A Board Recipe for Minimizing Supply-Chain Cyber Loss
After attending corporate board meetings at approximately 85 different Fortune 500 organizations, listening to CEOs and CISOs discuss cyber risk in their supply chains, and then meeting with many of them personally, we came away with three primary takeaways. First, the main cybersecurity interest of most upper-level managers is in avoiding major negative consequences (i.e., Black Swans) to their firms. Second, over 90% of the corporate board members we have met with are either neutral about, or not confident in, their security program’s effectiveness. Finally, and of major concern to us, we observed that CISOs primarily tell their boards “anecdotes” or “stories,” and do not present boards with any substantive, specific direction for avoiding supply-chain cyber loss. We believe this is unfortunate because, based on a different set of experiences we have had, namely performing several thousand forensic studies (including about one thousand for the U.S. Secret Service, most with reports of about 100 pages or more), we believe corporate boards can take specific, reasoned actions and thereby significantly reduce their organization’s exposure to, and subsequent losses from, supply-chain cyber-attacks.