Directors face the new future of security

Boards say leaders have adapted well. But the adaptation has just begun.

Businesswoman using a tablet and standing The “new normal” is defined by change, and those changes will continue.

“I think it’s well established that we’re neck-deep in the new normal,” said Grant Thornton Principal and Forensic Technology Practice Leader Johnny Lee. Managers have responded well so far, according to a poll at a recent forum hosted by Grant Thornton and the National Association of Corporate Directors (NACD). In the poll, 93% said that their management teams have handled the pandemic “Very well” or “Extremely well.”

NACD chart

During the forum, Shelley Leibowitz, Director of E-Trade Financial and Massachusetts Mutual Life Insurance Company, recalled that “One seasoned financial services CEO told me ‘I didn’t realize we could function so well remotely, and I didn’t realize our technology would be so reliable.’”

Leibowitz noted that many years of work have built up the tools and infrastructure for connectivity – but recent events drove the behavioral change that put those tools to the test. “Anybody who has worked in digital transformation knows that it requires behavioral change. Who thought we would have parents and grandparents of all ages, and all sorts of technical comfort levels, signing on to Zoom sessions this year? To me, the biggest surprise in this new normal is the behavioral change.”

But when behaviors change, risks change, and today there are new risks that might remain exposed. “As the workforce continues to get stretched and distributed, defenses are weakened and enterprises become prime targets,” said NACD Special Advisor on Cybersecurity Chris Hetner. “This is all going to translate into a larger and more advanced attack surface – the number of devices is now greater than the number of humans, and that creates exposure.”

“With that, it’s incumbent upon the board and enterprise risk management to identify how these risks will manifest themselves, and how they will impact the business,” Hetner said.

Most companies have done a great job of adapting to the pandemic’s new operational challenges, but many have not adapted to new cybersecurity risks.

Continue the adaptation So, how can boards help ensure that management is prepared for cybersecurity risks?

Atlanta Johnny Lee“The key to this is management’s agility to pivot when needed and where needed… scenario planning can help both boards and management teams prepare.”

– Grant Thornton Principal and
Forensic Technology Practice Leader
Johnny Lee
Boards should ask their management teams about newly introduced technologies and security practices, to see if they have adapted new detective and preventive controls that address these changes. “The key to this is management’s agility to pivot when needed and where needed,” Lee said. “There is, of course, a risk of over-engineering or under-engineering for adaptation, but couching the conversation in terms of risk is the great equalizer, because it allows for conversations about cybersecurity risk that are multi-disciplinary and comprehensive.”

“There has been a shift in the perimeter that we have to protect. For many organizations, it’s debatable whether there’s a perimeter at all,” Lee said. “In March, the perimeter changed from a fairly well-defined enterprise phenomenon to – in many cases – the personal laptops of hourly employees. That is not a trivial change, and it doesn’t lend itself to traditional defensive strategies like purchasing a firewall or locking down data transfers via a data loss prevention system.”

Prepare for future changes Directors need to help management teams adapt their focus on cybersecurity risks – and understand that even more changes are coming.

“I think everyone has a genuine appreciation that the pandemic introduced forced digital transformations for many organizations,” Lee said. “But, organizations now face another adaptation on the near-term horizon, one that will resemble neither the current crisis state nor what preceded it.” Leibowitz agreed that “we will be in massive transition over the next 18 to 24 months.”

Cyber-attacks can lead to a risk of business interruption, data loss, regulatory violations, balance sheet impacts, customer litigation and more. “When you talk about those risks and the cost of restoring systems, you start wrapping some economic and business value around cyber events, and that conversation resonates with the board,” Hetner said. Leibowitz agreed, “There’s a progression I’ve seen in the last ten years, and that progression was moving from a very technical, low-level and granular focus on cybersecurity, to a broader focus on privacy, now to content and voice and what you say in the public domain. I think it’s really important to have enough understanding of cybersecurity to put it in a business context and a framework for decision making.” Lee said “We need to reposition cybersecurity as another enterprise-wide risk – not a purely technological phenomenon.”

To ensure that management focuses on cybersecurity risk and prepares for future changes, boards can consider some key risk management questions:

Ask about process
  1. Are there processes that require us to integrate security as part of introducing new technology, partnering with third-party suppliers, creating new platforms or products internally, or other business advancements?
  2. Are there processes that require security checks and evaluations as part of other strategic decisioning?
  3. Is there a governance approach where business owners include security in discussions about how to ingrain or engage cybersecurity in platform design before engaging cloud providers or third-party partners?
  4. When we employ new technological solutions, such as AI-driven marketing, how do we evaluate the new solution’s risks for cybersecurity, data privacy and business decision making?

Ask about adaptation
  1. Given recent changes, what is new or accelerated that might have introduced new risks (such as new behaviors, tools, services or offerings)? How has cybersecurity been included in those changes?
  2. Have our access controls for internal employees changed (such as pausing quarterly revalidation of access)? How are we regulating that and reducing that risk?
  3. Have our access controls for external partners changed (such as providing more access and integration with our system)? How are we monitoring that?
  4. Have our external partners changed access controls on their side (such as suppliers, offshore contractors, outsourcers or other partners allowing employees to work from home)? How are we evaluating and managing any new technological, contractual, policy or other subsequent risks? Have we taken actions (such as segregating our network) for partners whose security environment has changed?

Ask about trust
  1. How do we become, or continue to be, the trusted provider in our business, industry, space and products?

On the final question, Leibowitz insisted that trust is a key differentiator. “Today, people have things they need to do in a different way, so they’re choosing among providers. And their question is, ‘Which providers do I trust?’”

Use scenario planning The key to successful adaptation is a strategy for candid enterprise risk management. That strategy should be informed by detailed and tailored scenario planning which incorporates cybersecurity as an enterprise-wide risk.

By using cybersecurity scenarios, boards can also ground conversations in the organization’s unique business model and technology infrastructure. “Being able to handle a range of scenarios, being reliable in terms of the products and services that you are committed to deliver in a way that engenders trust in all your constituencies – that’s an incredibly important consideration particularly for people in board seats,” Leibowitz said.

Then, businesses must be prepared to track their results and adapt those scenarios as needed. “Everybody has learned recently that this is about agility and adaptability. So, how do you think about the data points and indicators that actually help you measure that agility or adaptability? I think you have to be incredibly careful about the data you use and how you think about the results. It’s not just quantifiable information or qualitative information,” Leibowitz said. “You collect a whole set of data points to support good decision making, and there is going to be no single data point or set of data points that will give you all the answers.”

Lee agreed that “organizations have their hands full with managing cybersecurity risk in this new normal, so it will take a concerted effort to do that while preparing for an entirely new business environment on the horizon.”


Atlanta Johnny LeeJohnny Lee
Principal and Forensic Technology Practice Leader
T +1 404 704 0144