Dive Brief:
- The SolarWinds cyberattack is forcing companies to take a hard look at communications between their IT departments and board of directors. Cybersecurity officials need to gain more immediate and open access to corporate boards and learn how to clearly articulate these concerns to board members before the next major incident takes place, according to research from ISACA.
- Cybersecurity professionals need to better understand the role board members play within a company and be able to articulate everything from budgetary issues and supply chain risks to worst-case scenarios in the event of an attack, according to Rob Clyde, a board director at ISACA and executive adviser to ShardSecure.
- Companies need to create clear lines of communication between IT departments and board members, so they can make sure that investors, customers and other key stakeholders are promptly notified, according to Rick Tracy, CSO at Telos Corp. Such communication can help organizations avoid legal liability to shareholders, regulatory scrutiny and long-term damage to the brand.
Dive Insight:
The sophisticated nation-state attack that impacted about 18,000 companies and top federal agencies that used the SolarWinds Orion platform has opened up a dialogue in the IT, legal and other industries about the role of cybersecurity in the upper ranks of U.S. companies.
It has highlighted the need for cybersecurity officials to articulate potential risks and liabilities to senior management and board members before a major incident like this takes place in the future.
"What the SolarWinds [attack] did was kind of shine a bright light on in particular, the risk that companies face because of our rather complicated supply chains, how we get code, how we run code within our organizations," said Clyde.
However, IT professionals need to learn to articulate issues beyond lists of potential vulnerabilities, translating them out of technical jargon so board members can more easily understand them and take relevant action.
"The board is going to be far more concerned with some really high level questions, which is how much should we spend on cybersecurity?" said Clyde. "How do we know if what we're doing is good enough?"
Corporate boards also need to take their own series of steps to make sure they are getting accurate and independent information that hasn't been stovepiped up the chain of command and can withstand outside scrutiny, Clyde said.
For example, corporate boards in many cases have risk committees, whose job is to investigate issues like the risk of a data breach or similar cyber incident. They might need to hire an outside consulting firm to give them an honest overview of a company's vulnerabilities and how to mitigate those risks before a future attack.
There need to be clear lines of communication between IT security teams and top corporate executives and board members, Tracy said in an emailed statement. He argues that specific people should be designated as part of the line of communication between these various parts of a company to maintain accurate information.
"Perhaps the more challenging task is to understand the audience and using appropriate language to help people understand the details," he said. "Highly technical language for a non-technical audience is not helpful."
Concerns about the relationship between cybersecurity professionals and corporate boards predate the SolarWinds attack. A rise in sophisticated, global ransomware attacks in recent years, including WannaCry and other incidents, has forced companies to rethink the structure and responsibilities of corporate boards in preventing and responding to cybersecurity risk.