We modeled the Cybersecurity Canon after the Baseball or Rock & Roll Hall-of-Fame, except for cybersecurity books. We have more than 25 books on the initial candidate list, but we are soliciting help from the cybersecurity community to increase the number to be much more than that. Please write a review and nominate your favorite.
The Cybersecurity Canon is a real thing for our community. We have designed it so that you can directly participate in the process. Please do so!
Book Review by Canon Committee Member, Rick Howard: Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers (2015) by Palo Alto Networks and the New York Stock Exchange
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers is a collaboration among Palo Alto Networks, the New York Stock Exchange and a number of authors. Its first edition was published in October 2015, and is available to download at SecurityRoundtable.org.
It is the first comprehensive book designed to enlighten and educate corporate directors and officers in terms of cybersecurity. The book includes more than 30 contributors, so it is meaty, and while there is some overlap in the material covered, it contains a dense collection of information around fundamental principles for the board members to do their jobs, board standards to consult, the executive whom they should rely on – the CISO, which committees they should create to support their efforts, what they should worry about in terms of fiduciary responsibility and the potential for litigation, the perceived cybersecurity disconnect between shareholders and board members, and finally, how they should think about disclosing breach information to the public.
This book is essential reading for every corporate leader in the world. It is Cybersecurity Canon-worthy, and if you haven’t read it already, it should be on your short list of must-reads.
Palo Alto Networks is one of the publishing partners on Navigating the Digital Age. Since I work for Palo Alto Networks, you may suspect a book review written by an employee of the publisher to be a bit biased, and you would be right to note that as a concern. But let me make the case as to why this review is not biased in the way that you may think.
First, if you are reading this review, you already know that Palo Alto Networks sponsors the Cybersecurity Canon. As mentioned above, Palo Alto Networks created a “Rock & Roll Hall of Fame” for Cybersecurity Books in 2013. The project’s goal is to identify a list of must-read books for all cybersecurity practitioners – be they from industry, government or academia – where the content is timeless, genuinely represents an aspect of the community that is true and precise, reflects the highest quality and, if not read, will leave a hole in the cybersecurity professional’s education that will make the practitioner incomplete.
In 2015, the Palo Alto Networks leadership team noticed that there were not a lot of cybersecurity books on the market that target the C-Suite or the people who sit on company boards. There are gazillions of books out there for the day-to-day network defenders of the world, but there is really not that much available to help senior leaders, who are usually not security geeks, think about cybersecurity.
Second, Palo Alto Networks published this book as a free giveaway in conjunction with the New York Stock Exchange. The goal is to enlighten the community, and as cybersecurity becomes more and more important to the business world, it makes sense that business leaders have a reference to turn to in order to think about the issues. Truth be told, we were hoping that such a book or resource already existed. Since it didn’t, we decided to make it ourselves, for them, and found a willing partner in the New York Stock Exchange and a number of other collaborators, including:
(Note: A full list by name can be found at the end of this review.)
All of these contributors, despite their different backgrounds, have a similar goal: discuss the main issues that every C-level executive and board member should be thinking about in terms of cybersecurity and the companies they are responsible for, and offer actionable advice on what to do. That is why you should not be concerned about my bias.
And the book is good, too, albeit a little long. Since a committee wrote it, there is some overlap in the subject matter. But I have to say, I have never seen a book with this much material concentrated specifically for the C-Suite and board of directors, including:
(Worth noting is that the discussion continues on SecurityRoundtable.org, a community that launched when the book published. Many of the book’s authors – along with other contributors recognized for their contributions to the cybersecurity discourse – are active there with essays, videos and other forms of content.)
The consensus of the authors is that the fundamental task of all board members in terms of cybersecurity is to ensure that the corporation is taking the appropriate steps to prevent material impact. If they are doing anything else, then they are wasting resources that could be used for that purpose. In other words, the corporation’s risk assessment should consider all risks through this material-impact lens and adjust accordingly.
The authors make it pretty clear that C-Suite executives and board members should be familiar with three reference documents regarding standards: the U.S. Government’s Framework for Improving Critical Infrastructure Cybersecurity, commonly referred to as the NIST Framework, the International Organization for Standardization’s ISO/IEC 27014: Information technology — Security techniques — Governance of information security, and the National Association of Corporate Directors’ (NACD) Cyber-Risk Oversight.
The NIST Framework provides a tool to assess and measure the corporation’s current cybersecurity posture and was created in collaboration between the public sector and private industry. Many in the legal community believe that when the U.S. Government published it, they created a standard of care that might be used by plaintiff attorneys to allege negligence or worse. If board members are ever sued for cybersecurity negligence, this is the document that will make or break the case.
The ISO 27014 document establishes six principles as the foundation for information security governance. In other words, this is what the board should be driving the company to accomplish:
ISO/IEC 27014 also sets forth separate roles and responsibilities for the board and executive management within five processes:
The Cyber-Risk Oversight document lists five steps that its members should take to ensure their enterprises properly address cyber risk:
This has been a pet peeve of mine for the past five years. I even presented my thoughts about it at the RSA Security Conference in 2015. I am glad to see that I am in line with the combined authors when they say that the CISO should not report to the CIO. (This is also the opinion of Cybersecurity Canon author Rich Baich, who also appears in this book.) The CIO and the CISO should be peers, and there should be a natural tension between the two organizations that they manage. The CIO is trying to innovate in order to keep the company competitive. The CISO is trying to mitigate any risk introduced by the new innovation. The two C-level executives should work together to improve the organization. If the CISO works for the CIO, then it would be easy for the CIO to override the CISO’s recommendations.
There is not one right answer for all boards – each is unique. One thing that the combined authors did point out is that many companies overload the audit committee with the responsibility to monitor the company’s InfoSec programs. The audit committee is already one of the busiest committees for any board, and saddling it with monitoring the InfoSec program will only increase the workload. The authors suggest that the board create a separate committee to relieve the burden. Jody R. Westby recommends that “A Risk Committee is the best choice for governance of cybersecurity because IT risks must be managed as enterprise risks and integrated into enterprise risk management and planning.”
The authors discussed at length the probabilities of directors and officers (D&Os) getting sued for negligence for not properly overseeing their fiduciary duty to protect the organization’s assets and the value of the corporation in terms of cyber. It turns out that there is good data about what is theoretically possible and what is really going on in the corporate world today. The authors rolled out case studies about five corporations that were the subject of very public data breach attacks: Home Depot, Target, Wyndham, TJX, and Heartland Payments. Although there is some variation, most lawsuits focused on two allegations:
According to Antony Kim,
“The risk that directors will face personal liability is especially high where the board has not engaged in any oversight of their corporations’ cybersecurity risk.”
But he also mentions that,
“Generally, directors will be protected by the business judgment rule and will not be liable for a failure of oversight unless there is a ‘sustained or systemic failure of the board to exercise oversight’...”
He says that plaintiffs must overcome a powerful court presumption that company officers have acted in good faith.
Direct litigation is not the only threat either. Activist shareholders may seek replacement of board members citing lack of confidence. In the Target example, shareholders demonstrated their lack of faith. Target’s top 10 largest investors cast votes against one or more of the company’s directors.
Patrick McGurn and Martha Carter, who at the time were writing from roles with Institutional Shareholder Services, pointed out an apparent disparity between what the directors and officers think they are doing in terms of cybersecurity and what shareholders think they are doing. They say that the good news is that directors and officers are increasingly talking about cybersecurity issues in the boardroom. The bad news is that shareholder concerns do not appear to be in alignment with those of board members.
Their observations came from looking at the results of two surveys conducted by PwC in 2014: one from the survey of 863 directors in PwC’s 2014 Annual Corporate Directors Survey; the other from the survey of institutional investors with more than $11 trillion in aggregate assets under management in PwC’s 2014 Investor Survey.
Crisis Response Plan:
Disclosures:
Outside Security Consultants:
Hire a CISO:
Use the NIST Framework:
In 2010, Commissioner Luis Aguilar of the Securities and Exchange Commission (SEC) warned public companies that the SEC would be expecting much more disclosure in public statements from companies that have been breached. On the other hand, Gus Coldebella says that there is no duty for companies to disclose material information about cyber incidents because there are currently no laws or rules explicitly demanding it. Clearly though, the SEC is interested in much more disclosure, and Mr. Aguilar has hinted in the past that the SEC expects to see it. The SEC’s guidance is that companies should disclose when:
If there is no regulation or law that requires disclosure, why would a company do it? The authors suggest that you might disclose, as a way to fend off shareholder litigation, if your program is robust enough to withstand public scrutiny or as a way to mitigate damage to brand reputation with your customers. Responsibly responding to a cyber incident in the public may actually improve your brand reputation, if done correctly, but this is not something you do on the fly. You have to plan and practice how you respond. There are not too many examples of companies doing this correctly.
Then there is the question of when to disclose.
“Target took two months after the world knew of its massive data breach to issue an 8-K; Morningstar, which releases an 8-K regularly on the first Friday of every month, disclosed its 2012 breach a little more than one month after becoming aware. Anthem, [chose] instead to wait until the next periodic report.”
The question is: do you immediately disclose with the information you have or wait until you have a better understanding of the big picture? If you go early, you can demonstrate to the world that you are on top of the situation, although you may look foolish later when the things you thought you knew change. If you wait though, and the public finds out that you waited, you run the risk of appearing to hide things. According to the authors, it is generally better to wait to disclose.
Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers is the first book that I have encountered which has such a rich collection of cybersecurity advice and education meant for C-level executives and board members. This is not a book that is meant for cybersecurity professionals, although they would benefit from it because they would learn how their senior managers should think about their problem domain. This is a book meant for all corporate leaders that tells them which issues they should be concerned about for their InfoSec programs.
The authors represent a host of cybersecurity experience: CEOs, CISOs/CIOs, company executives, security consultants, economists, lawyers, and even a government official. They discuss fundamental principles for the board members to do their jobs, board standards to consult, the executive whom they should rely on – the CISO, which committees they should create to support their efforts, what they should worry about in terms of fiduciary responsibility and the potential for litigation, the perceived cybersecurity disconnect between shareholders and board members, and finally, how they should think about disclosing breach information to the public. This book is essential reading for every corporate leader in the world, it is Cybersecurity Canon-worthy, and you should have read it by now. (Get it at SecurityRoundtable.org.)
CEOs
Axio Global: Scott Kannry, CEO
Axio Global: David White: Chief Knowledge Officer
Coalfire: Larry Jones: CEO
Coalfire: Rick Dakin: CEO
Dell: SecureWorks: Mike Cote: CEO
Internet Security Alliance: Larry Clinton: CEO
Palo Alto Networks: Mark McLaughlin: CEO
Palo Alto Networks: Davis Hake: Director of Cybersecurity Strategy
Visa: Charles W. Scharf: CEO
CSOs/CISOs/CIOs
Department of Energy: Robert F. Brese: Former CIO of the United States
Intercontinental Exchange and New York Stock Exchange: Jerry Perullo: CISO
Rackspace: Brian Kelly: Chief Security Officer
Wells Fargo & Company: Rich Baich: CISO
C-Level
Delta Risk LLC: Thomas Fuhrman: President
Governance Services: Adam Sodowick: President
The Chertoff Group: Michael Chertoff: Executive Chairman
The Chertoff Group: Jim Pflaging: Principal
The Chertoff Group: Mark Weatherford: former Principal
Consultants
Booz Allen Hamilton: Bill Stewart: Executive Vice President
Booz Allen Hamilton: Dean Forbes: Senior Associate
Booz Allen Hamilton: Agatha O'Malley: Senior Associate
Booz Allen Hamilton: Jaqueline Cooney: Lead Associate
Booz Allen Hamilton: Waiching Wong: Associate
Booz Allen Hamilton: Sedar LaBarre: Vice President
Booz Allen Hamilton: Matt Doan: Senior Associate
Booz Allen Hamilton: Denis Cosgrove: Senior Associate
Booz Allen Hamilton: Jason Escaravage: Vice President
Booz Allen Hamilton: Christian Paredes: Associate
Booz Allen Hamilton: Tony Gaidhane: Senior Associate
Booz Allen Hamilton: Laura Eise: Lead Associate
Booz Allen Hamilton: Anthony Harris: Senior Associate
Booz Allen Hamilton: James Perry: Senior Associate
Booz Allen Hamilton: Katie Stefanich: Lead Associate
Booz Allen Hamilton: Lori Zukin: Principal
Booz Allen Hamilton: Jamie Lopez: Senior Associate
Booz Allen Hamilton: Erin Weiss Kaya: Lead Associate
Booz Allen Hamilton: Andrew Smallwood: Lead Associate
Egon Zehnder: Kal Bittianda
Egon Zehnder: Selena Loh LaCroix
Egon Zehnder: Chris Patrick
Fidelis Cybersecurity: Jim Jaeger: Chief Cyber Strategist
Fidelis Cybersecurity: Ryan Vela: Regional Director
Korn Ferry: Jamey Cummings: Senior Client Partner
Korn Ferry: Joe Griesedieck: Vice Chairman and Co-Leader, Board and CEO Services
Korn Ferry: Aileen Alexander: Senior Client
Lockton Companies: Ben Beeson: Senior Vice President: Cybersecurity Practice
Stroz Friedberg LLC: Erin Nealy Cox: Executive Managing Director
Academia
Georgia Institute of Technology: Jody R. Westby, Esq.: Adjunct Professor
Legal
BakerHostetler: Theodore J. Kobus: Partner
BakerHostetler: Craig A. Hoffman: Partner
Baker & McKenzie: David Lashway: Partner
Baker & McKenzie: John Woods: Partner
Baker & McKenzie: Nadia Banno: Counsel, Dispute Resolution
Baker & McKenzie: Brandon H. Graves: Associate
BuckleySandler & Treliant Risk Advisors LLC: Elizabeth McGinn: Partner
BuckleySandler & Treliant Risk Advisors LLC: Rena Mears: Managing Director
BuckleySandler & Treliant Risk Advisors LLC: Stephen Ruckman: Senior Associate
BuckleySandler & Treliant Risk Advisors LLC: Tihomir Yankov: Associate
BuckleySandler & Treliant Risk Advisors LLC: Daniel Goldstein: Senior Director
Covington & Burling LLP: David N. Fagan: Partner
Covington & Burling LLP: Nigel L. Howard: Partner
Covington & Burling LLP: Kurt Wimmer: Partner
Covington & Burling LLP: Elizabeth H. Canter: Associate
Covington & Burling LLP: Patrick Redmon: Summer Associate
Fish & Richardson P.C.: Gus P. Coldebella: Principal
Fish & Richardson P.C.: Caroline K. Simons: Associate
Kaye Scholer LLP: Adam Golodner: Partner
Institutional Shareholder Services: Patrick McGurn: ISS Special Counsel
Institutional Shareholder Services: Martha Carter: ISS Global Head of Research
K&L Gates LLP: Roberta D. Anderson: Partner
Latham & Watkins LLP: Jennifer Archie: Partner
Littler Mendelson P.C.: Philip L. Gordon, Esq.: Co-Chair, Privacy and Background Checks Practice Group
Orrick, Herrington & Sutcliffe LLP: Antony Kim: Partner
Orrick, Herrington & Sutcliffe LLP: Aravind Swaminathan: Partner
Orrick, Herrington & Sutcliffe LLP: Daniel Dunne: Partner
Pillsbury Winthrop Shaw Pittman LLP: Brian Finch: Partner
Sard Verbinnen & Co: Scott Lindlaw: Principal
Wilson Elser Moskowitz Edelman & Dicker: Melissa Ventrone: Partner
Wilson Elser Moskowitz Edelman & Dicker: Lindsay Nickle: Partner
Government
Department of Justice: CCIPS Cybersecurity Unit
Economics
World Economic Forum: Elena Kvochko: Head of Global Cyber Security Strategy and Implementation at Barclays
World Economic Forum: Danil Kerimi: Director, Center for Global Industries