz Allen Hamilton: Agatha O'Malley: Senior Associate,
Booz Allen Hamilton: Jaqueline Cooney: Lead Associate and
Booz Allen Hamilton: Waiching Wong: Associate
Booz Allen Hamilton: Sedar LaBarre: Vice President
Booz Allen Hamilton: Matt Doan: Senior Associate
Booz Allen Hamilton: Denis Cosgrove: Senior Associate
Booz Allen Hamilton: Jason Escaravage: Vice President
Booz Allen Hamilton: Christian Paredes: Associate
Booz Allen Hamilton: Tony Gaidhane: Senior Associate
Booz Allen Hamilton: Laura Eise: Lead Associate
Booz Allen Hamilton: Jason Escaravage: Vice President
Booz Allen Hamilton: Anthony Harris: Senior Associate
Booz Allen Hamilton: James Perry: Senior Associate
Booz Allen Hamilton: Katie Stefanich: Lead Associate
Booz Allen Hamilton: Lori Zukin: Principal
Booz Allen Hamilton: Jamie Lopez: Senior Associate
Booz Allen Hamilton: Erin Weiss Kaya: Lead Associate
Booz Allen Hamilton: Andrew Smallwood: Lead Associate

Egon Zehnder: Kal Bittianda
Egon Zehnder: Selena Loh LaCroix
Egon Zehnder: Chris Patrick

Fidelis Cybersecurity: Jim Jaeger: Chief Cyber Strategist
Fidelis Cybersecurity: Ryan Vela, Regional Director

Korn Ferry: Jamey Cummings: Senior Client Partner
Korn Ferry: Joe Griesedieck: Vice Chairman and Co-Leader, Board and CEO Services
Korn Ferry: Aileen Alexander: Senior Client

Lockton Companies: Ben Beeson: Senior Vice President: Cybersecurity Practice

Stroz Friedberg LLC: Erin Nealy Cox: Executive Managing Director

Academia
Georgia Institute of Technology: Jody R. Westby, Esq., Adjunct Professor"

Legal
BakerHostetler: Theodore J. Kobus: Partner
BakerHostetler: Craig A. Hoffman: Partner

Baker & McKenzie: David Lashway: Partner
Baker & McKenzie: John Woods: Partner
Baker & McKenzie: Nadia Banno: Counsel, Dispute Resolution
Baker & McKenzie: Brandon H. Graves: Associate

BuckleySandler & Treliant Risk Advisors LLC: Elizabeth McGinn: Partner
BuckleySandler & Treliant Risk Advisors LLC: Rena Mears: Managing Director
BuckleySandler & Treliant Risk Advisors LLC: Stephen Ruckman: Senior Associate
BuckleySandler & Treliant Risk Advisors LLC: Tihomir Yankov: Associate
BuckleySandler & Treliant Risk Advisors LLC: Daniel Goldstein: Senior Director

Covington & Burling LLP: David N. Fagan: Partner
Covington & Burling LLP: Nigel L. Howard: Partner
Covington & Burling LLP: Kurt Wimmer: Partner
Covington & Burling LLP: Elizabeth H. Canter: Associate
Covington & Burling LLP: Patrick Redmon: Summer Associate

Fish & Richardson P.C.: Gus P. Coldebella: Principal
Fish & Richardson P.C.: Caroline K. Simons: Associate

Kaye Scholer LLP: Adam Golodner: Partner

Institutional Shareholder Services: Patrick McGurn: ISS Special Counsel
Institutional Shareholder Services: Martha Carter: ISS Global Head of Research

K&L Gates LLP: Roberta D. Anderson: Partner

Latham & Watkins LLP: Jennifer Archie: Partner

Littler Mendelson P.C.: Philip L. Gordon, Esq., Co-Chair, Privacy and Background Checks Practice Group

Orrick, Herrington & Sutcliffe LLP: Antony Kim: Partner
Orrick, Herrington & Sutcliffe LLP: Aravind Swaminathan: Partner
Orrick, Herrington & Sutcliffe LLP: Daniel Dunne: Partner

Pillsbury Winthrop Shaw Pittman LLP: Brian Finch: Partner

Sard Verbinnen & Co: Scott Lindlaw: Principal

Wilson Elser Moskowitz Edelman & Dicker: Melissa Ventrone: Partner
Wilson Elser Moskowitz Edelman & Dicker: Lindsay Nickle: Partner

Government
Department of Justice: CCIPS Cybersecurity Unit

Economics
World Economic Forum: Elena Kvochko: Head of Global Cyber Security Strategy and Implementation at Barclays
World Economic Forum: Danil Kerimi: Director, Center for Global Industries