Trends, Regulation and Risk in the Cybersecurity Landscape

Edna Twumwaa Frimpong

Trends, Regulation and Risk in the Cybersecurity Landscape

Listen to Episode 93 on Spotify

Guest: Robert Silvers, Undersecretary of Policy for the U.S. Department of Homeland Security

Hosts: Dottie Schindlinger, Executive Director of the Diligent Institute, and Meghan Day, Vice President of Marketing for Diligent ESG & Data Intelligence

Summary:

In this episode of The Corporate Director Podcast, Robert Silvers, Undersecretary of Policy for the U.S. Department of Homeland Security discusses the Cyber Safety Review Board, the Cyber Incident Reporting Council, the biggest cybersecurity threats for businesses today and what companies can do to better prepare. 

In This Episode:

  1. Cybersecurity Oversight: Silvers discusses the Department of Homeland Security's role in cyber oversight. 
  2. The Cyber Safety Review Board: Silvers shares how the CRSB was founded, its goals and everyday functions. 
  3. Empowering Chief Information Security Officers:  Silvers advises directors on the importance of ensuring that CISOs are effective and empowered in today’s business climate.

Cybersecurity Oversight 

Silvers begins by giving some background on his role within the Department of Homeland Security (DHS): “Our organization is in charge of cybersecurity in addition to the border, a range of law enforcement functions, aviation security, responses to natural disasters and more. My office's job is to serve as the nerve center of this department. We look at the biggest security challenges and we do what we can to address them."

He continues on to share some trends on cybersecurity: “The last couple of years have been very significant in cybersecurity, from the SolarWinds incident to the shutdown of the Colonial Pipeline. Ransomware cases in the last year also heightened tensions around the Ukraine crisis and what breaches would mean for cybersecurity risk. Interestingly, last December, we discovered the biggest software vulnerability, something called Log4J, which virtually every company had somewhere in their environment. It's been a busy time, for network defenders, and I think it's safe to say that the risk landscape right now is as intensive as it's ever been."

"At the end of the day, neither the government  nor companies alone are fully prepared to take on this challenge. Companies own the infrastructure that is often under attack. It's their networks that are open to attacks like the Colonial Pipeline incident. That's privately owned infrastructure, but the impacts are on the whole nation." -  Robert SilversUndersecretary of Policy for the U.S. Department of Homeland Security

The Cyber Safety Review Board

Silvers shares the reason behind the formation of the Cyber Safety Review Board (CSRB): “In the world of aviation and transportation accidents, we have the National Transportation Safety Board (NTSB). So whenever there is a big accident, the NTSB comes in, gathers the facts and puts out a report detailing what happened and  recommendations to the community going forward to avoid a repeat of the incident. We've never had something like that for cybersecurity. So earlier this year, the Department of Homeland Security created  the CSRB, which I'm proud to chair."

He continues: “The CSRB derives half of its members from people who are considered to be leading cyber luminaries from the private sector and founders of the biggest cyber security companies, which includes some of the world's leading software security and engineering experts. We review significant incidents using an authoritative fact gathering process, and then we take away lessons learned and make recommendations to the broader community. Our first review as a board was a bit earlier this year. We reviewed that Log4J software vulnerability that I mentioned earlier, and that review in December 2021 kicked off one of the largest cyber incident responses in history because that software was  incorporated into tons of commercially available off-the-shelf software products that virtually every company in the United States uses.”

"The Cyber Safety Review Board is really focused on big, significant incidents that  capture national attention, so that we can make sure that all these incredible experts are benefitting the overall community." - Robert Silvers, Undersecretary of Policy for the U.S. Department of Homeland Security

Empowering Chief Information Security Officers

Silvers concludes with advice on how corporations can better empower their CISOs: “Many CISOs are not necessarily comfortable speaking with directors. They don't know if they can share their true feelings about the program or about what they need. They may have asked for more resources to accomplish their goals, and the CFO may have declined. As a director, you need to ask the right kinds of questions and give the CISO the space to share their real feelings about where the program stands and what they need.”

"As a necessity, organizations must properly resource information security programs. CISO and CSO burnout is a real thing. Information security teams are under a lot of stress. They are constantly investigating new potential incidents because they're too thinly resourced. They're negotiating with the business over what they can do." -Robert Silvers, Undersecretary of Policy for the U.S. Department of Homeland Security.

Also in this episode…

Silvers also discusses how boardrooms are likely to change over the next decade: “I think that as organizations get more and more connected, you're going to see cybersecurity creep up more as an issue that pervades virtually everything. Products that were never connected before are now connected to the internet. We see that boards themselves are receiving their confidential materials digitally and boards have to reckon with possible risk as a result."

Resources from this episode:

 

Edna Twumwaa Frimpong
Edna Frimpong is an experienced research analyst with a demonstrated history of working in the information technology and services industry. In her role with the Diligent Institute, Edna oversees and directs corporate governance research projects and partnerships internationally, outside the US. She joined Diligent Institute in 2021 after six years with CGLytics' -- a corporate governance analytics firm based in Amsterdam, The Netherlands, acquired by Diligent -- where she served as Head of Research for the EMEA region. Previously, Edna held research positions at firms including Sustainanalytics and Carnomise.' She received her Master's Degree in Finance and Law from the Duisenberg School of Finance in Amsterdam, and her Bachelor's Degree in Administration, Insurance and Risk Management from the University of Ghana.