An Approach to Cybersecurity Risk Oversight for Corporate Directors

*This article first appeared in In-House Defense Quarterly on April 3, 2018

The growing volume and severity of cyber-attacks directed against public companies has caught the attention of federal regulators and investors. Recent guidance from the Securities and Exchange Commission (SEC) on disclosure and enforcement actions by the Federal Trade Commission (FTC) make clear that cybersecurity is no longer a niche topic, but a concern significant enough to warrant the oversight of corporate boards of directors. A high-profile cyber incident may cause substantial financial and reputational losses to an organization, including the disruption of corporate business processes, destruction or theft of critical data assets, loss of goodwill, and shareholder and consumer litigation. More and more, directors are viewing cyber-risk under the broader umbrella of corporate strategy and searching for ways to help mitigate that risk. Increasingly, thought leaders, professional organizations, and government agencies are beginning to provide answers.

Despite the plethora of cyber-risk guidance that has surfaced in recent years, however, there is no “silver bullet” for cyber incident response and prevention. Even the most resilient systems today can still be breached with the right tools and sufficient resources, and there is not yet a unified theory or framework for addressing vulnerabilities in every context. Information security is not yet a science; outside of the handful of issues falling under the field of cryptography, there is no formalized system of classification. The most prepared cybersecurity programs of today will not attempt to implement a static, “out-of-the-box” solution to cyber risk. Instead, they should remain adaptive to the particularized needs of their organization, responsive to new industry developments, and vigilant of changes to business objectives that could affect the cyber threat landscape.

While there may be no perfect path to cybersecurity, this article provides a roadmap for organizations to consider when seeking to mitigate cyber risk. Its prescription can be understood as an enterprise-level, targeted guidance approach. In particular, it advocates (1) treating the cyber risk as an organization-wide, enterprise-level strategic priority, and (2) targeting cyber-risk at applicable stages in the data lifecycle—including collection, use, sharing, and destruction—by deploying credible industry guidance, as appropriate to the organization. Such an approach carries the benefit of enabling organizations to tie their programs to recognized frameworks without sacrificing long-term flexibility. As industry developments occur, directors can operationalize new guidance, as appropriate, with minimal disruption to business processes or IT systems. The hope is that the strategy outlined herein will help corporate directors and executives who support them (e.g., legal, information technology security, privacy, compliance, and audit) make practical use of the various technical guidelines available without misaligning their systems from the broader corporate mission.

Note that the volume of cyber guidance available is too large for one article to address all facets comprehensively. Additionally, the quantity of issues that can arise throughout the data lifecycle would require a longer investigation than the scope of this paper will cover. Instead of attempting either of these Sisyphean tasks, this article seeks to demonstrate the utility of the enterprise-level, targeted approach at the governance stages, and in the implementation of certain technology tools during the stages of the data lifecycle, as appropriate. More specifically, a practical implementation of the enterprise-level, targeted approach might include:

  • Designing an Enterprise-Level Approach
    • Creating an enterprise-wide governance structure
    • Aligning cyber risk with corporate strategy
  • Implementing a Targeted Guidance Strategy
    • Adopting the NIST Cybersecurity Framework
    • Encrypting critical data assets
    • Using appropriate access controls
    • Managing digital identities

The sections below on designing an enterprise-level approach and implementing a targeted guidance strategy may help to bolster corporate directors’ understanding of their organizations’ potential areas of cyber risk. Per the SEC’s recent disclosure guidance, among other things, the effectiveness of disclosure controls and procedures are tied to an organization’s ability to enhance communications between technical experts and disclosure advisors on data management processes that may address such risks. This may, in turn, promote clearer and more robust disclosures about such risks and increase shareholder value. In each case, directors across industries may adapt the approach for their particular circumstances, which may include the size and complexity of the organization, the nature and scope of the activities at issue, the security policies and practices in place, the type and sensitivity of the data being processed, and new developments in the industry groups involved.

Designing an Enterprise-Level Approach

The first step in addressing cyber risk effectively is to view it as an organization-wide strategic priority. In January 2017, seeking to provide practical advice for directors to address their oversight responsibilities, the National Association of Corporate Directors (NACD) released its (revised) Handbook on Cyber-Risk Oversight (NACD Handbook). The NACD Handbook advocates treating cyber-risk management as an enterprise-level concern, rather than a technical or operational issue to be handled by the information technology (IT) department, while also alluding to a number of compliance strategies for elevating cyber-risk oversight to the board level with minimal disruption to other matters of corporate governance. In doing so, the NACD Handbook outlines five, action-oriented key principles for directors to follow:

  • Principle 1
    Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT-issue.
  • Principle 2
    Directors should understand the legal implications of cyber risks as they relate to the company’s specific circumstances.
  • Principle 3
    Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.
  • Principle 4
    Directors should set the expectation that management will establish an enterprise-wide cyber risk management framework with adequate staffing and budget.
  • Principle 5
    Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

In addition, evidence is mounting that regulators also view oversight of cyber protections as a board responsibility. On February 21, 2018, the SEC issued an additional cybersecurity disclosure guidance document to assist public companies in drafting their cybersecurity disclosures in their SEC filings. As detailed in a March 2, 2018, article on Sidley Austin’s Data Matters Blog entitled SEC Issues New Guidance on Cybersecurity Disclosure Requirements, the components of this publication are intended to ensure that information about cyber risks and incidents is processed and reported to the appropriate company personnel; this will enable senior management to make disclosure decisions and certifications. As noted in the guidance, the effectiveness of disclosure controls and procedures are tied to the organization’s ability to:

  • identify cyber risks and incidents;
  • assess and analyze their impact on a company’s business;
  • evaluate the significance associated with such risks and incidents;
  • provide for open communications between technical experts and disclosure advisors; and
  • make timely disclosures regarding such risks and incidents.

This SEC cybersecurity disclosure guidance appears consistent with the guidance from the NACD Handbook, certain FTC enforcement activity, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework) issued in 2014, and various NIST special publications, including the NIST Framework for Designing Cryptographic Key Management Systems, Assessment of Access Control Systems, and Digital Identity Guidelines.

Recent industry developments also weigh in favor of NACD’s enterprise-level approach to cyber oversight. Fortinet’s quarterly Threat Landscape Report, for instance, measured an eighty-two percent increase in cyber exploits in the fourth quarter of 2017, driven in large part by growth in the use of automated “swarm” attacks, which seek to target multiple vulnerabilities, devices, and access points simultaneously. Fortinet also continues to report increases in unique malware variants, suggesting an accelerating rate of sophistication on the part of cyber criminals. These trends imply a need for a rapid, cross-departmental response that originates at the top level, as well as a greater unity between matters of cyber-risk and matters of corporate strategy and resourcing.

Finally, corporate executives themselves are beginning to recognize cyber risk as a strategic priority. In PricewaterhouseCoopers’ 2017 Annual Corporate Directors Survey, seventy-two percent of directors expressed a desire to increase cybersecurity expertise on their boards. And according to the 2017 BDO Cyber Governance Survey, seventy-nine percent of public company directors report greater personal involvement with cybersecurity issues than twelve months prior. Increasingly, a consensus is emerging that cyber security is not just an IT issue, but a core, enterprise risk issue as advocated in the NACD Handbook.

Creating an Enterprise-Wide Governance Structure

Directors seeking to implement an enterprise-level cyber risk management structure should align their strategic approach with the principles outlined in the NACD Handbook. The NACD Handbook principles provide directors with a high-level understanding of how to think about cyber issues from the perspective of corporate strategy. Key to implementing these principles will be ensuring that directors are made aware of legal implications of cyber breaches. These include current liability issues faced by the organization and directors in addressing their duty of care, as well applicable reporting and SEC disclosure obligations related to cybersecurity risks and cyber incidents. Most importantly, the board should support the enactment of a manageable framework for evaluating the resilience of its cyber infrastructure and establishing clear organizational targets.

The NIST Cybersecurity Framework provides a strong benchmark in this respect. In particular, the NIST Cybersecurity Framework’s flexible approach uses five core functions  to organize cybersecurity recommendations and standards. These core functions are helpful in describing the benchmarks by which an organization may evaluate its information security program, cybersecurity preparedness, and maturity. Moreover, enforcement actions by regulators, and in particular by the FTC, provide several data security program “watch outs” and concrete examples of the consequences when companies fall short of these minimum standards; indeed, the FTC has highlighted where its enforcement activity aligns to each of these core functions, providing in itself a roadmap for corporate directors of areas for potential risk mitigation in their own organizations. In particular, in a blog article entitled, The NIST Cybersecurity Framework and the FTC, dated August 31, 2016, the FTC provided guidance suggesting that the NIST Cybersecurity Framework is consistent with the agency’s approach followed since the late 1990s in over 60 law enforcement actions and in business education guidance. While the FTC’s Consent Orders are intended to apply only to the respondents to which they are subject, the agency also uses them to provide guidance to other similarly-situated organizations and assist in their compliance with FTC Act requirements. Specifically regarding cybersecurity risks, the FTC has provided guidance to companies that aligns to the NIST Cybersecurity Framework’s five core functions:

  • Identify,
  • Protect,
  • Detect,
  • Respond, and
  • Recover.

The NIST Cybersecurity Framework also provides context for evaluating cyber risk practices across the various functional areas, and meets organizational goals with respect to each. The four NIST Cybersecurity Framework implementation “tiers” (partial, risk informed, repeatable, and adaptive) describe an increasing degree of rigor and sophistication in cyber risk management. NIST’s tier-based approach is an appealing instrument for organizations to balance the increasing security provided by certain technologies with the potentially higher cost of deployment. For example, organizations dealing with the most sensitive data—such as defense contractors—should target the adaptive tier across functional areas, while organizations with a lower risk profile may decide to target lower tiers when designing their systems. In making this determination for a given system, an organization should take into account important items impacting company strategy, such as the kinds and quantity of data at risk, the size of the attack surface, the level of digital literacy among its user base, the cost of implementing system-wide changes, and the amount of risk the organization’s stakeholders are willing to tolerate. Note, however, that NIST advises all organizations to, at a minimum, target the risk informed tier when implementing the Cybersecurity Framework.

Aligning Cyber Risk with Corporate Strategy

An organization must ensure that the level of security in its IT systems and processes are aligned with its corresponding level of risk tolerance. Since technologies that reduce the risk of intrusion can be expensive to deploy at scale, directors must be prepared to communicate their strategic priorities effectively with cybersecurity professionals and oversee an appropriate implementation that is consistent with their corporate mission and vision. To accomplish this task, directors should have an understanding of the types of data at risk (e.g., including company “crown jewels” such as IP assets, and personal information of stakeholders), where that data is located and transferred to and for what purposes, and at least a base understanding of how that data is secured. This is one place where a targeted view of the data lifecycle can be valuable; knowing where, when, and how critical data assets are collected, used, shared, and destroyed can help with the strategic planning and communications processes for the deployment of information security controls concerning such assets. This approach can work both with existing business processes and IT systems, as well as future potential areas of growth. Cybersecurity is not a “one and done” effort; directors should continually evaluate their cyber strategy, including governance structures, prior to and after deployment of critical new business processes and in the wake of data incidents that may occur. Indeed, organizations should be preparing to deploy such enterprise-level, targeted guidance strategies today, as doing so will prepare them for what will become increasingly complicated cybersecurity issues going-forward, in areas such as the Internet of Things (IoT), blockchain, and smart contract spaces.

Key to effective implementation will be ensuring that directors and cyber-professionals are speaking the same language. Emphasis should be placed on maintaining strong cross-departmental lines of communication, including ensuring that cyber risk is discussed at board meetings, developing a common vocabulary based on industry guidance, and scheduling deep-dive discussions on issues of cyber risk and its relation to company performance. In addition, the board should assign a specific chain of command and accountability structure for incident response and the implementation of new cybersecurity protocols.

The NACD Handbook, in this respect, suggests steps such as nominating a cyber-expert to the board itself, creating a cross-departmental cyber committee that reports directly to the board, or implementing formal director-education training. Directors should consider which of these solutions best serves the needs of their organization, taking into account factors such as the market availability of such cybersecurity expertise, the breadth of the organization’s attack surface, and the sophistication of the organization’s data processes. In particular, organizations that already possess a defined hierarchy in the field of information security and privacy, including the designation of individuals as a Chief Information Security Officer (CISO) and/or Chief Privacy Officer (CPO), may benefit by also including individuals on the board with credentials and experience in creating and implementing related strategies; these individuals may also assist in communicating with staff CISOs and CPOs on appropriate information security and privacy measures and resources needed to help enable company strategic priorities. In contrast, organizations wherein issues of information security are horizontally integrated may be more inclined to implement a committee-based approach that would include staff CISOs and CPOs in board matters involving cybersecurity strategy, as appropriate; this may enable the synthesis of various security and privacy processes across departments. Finally, organizations with a lower budget for addressing information security may benefit from implementing a director-education solution that includes training on cybersecurity issues, and reports on cybersecurity testing and monitoring. Periodic cybersecurity assessments, including those done by third parties, as well as appropriate legal advice by in-house or outside counsel is recommended in all cases. In sum, directors should not be left “in the dark” about issues of cyber risk, but rather should set the “tone from the top” by gaining facility with discussing such issues in the same context as other matters of corporate strategy.

Implementing a Targeted Guidance Strategy

While the idea of enterprise-level cybersecurity oversight is conceptually appealing, concrete standards and procedures to achieve that oversight may remain elusive. The rapid evolution of the cyber threat landscape combined with the expanding attack surface that accompanies the digitization of corporate processes imposes an increasingly high burden on directors both to remain aware of industry trends and to proactively address system vulnerabilities while they arise and before they can be exploited. Addressing these responsibilities is further complicated by the particular nuances of the cybersecurity field. Conducting cybersecurity attacks is relatively inexpensive, but can be highly profitable, even without a particularly advanced skillset, while corporations can have difficulty in justifying cybersecurity spending from the perspective of achieving an adequate return on investment. And although legislatures, regulators, and thought leaders continue to search for the right approaches, actually implementing specific solutions is far from straightforward, given the variety of risk profiles and investment levels that can apply to a particular corporate context.

Adopting the NIST Cybersecurity Framework

The aforementioned difficulties point to the fact that there is no one-size-fits-all guide for appropriate cybersecurity and information security controls. Despite the fluid nature of the cyber landscape, however, corporate directors may mitigate the risk of scrutiny from the press or shareholder litigation by aligning their company information security program to appropriate, recognized cyber frameworks. These include the aforementioned NIST Cybersecurity Framework and accompanying NIST special publications, the International Organization for Standardization (ISO) Guidelines for cybersecurity, FTC case law and guidance in this area, and various guidance pieces proffered by the SEC that are tailored specifically toward cybersecurity issues for publicly traded companies. These organizations’ publications provide credible instruments for directors to help address their oversight responsibilities in relation to cyber risk management, while the NIST publications, in particular, provide a flexible framework for internal benchmarking and designing tailored solutions for implementation in specific functional areas.

So, which cybersecurity framework is recommended for your organization? It is worth noting that implementation of the NIST Cybersecurity Framework has been referenced by the NACD, FTC, and SEC as a viable approach that can help to address company cybersecurity needs. Additionally, statements by SEC commissioners demonstrate that they take board cybersecurity oversight responsibilities very seriously, and point to the NIST Cybersecurity Framework as a basis for devising solutions. For example, in a February 27, 2018, press release announcing new SEC interpretive guidance on disclosures, SEC Chairman Jay Clayton stated, “I believe that providing the Commission’s views on these matters will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors . . . . In particular, I urge public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” The 2018 guidance supplements the SEC’s October 13, 2011, CF Disclosure Guidance: Topic No. 2, which provides “the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.” Also, at a conference at the New York Stock Exchange on June 10, 2014, SEC Commissioner Luis Aguilar warned that “boards that chose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril,” and suggested that boards consider the NIST Cybersecurity Framework, in particular, as a “conceptual roadmap” for assessing the company’s cybersecurity measures, explaining that “it will likely become a baseline for best practices by companies” and that certain firms have chosen to “create a separate enterprise risk committee of the board” with primary responsibility for overseeing cybersecurity in order to translate the NIST Cybersecurity Framework concepts into action plans.

As illustrated above, the NIST Cybersecurity Framework is worthy of consideration. Moreover, the sections below seek to provide means for operationalizing relevant NIST technical guidance. This information may be useful for organizations seeking to mitigate cyber risk in these areas; the approach taken may also be demonstrative of how to deploy the targeted guidance strategy to address problems of cyber risk as they arise.

Encrypting Critical Data Assets

Directors should develop at least a high-level familiarity with how data is secured (e.g., encryption of critical company data, both while at rest and in motion). One place to start may be ensuring organizational awareness and use (by the IT security, legal, and audit departments, in particular) of the NIST Framework on Cryptographic Key Management Systems (CKMS Framework), published in 2013. The CKMS Framework provides design specifications and a technical checklist for the cryptographic protection of an organization’s critical assets within an information system. It focuses in particular on three high-level functions served by cryptography across an information supply chain:

  • Confidentiality
    Confidentiality describes encryption that provides protection of data from unauthorized disclosure through the use of encryption algorithms that transform plaintext into unintelligible ciphertext and decryption algorithms that do the reverse.
  • Integrity
    Integrity describes encryption that provides protection of an information system from unauthorized modification through the use of authentication algorithms that calculate an authentication code or digital signature as a function of the protected data and a separate cryptographic key.
  • Source Authentication
    Source Authentication describes encryption that provides assurance that data came from a particular entity through the use of verification algorithms against digital signatures.

Intended for use by designers, the CKMS Framework also is of use to directors, who should understand the above three functions because they illustrate why systems are encrypted under specific circumstances. Directors should also ensure that cyber professionals are aware of its existence and understand the various mechanisms that are available to encrypt data across these three functions. Finally, as noted in the SEC’s Cybersecurity Ransomware Alert from May 2017, it is becoming increasingly helpful for executives to know what encryption protocols are in place across various systems—specifically whether systems utilize a 128-bit, 196-bit, or 256-bit cipher—as well as whether periodic cyber-risk assessments, penetration resting, and regular employee security awareness training are in place. For example, the results of deploying a framework such as CKMS to address company critical information assets, and its impact on cyber risk, could readily be rolled-up into a dashboard for review by an appropriate board committee on cybersecurity, or the full board, as needed. Such information may prove critical for internal discussion and decisions related to appropriate SEC disclosures.

Using Appropriate Access Controls

With the growing sophistication of Trojan horse attacks, malware, and other Incidents of Compromise (IOCs) rooted in unauthorized access, it is very important for organizations to understand which users have access to critical infrastructure, as well as what controls are in place to ensure that those privileges are available only for those users. Such access can result in critical company data compromise, theft, lateral movement by bad actors within company systems or between operating companies, and even exfiltration of the data. Directors can provide value to the organization by effectively communicating their strategic priorities to cyber professionals and helping ensuring that access control policies serve corporate risk objectives.

Directors can utilize NIST’s Assessment of Access Control Systems (NIST Assessment), which seeks to provide guidance on determining the allowed activities of legitimate users and how authorizations are structured. Access control policies implicate which users have the ability to read, write, modify, or communicate data within a system, as well as which ones are able to install new software, modify system processes and system configurations, and create or modify system access controls. This NIST Assessment outlines the most commonly used access control policies for organizations and specifies, in technical detail, the mechanisms available to implement those policies; these policies may be tailored to an organization, based on its size and scope, and types of data managed. While the original document was published in 2006, NIST has confirmed the continued relevance of this NIST Assessment as recently as in 2016 as an access control policy framework.

The specific technical mechanisms used to implement access control policies are the domain of cyber professionals—who should therefore be made familiar with its findings—but the NIST Assessment is also helpful to directors insofar as it categorizes access control policies. At a base level, directors should familiarize themselves with the various categories of access control policies and where their own systems may align; this knowledge provides a high-level understanding of how access rights are determined, ensuring a correct policy design choice can thereby could mitigate the risk of assigning unauthorized privileges to sensitive data. Indeed, given that U.S. state data breach notification law requirements often are triggered when certain types of personal information has been accessed or acquired by someone who is unauthorized, company privacy and cyber attorneys, IT security professionals, and privacy and audit teams should be brought into the discussion, as well. The access policy design structures outlined in the NIST Assessment include:

  • Discretionary Access Control
    The weakest but most flexible form of access control, discretionary policies enable any user with access to an object to extend that access unilaterally to another user. Because discretionary access control policies share this transitive characteristic and also are particularly vulnerable to Trojan horse attacks, these policies should be limited to contexts with non-sensitive data or among a trusted subset of users.
  • Mandatory Access Control
    Commonly used in military contexts, mandatory policies imply that all access control policy decisions are made by a centralized authority, such that individual users cannot change access rights.
  • Role-Based Access Control
    Role-based policies assign roles to users based on their competencies and responsibilities within the organization, and can therefore be prudent for systems utilized across multiple departments in an enterprise.
  • Temporal Access Control
    Temporal policies impose time-based restrictions on access and can therefore be useful in limited resource scenarios where the organization seeks to constrain use to particular times (e.g., 9 a.m. to 12 a.m. on weekdays) or to control time-sensitive activities.

In addition to the NIST Assessment, directors may also rely  on sector-specific guidance, including a NIST white paper entitled Privileged Account Management (tailored for the financial services sector), the ISO’s guidelines entitled Privilege Management and Access Control (tailored for healthcare organizations), and the SEC’s Regulation S-ID (for broker-dealers). Although these materials do not substantially differ in their high-level conclusions regarding access control policy, their sector-specific guidance may be particularly useful for business process owners during a major new system’s implementation phase, depending on the industry group. This is particularly the case given that questions of access control are interwoven with the vertical and horizontal structure of an organization, as well as the types of data that are being handled, both of which can have sector-specific characteristics.

Managing Digital Identities

Increasingly, cyber-attacks are occurring through a compromise of user credentials, including the use of phishing, keylogging, and brute force attacks. These types of incidents give rise to a distinct set of issues because they involve the ways in which users enter a system, rather than (as in the case of access control policies) what resources they are able to access and modify once they have entered. Once again, however, directors can provide value through effective cross-departmental communication and understanding the high-level issues involved.

In this vein, NIST published its four-volume Digital Identity Guidelines on June 22, 2017, seeking to provide guidance for building more secure forms of digital identities for authentication. The primary purpose of the Digital Identity Guidelines is to promulgate technical requirements for federal agencies; however, businesses could use the Identity Guidelines as a baseline for evaluating their own cybersecurity systems—both to establish credibility and enhance the user experience. The first volume of the Digital Identity Guidelines provides an overview of digital identity systems. Each subsequent volume focuses on one of three components of identity assurance:

  • Enrollment and Identity Proofing
    Enrollment involves (1) resolving a claimed identity to a single unique user, (2) validating the accuracy of the identity data against authoritative sources, and (3) verifying that a claimed identity is that of the user claiming it.
  • Authentication and Lifecycle Management
    Authentication is the ongoing process of associating subscribers with their online activity based on (1) “something you know” (e.g., passwords), (2) “something you have” (e.g., smartphones), or (3) “something you are.”
  • Federation and Assertions
    Federation occurs when a third party authenticates a given subscriber and subsequently submits the relevant identity information to the system owner.

Across all three components, NIST places particular emphasis on adopting design practices to reduce unnecessary user frustration with password and identity systems. For each functional area, directors can add value by ensuring that the organization has internalized certain high-level concepts.

In the area of enrollment, NIST emphasizes: (1) minimizing data collection to the smallest and least invasive set of data; (2) incorporating automated processes to validate identity data against authoritative sources, including government datasets; and (3) avoiding repetitive data input by tying allowing users to use a single authentication across multiple sources. The key priority here is to ensure that a digital user can be tied to a human identity with minimal data collection and efficiency losses.

In the area of authentication, NIST emphasizes simplifying password rules (including allowing passphrases with spaces and not requiring special characters, capital letters, or numbers), eliminating expiration dates on passwords, and allowing multiple methods for secondary factor authentication (e.g., email, text, or biometric). Although these specific suggestions may seem counterintuitive to some, empirical analysis has found that such requirements hurt rather than enhance information security. This is because burdensome password requirements do not meaningfully enhance system resilience in the face of modern hacking techniques, and the higher user frustration resulting from such requirements increases that likelihood that passwords will be stored unsafely.  That is to say, a growing consensus is emerging that authentication systems should “favor the user”—which should come as welcome news for directors hoping to enhance their organization’s productivity while also increasing security.

The final area of digital identity management subject to NIST treatment is federation, which describes the use of password managers and other third-party identity managers (IdPs). Like NIST’s recommendations in the area of authentication, password managers can substantially enhance security for the average user, while also eliminating the need for a human user to remember his or her password for every system. Through a password manager, the human user need only remember the password for the password manager itself, which can then automatically enter passwords into other systems, including highly-complex, strong passwords that are more resilient to cyber-attack. The NIST Digital Identity Guidelines favor allowing the use of password managers and other IdPs, including allowing these managers to enter passwords automatically into organizational systems. Therefore, if they have not already done so, directors should consider discussing the organization-wide use of password managers with cyber professionals and others working for the company, as appropriate.


While the dynamic and evolving cyber threat landscape can be intimidating, corporate directors seeking to oversee cybersecurity in their business operations are not without resources. The NACD, NIST, FTC, and SEC have all provided guidance for managing and reducing the costs associated with cyber risk. Directors should establish enterprise cybersecurity governance and ensure their cybersecurity and privacy professionals are aligned on strategies to operationalize the guidance at appropriate stages of the data’s lifecycle. NIST has emerged as a viable cybersecurity framework for companies; directors should understand that the approach to its implementation will be tempered by the size and complexity of the organization, the nature and scope of its business activities, security policies and practices, the type and sensitivity of the data processed, and developments in the industry. Such an approach should help directors with enhancing communications between technical experts and disclosure advisors regarding data management processes that may address such risks; it should also foster a “tone from the top” and a cyber-resilient corporate culture.

The first step is to treat cyber risk as an enterprise-level priority, rather than an issue purely for the IT department. This occurs by opening up effective lines of communication between directors and cyber professionals—including bringing the latter to the board table—and providing directors with an understanding of the issues involved. This article advocates a targeted guidance approach that deploys credible benchmarks, mechanisms, and cyber risk strategies at appropriate points in the data lifecycle within organizations; the launch of a major new strategic initiative or business process may be a good place to start. This approach gives directors a basis upon which to begin addressing cyber risk at the enterprise-level, while also providing both the flexibility to tailor authoritative guidance to the specific circumstances of the organization and the adaptability to stay up-to-date with industry trends. The key in many cases will be effectively aligning an organization’s broader corporate strategy to the specific risks identified in your company’s cyber threat landscape.

As stated previously, directors should be considering this approach with existing business processes and IT systems, as well as future potential areas of growth. Organizations should be preparing to deploy such enterprise-level, targeted guidance strategies today, as doing so will prepare them for a future filled with increasingly complicated cybersecurity issues in areas such as the IoT, blockchain, and smart contract spaces.