UPDATED 14:00 EST / AUGUST 28 2017

BIG DATA

Former DHS secretary says corporate boards must manage risks and expectations

Data breaches in the enterprise are no longer just a minor irritant. They have become a fact of life — a situation that brings renewed focus to the role that boards of directors should play in a company’s cybersecurity strategy.

But the challenges facing corporate boards are also tough, because the reality of today’s cybersecurity world is that building a secure perimeter around information technology infrastructure simply doesn’t work anymore. Intruders are going to get through, so the strategy becomes one of risk mitigation: being prepared to handle breaches when they occur. This is the kind of message that chief information security officers are bringing to their boards.

“You’re managing the risk, and you’re not guaranteeing that nothing bad will happen. That sense of managing expectations is critical for the board,” said Michael Chertoff (pictured, right), former secretary of the Department of Homeland Security and co-founder and executive chairman of The Chertoff Group LLC, a global advisory firm.

Chertoff spoke about board responsibility and other topics with Jeff Frick (@JeffFrick), host of theCUBE, SiliconANGLE’s mobile livestreaming studio, at the Chertoff Group Security Series “Security in the Boardroom” in Palo Alto, California. They were joined by Jim Pflaging (left), principal and technology sector and strategy practice lead for The Chertoff Group, to discuss the results of a recent study on board security program awareness, how corporations should approach security issues, the importance of data privacy and the ongoing quest to bridge public and private sector interests. (* Disclosure below.)

This week theCUBE features Michael Chertoff and Jim Pflaging as our Guests of the Week.

Study shows board knowledge gap

The Chertoff Group recently conducted a study based on interviews with more than 100 senior executives. The study showed that large, public U.S. companies in the critical infrastructure sectors (finance, healthcare and telecommunications) were well-versed in cybersecurity practices. “It’s been discussed; it’s part of a risk management program,” Pflaging said.

But directors for companies outside of those critical sectors self-reported that they were not where they should be on cybersecurity education. And their companies, more often than not, did not have the kind of robust plans and knowledge to deal with the rising threat landscape.

“I really sympathize with small and medium enterprises which simply don’t have the money to invest in terms of building up a whole standalone security system,” said Chertoff, who described alternatives such as outsourcing security functions to managed intelligence and information services. “Even if their heart is in the right place, they just don’t have the scale to do what a major bank can do in terms of an operations center.”

This dilemma will force corporate boards to examine security options in much the same way that a patient manages his or her own health. “You don’t go to a doctor and say, ‘I want you to guarantee I’ll never get sick,’” Chertoff explained. “The doctor would throw you out of the office, or they’d have you committed.”

Instead, the focus should be on how to build a healthy immune system to repel and eliminate attacks. “If the board wants to understand what are the most important parts of our corporate body we have to protect and how to build layers of defense to keep us healthy, then I think you can have an intelligent discussion about how much investment is enough,” said the former DHS Secretary.

That level of investment has become a key focus of board-level cybersecurity discussions and is leading many executives to talk openly about the correlation between IT spending and reducing business risk. Boards know they must protect the company, but they need guidance from the CEO or CISO on where to make the best investment in technology.

Private sector focus on data privacy

The challenges of enterprise security management also involve data privacy protection. Technology platforms such as personal voice-activated assistants like Amazon’s Alexa or connected devices in cars and home appliances are raising concern that a company could increasingly end up knowing more about a particular user than anticipated.

“As we hurtle into [Internet of Things] and driverless cars that are generating massive amounts of information, more and more we are going to want to do business with people that are good stewards of the information that they collect,” Pflaging said.

The growing data lake of personal information, gathered and then stored out of sight from the contributors, has put additional pressure on businesses to also implement privacy and security policies that consumers can trust. “Although individual items collected may seem fairly benign, the ability to aggregate and store all the amount of data is huge,” Chertoff said. “I do think we’re on the cusp of having some serious conversation about this.”

Ongoing dialogue around corporate security practices and board responsibility has caught the attention of Congress as well. During The Chertoff Group event, one of the advisory firm’s executives pointed out that there are currently 127 pieces of legislation dealing with cybersecurity pending action in the House and Senate. One of those is Senate Bill 536, the “Cybersecurity Disclosure Act of 2017,” which would require publicly traded companies to disclose whether any board member has cybersecurity expertise and would require action by the company if not.

This kind of activity underscores initiatives led by The Chertoff Group and others to open new channels of dialogue between government officials and the technology community. Last fall, The Chertoff Group produced a whitepaper post-election on “Prioritizing Security in the Digital Economy,” summarizing discussions with corporate executives and government officials on dealing with cyber threats.

“The government has tended over the years to develop a very rigid system of procuring, or interacting with, the private sector, and out here in Silicon Valley and other tech centers there’s a lot of focus on being innovative and nimble,” Chertoff stated. “Sometimes those two cultures need to be bridged.”

Watch the complete video interview below, and be sure to check out more of SiliconANGLE’s and theCUBE’s coverage of The Chertoff Group Security Series “Security in the Boardroom.” (* Disclosure: TheCUBE is a paid media partner for The Chertoff Group Security Series “Security in the Boardroom.” The Chertoff Group LLC does not have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE
