Report: Boards Typically Updated On Cybersecurity Only After An Incident

A recent report from the Ponemon Institute suggests that boards of directors may need to improve communication with IT teams in order to protect against growing cyber-attacks on industrial controls systems (ICS) and operational technology (OT) environments. In fact, some may only be updated on cybersecurity matters when a security lapse occurs.

According to the report, many companies are not addressing the fact that different governance controls and procedures are required to safeguard different areas of the company. Boards should work to ensure that they understand the expanding scope of cyber risk, and that there is a comprehensive cybersecurity strategy in place with clearly defines the roles for the IT team, management executives and corporate directors.

The report said that 63 percent of the 603 survey respondents’ organizations had experienced an ICS or OT cybersecurity incident within the last two years, yet only 35 percent had implemented a unified security strategy program to secure both the IT (industrial) and OT (operational) environments of the company.

Additionally, the report found that C-suite executives and the board of directors are not regularly informed about the efficiency, effectiveness and security of their cybersecurity program. Only 35 percent of respondents said that someone responsible for ICS and OT cybersecurity reports information about IT and cybersecurity initiatives to the board. And of those, 41 percent said that they only received cybersecurity updates when a security incident occurs. If management executives, the board and the IT teams aren’t sharing the same information, it will be nearly impossible for companies to stay ahead of fast-evolving cyber threats. To combat this risk, boards should consider:

• Conduct a comprehensive review of the cybersecurity measures currently being implemented by all IT teams. The board and the management team must understand what is currently in place in order to determine if the company has adequate cybersecurity. If the board does not have a true cybersecurity expert among its ranks to oversee a review of all security systems, it may be necessary to bring in an outside consultant to determine where vulnerabilities are and how they can best be mitigated.

This comprehensive review should also be used as an opportunity to educate the board and management teams about the interaction between all those responsible for the industrial control systems (ICS) and operational technology (OT) systems of the company. The report authors make it clear that there are “fundamental differences between the problems and goals of a corporate IT environment—data safety and security—and industrial environments, where human health and safety, loss of physical production and facility shutdowns are real risks.” Effective cybersecurity measures will account for those differences and create clearly defined roles for industrial and operational team members, management executives and board members to follow if a cyber incident occurs. According to the report, only 48 percent of respondents said their organization understands cyber risks and have specific security processes and policies for OT and ICS environments.

A comprehensive review of cybersecurity measures will also allow the board and management to allocate an appropriate budget for security programs. A clear picture of what is currently being spent on security and what new risks the company faces will give the board enough information to determine what level of resources will be needed to protect the company’s industrial and operational systems.

• Create a cybersecurity or IT committee that reports to the board or appoint a cybersecurity expert to the board. Cybersecurity will continue to be an ongoing threat to all companies in all industries, so someone should be appointed to monitor these threats and keep the board and management team informed about strategies that can protect against security-related disruptions. A committee of IT executives that is responsible for cybersecurity measures and reports to the board may work for some companies, while having a board member with extensive cybersecurity experience who can suggest effective security procedures and evolving safety measures may also be effective.