Cyber Risk and Digital Management in the Boardroom, with Larry Clinton
Appropriate response to modern threats.
For any board operating in the 21st century, cybersecurity is a key aspect of risk management. We’re examining the needs that today’s boardroom has, as well as what the future of cybersecurity holds, as we welcome Larry Clinton to the show.
Larry Clinton literally wrote the book – books, actually – on cyber risk management for corporate boards, namely the Cyber Risk Handbook, now available on 4 continents and in 5 languages.
The Cyber Risk Handbooks were written in collaboration with organizations from around the world, including the National Association of Corporate Directors, the European Conference of Directors Associations, and the Japanese Federation of Businesses, and have been endorsed by the US DHS and DOJ, the German Federal Office of Information Security, the Organization of American States, and others.
PwC has independently assessed the effectiveness of the Cyber Risk Handbooks and found that organizations that use them generate higher cybersecurity budgets, practice better risk management, have closer alignment between cybersecurity and overall organizational goals, and develop a stronger culture of security.
Mr. Clinton is also the principal author of the Cyber Security Social Contract, whose public policy recommendations have been endorsed by the House GOP Task Force on Cyber Security, President Obama’s Executive Order 13636 on Cybersecurity, and the recently released bipartisan Solarium Commission on Cybersecurity and National Defense.
Mr. Clinton teaches a course in cybersecurity at the Wharton School, has testified before Congress on many occasions, has briefed the NATO Cyber Risk Center of Excellence in Estonia, and has been featured on virtually all major media outlets, from Fox News to NPR to WSJ to CBS to all the major cable outlets, including MTV in India.
In today’s episode, Larry shares his extensive expertise on the subject of appropriately identifying and managing cybersecurity risks. As this subject becomes more and more imperative to consider, you won’t want to miss this episode of Boardroom Bound.
Alexander Lowery (00:00):
Boardroom Bound, episode 117: Cyber Risk and Digital Management in the Boardroom with Larry Clinton.
New Speaker (00:34):
Hello and welcome to this episode of Boardroom Bound. My name is Alexander Lowery, and this is the podcast dedicated to intentional leadership in the boardroom. My goal is to give aspiring and existing directors the tips, tactics, and strategies necessary to transform your confidence and build a successful career as a board director. Quick reminder: you can get all of today’s show notes at podcast.gordon.edu. In today’s show, we’re speaking with Larry Clinton, who is the president and CEO of the Internet Security Alliance. So today we’re talking all about cyber: cyber risks, cyber risk management. Don’t let your eyes glaze over. We do not go into the detail that makes smoke come out of your ears and makes you want to take a nap. Larry is able to break this down into very simple, actionable steps, because everyone who is a board member, no matter whether it’s for-profit or nonprofit, large or small organization, public or private, all of us need to be worried about cyber, and frankly, as individuals as well. So Larry gives us a very easy way to understand what’s going on and a cheat sheet of the five principles that we need to take as directors and be able to manage for the organizations we work with. Let’s jump into the show.
Larry Clinton, welcome to the Boardroom Bound podcast.
Larry Clinton (01:50):
It’s my pleasure.
Well, I’m excited to have you with us today, because board members all hear a lot about cyber today. We know there are risks. We know that there are things going on that we should know. Some of my colleagues around the boardroom table totally get cyber; others have an iPhone, and that’s the extent of it. And there’s a range everywhere in between. So you are someone who, I would just sort of consider, you’re testifying in front of Congress, you’re giving all the right information. You literally wrote the book on this for the boardroom to understand cyber. You have the thought leadership, the policy advocacy, developing best practices around it. You’re the right person to educate us on it, but you didn’t become that expert overnight. It took a long time for you to get there. Can you give us a sense of your career background and experience?
Sure. I actually started as an academic. I was teaching interpersonal communication and business communication at the University of Illinois. A fellow faculty member decided to run for Congress, and he asked me to be his campaign manager, and that sounded like fun. And we had no expectation of winning, but, to make a long story short, then I came to Washington, DC, where I spent about six years working on Capitol Hill. And since my background was in communication, I worked for the Telecommunications and Finance Subcommittee under the direction of the fellow who was chairman of that. And that was in the 1990s. And we worked a lot on the rewrite of the 1996 Telecommunications Act, which was the first act of Congress that ever mentioned the word internet. So that’s where I got into internet stuff; it was really more on the policy side than the tech side, which is where most people in this space come from. So I worked for a number of years in the telephone industry. I was a lobbyist, and then I was a trade association executive, and then finally in 2002 I was offered the job to come over to the Internet Security Alliance, and I did, which is where I’ve been for the last 18 years.
Now, as president and CEO of this organization, which does so much education and raising awareness, I imagine, as I put my boardroom hat on here, you’re the kind of person that I’d be calling on more and more every day now. But when did that start? Right, so you’ve been with the organization about 18 years. At what point did you see boards really go, “Oh, we need Larry’s expertise”?
Not right away. So when I first started with the ISA, it was just after 9/11. And so really the focus of cybersecurity was on the governmental side. If you can remember back in those days, everybody was scared to death. We didn’t know when the next terrorist attack was going to occur. We didn’t know how it was going to occur. I mean, the fact that they attacked the airlines with airplanes was an enormous surprise to everybody. And so I was just part of a group that was put together in industry to begin to look at where the new risks were that we were seeing. And this, as I said, was just at the dawn of the digital age. So it wasn’t until really the late nineties that the internet became available and useful in the corporate world.
And so we followed this really more as a national security issue back then, when we formed the Internet Security Alliance. So that’s in 2002, or actually formed in 2009; I was brought on as president in 2002. And it wasn’t until five or seven years later that we began to feel that we needed to get the boards of directors more involved in cybersecurity. Now, people had all been talking for a long time about how we need to get the boards involved in cybersecurity, but mostly those were IT people. And what they meant was, we need to teach the boards more about IT. And well, yeah, I’m sure there was that aspect to it also, but what we found was that while the boards were very interested in learning about it, their eyes would glaze over really pretty quickly. And we really weren’t making very much progress in terms of getting them involved. It wasn’t until we decided that instead of trying to teach the language of the IT world, what we needed to do was learn their language.
And so what we decided to do was to recast this whole idea, not as an IT issue, but as an enterprise-wide risk management issue. And we decided to try to embed cybersecurity within the sorts of issues that the boards did want to talk about. When boards want to talk, they want to talk about innovation, they want to talk about strategic partnerships. They want to talk about mergers and acquisitions. They want to talk about new products, supply lines, and the like. And so what we decided to do was to link up with the best people who we could find in that area, and that was the National Association of Corporate Directors. And so we decided to approach them and suggest a handbook that would approach the board at the board level and speak board language, embedding cybersecurity. And so we began working with them in 2012; we published our first handbook in 2014. And it’s been a great success ever since.
And I should just put this into context, and I’m going to date myself a little bit here, but I remember growing up and there was what would now seem like a bad old movie with a young Matthew Broderick called WarGames, where he’s using the computers, and he’s kind of hacking into NORAD and you think missiles are being fired. And you sort of made this point before: originally this was viewed as government stuff. We’re worried about Russia and the Americans and how we’re hacking each other. And we’re seeing that playing out in the news with the Iranian centrifuges blowing up and things like that. So I think we can wrap our heads around that, but for many people, it might be a bit of a stretch to think about how the boardroom is going to be in that same sort of situation and worry about it.
Now, in my prior roles at JP Morgan, you’re talking about one of the biggest, most important banks in the world, too big to fail. Literally we could not afford for that to ever happen. And what JP Morgan did, they spend over a hundred million dollars a year on cyber. They built three state-of-the-art facilities to follow the sun around the world, so New York, London, Hong Kong, 24/7, there are people in there, because banks are being tested, if not penetrated, on a daily basis. Now, smaller banks can’t compete like that, but other businesses have to worry about this too. If you are a big name, say a Procter & Gamble, or pick any company in the world, people would love to have the valuable data that you have, and maybe do malicious things. Is this how you get boards to conceptualize, “Hey, this is really important for you,” is to break it down to that level? If not, how do you go about sort of opening their eyes to it?
Well, no, you’re exactly right. I mean, you have to speak in language that your audience is going to understand. So if you go to a board, as many people did for many years and still do in some of the less sophisticated places, not the JP Morgans and organizations like that, a lot of people will come to them and they’ll talk about, you know, ISO standards and these frameworks and, you know, how to do patch management, et cetera. And it just doesn’t resonate. So what we found was that, as I said, you needed to speak in terms that a board cares about. And then you needed to embed cybersecurity within that. And the tipping point, if you will, is when they begin to realize that actually cybersecurity is important in almost everything they do.
So we’ve now emerged to the point where virtually every business decision that a board addresses, be it a merger or an acquisition, a strategic partnership, innovation, whatever, has an important cybersecurity component in it. And so you need to address cybersecurity, not as a technical issue, but as a strategic risk management issue, and boards are used to strategy and enterprise-wide perspectives on things. And so by enveloping it within those contexts, yeah, you can do it. We’re at the stage now where the notion of being attacked is no longer an unusual notion. You mentioned that, you know, virtually all companies are being probed; unfortunately, every company at this stage has been successfully breached. When I go out and do presentations, I don’t use the moniker
“it’s not if, it’s when.” It’s that there are two kinds of companies: those companies that know they’ve been successfully compromised, and those companies that don’t know that they’ve been successfully compromised. But if you have valuable data, and virtually any organization is going to have valuable data, you don’t have to have the most valuable data, just valuable data, then you are a likely target for attack. And moreover, it’s likely that you’re going to be penetrated, because the systems that we use are vulnerable; they’re inherently vulnerable. They were built vulnerable. The internet is an open system, meaning that when they designed it, they designed it to be available to everybody. It was back in the kumbaya days, sixties and seventies, free love, free fees, free speech, free information. You know, the end of it: information should be free. So that’s how they designed the system.
So it’s inherently vulnerable, and it’s getting more and more vulnerable all the time. All these wonderful little items that we have, our smartphones and our tablets and the internet of things, AI, all these things dramatically increase the vulnerability of the system. So it is almost impossible to keep your system from being hacked, which is why we have largely had to educate the boards that you need to do more than just perimeter security. You need to be managing on a risk management basis. And actually it turns out that we have more control over the hackers once they’re inside our system than when they’re outside our system. And so the new model of cybersecurity is not perimeter defense, keep the bad guys out; it’s manage the attack once it occurs, which is an entirely different thing. As I say, boards are used to managing risk.
They just need to be educated as to how to manage this particular risk. They need to be aware of it. And then they need to be given the principles with which they can work with management so that they can oversee management’s efforts to manage risks. The board does not do cyber risk management; management does cyber risk management, but the boards have to work with management in order to make this an enterprise-wide, sustainable effort. So that’s an entirely different level of understanding that the boards, in my experience, are just beginning to get to. Leading boards are beginning to understand that this is a much more sophisticated problem, and they’re beginning to evolve new mechanisms to work with their management team in order to resolve it on an ongoing basis.
And Larry, let’s make sure we explain this fully for our audience, even if it’s in a simplified way, because I think we can all imagine someone sitting, I don’t know, maybe in Eastern Europe or somewhere like that, in a dark room, doing some coding, trying to find a server that wasn’t patched and connect in that way. But it’s not just about the technology and the boxes. It’s about the human being. So one of, I would assume, the greatest weaknesses is the staff and the employees who might be stressed and under duress and not realize what’s happening and accidentally click on a link in an email and let someone in. So it’s the human beings we’re also trying to manage. So I’m assuming you’re working with the organizations, not just making sure you have the right IT, but building the systems and the processes in place with your human beings.
Absolutely. Yeah. So, excuse me, the number one vector of attack is the human beings. It’s not so much that the technology is bad. Technology is actually pretty amazing, but people don’t know how to use the technology. And it’s not just, you’re right, lazy staff, et cetera, but there are also compromised staff. By that I mean that we are now well aware that the criminal elements will seek out employees and bribe them, pay bounties, in order to assist them in making attacks work within the system. So you have ill-trained employees, you have lazy employees, you have corrupted employees, and you have angry employees. One of the greatest vectors for a cyber attack is the disaffected employee, particularly the disaffected IT employee who can leave a back door into their system so that once they have been terminated, for example, unless you’re very, very careful about cleaning up after them, they can come back and cause tremendous damage.
So yeah, what we’re now working with boards on is to understand that this is not an IT problem and that the management of cyber risks should not be located in the IT department. What we’re advocating is that cyber risk needs to be managed by an enterprise-wide risk management team, not led by IT; it should be led by an executive who has an enterprise-wide perspective, a chief risk officer or chief operating officer, a chief financial officer perhaps, who manages a team that goes across, so that the human resources people, who are critical to managing cyber risk, are at the table with the IT people and the finance people. And frankly, with the public relations people, because if you get attacked, from a board perspective, the potential reputational risk is a massive element of your cyber risk. And so you need to have the enterprise-wide table involved, including even the public relations people, which would, of course, also include the legal people and the compliance people, et cetera. So when we say it’s an enterprise-wide problem, certainly human resources is involved, but so is everybody else.
That makes sense. And every board member is one bad news story away from being a public official if you’re one of those companies that gets hacked. And, you know, Larry, I imagine for a lot of our audience, we can sit here listening to this going, “Oh, I get JP Morgan or Coca-Cola or Deloitte, or these big companies that are international in scope, have tons of employees, that are big brands and reputations. We get that they should be spending on cyber and they’re open to attack.” But it’s not just them. So we have people listening who are on private, maybe smaller company boards, family held, where people are on nonprofit boards; anybody is vulnerable, right? And you might argue that maybe some of these smaller, the nonprofit ones, are the most vulnerable, because they don’t have some of the ability to spend like a hundred million a year like JP Morgan does, or don’t have the enterprise-wide organization set up in some ways, and organizations know they can get into them, which lets them get to somewhere else. How do you advise more of the up-and-coming, whether a startup or just a smaller operation, to try and deal with this sort of complexity?
Well, you’re absolutely right. The smaller firms are just as vulnerable and arguably more vulnerable, because they do have fewer resources to expend on cyber risk management. So yeah, it’s a major problem. And a lot of the cybersecurity problem revolves around economics. And so what we would advise is, first of all, smaller organizations need to be aware that they are vulnerable to attack and that they are worthy of being attacked. If you have any valuable data, you’re subject to attack. And the attacks now tend to be, and very often are, automated. So they’re attacking everybody at the same time. And so, you know, if you’re a small company or a large company, you probably get hit with pretty much the same sort of automated attack.
And if you are in a situation where your network is more vulnerable because you haven’t spent the time and money to help protect it, you’re going to be compromised. So the first thing that we advise smaller companies to do is that they need to have a cybersecurity framework. And at this stage you can really outsource that fairly easily. You can link up with some of the major cloud providers. There are all sorts of different cloud providers. There are all sorts of managed security services, and you need to fold that into business operations. You think of that the way, in the old days, you used to think about, you know, having locks on your doors and, you know, security people walking around your plants. This is your base security investment. And you need to be following the core hygiene of cybersecurity. You need to be associated with any one of the major frameworks and have your people work with them to make sure that you’re following NIST or ISO or whatever; most organizations use a combination of different ones. So yeah, you need to do the basics. You need to outsource where need be, and then you need to make sure that you are following through on all of these things.
Now, Larry, I imagine for a lot of people listening, tech and cyber and IT are not their bailiwick, and if you want to put it into someone’s mindset, I imagine most people think about digital transformation and they get how the world has moved online, and we have to have an app version and we need to have the better website and we need to do that. And I kinda imagine some of our audience coming, what’s the chicken and egg here? Do I have to get all of my cyber ducks in a row first before I do the other stuff, to make sure we’re okay, or do we just recognize digital’s going to be leading the way and the cyber will be catching up to it? If you’re a board member trying to make sure the organization is headed in the right direction with the right priorities, how would you advise around this sort of pulling back and forth?
Well, you’re absolutely right. I mean, virtually every enterprise that wants to work in the digital age needs to be aware of and be embracing some sort of digital transformation, and you need to realize that cyber is part of your enterprise growth strategy. So yes, you need to involve this within the entire process. I mean, we like to say that cyber is the same sort of issue as legal and finance. There’s not a single business decision you make without considering the legal aspects of it, without considering the financial aspects of it. In the 21st century, there’s not a single major business decision that you would make that doesn’t have a cybersecurity aspect to it: hiring personnel, developing strategic partnerships, putting in your public relations strategy, whatever. All of these things are going to have an element of cyber risk.
And you need to blend that in. Now, the best thing I would think that a startup or a small company would do would be to go to the National Association of Corporate Directors website and download their Cyber Risk Handbook. The Cyber Risk Handbook is written for board members. It is not a technical document. It is easily understandable, in plain English, and outlines five core principles that every organization, large or small, should and can follow. Those principles: number one, as we’ve already discussed, you have to understand that this is not an IT issue. This is an enterprise-wide risk management issue. Second, you need to understand what your unique legal obligations are; most are changing. So you need to kind of stay on top of those. You need to have outside counsel to help you monitor that, but every board needs to understand, what are my unique legal obligations?
Third, you need to be able to assure that you have access to adequate cybersecurity expertise. Now, maybe you can have that from your staff. Maybe you need to outsource that with any one of the major providers, but finding someone who can help counsel you on your cybersecurity is important. You need adequate outside representation. The fourth and fifth principles are not for the board alone; they are about how the board should relate to management. So the fourth principle is that management needs to bring to your board a cybersecurity framework. And we mean that in two senses. The first sense is the sense that we’ve already talked about. You need to know how your data is being used. You need an IT security framework; there are any number of major frameworks that are available. They’re available open source, not a problem; your IT people should be very comfortable with that. But the second framework is a little bit more difficult.
You need to have a structural management cyber risk framework. That is, you need to have a team of people, as I described before, who are managing this risk on an enterprise-wide basis. And then finally, the fifth principle is that boards need to insist that management bring to them a comprehensive cyber risk analysis. Where are your crown jewels? What data can you afford to lose, and how much? What is the cost of all the potential threats that you are seeing? And you need to be able to map this in an economic, empirical framework, the same way you would with financial risk or environmental risk. You need to be able to do the same with cyber risk. What risks can you accept as a company? What risks do you not want to accept? So maybe you want to work in China.
Maybe you don’t want to work in China. What risks are there that you can mitigate? There’s somewhat of a risk, but I can buy it down with technology. What risks can you accept? Can you transfer the risk, maybe with an insurance policy? And finally, what risk are you willing to take as a board? What is the cost of a likely attack? How can I mitigate that back down to my risk appetite? Now, there are fairly simple procedures that any sophisticated board, and it can be a small board, a sophisticated board can go through. The Cyber Risk Handbook outlines these all in very understandable terms, so that any legitimate business should be able to do a cyber risk assessment that fits in with at least due diligence with respect to their business operations.
Yeah, that didn’t sound very tech or geeky at all. It sounded like something we can all digest and understand. And I guess that’s why it’s available on four continents and in five different languages.
Also, I should mention it is, you know, in the big cybersecurity world, the only set of best practices that has ever been independently assessed and found to work from a security perspective are the principles in the NACD-ISA Cyber Risk Handbook. Pricewaterhouse, which had nothing to do with creating them, actually has done research and found that organizations that follow those five principles have higher cybersecurity budgets, better cybersecurity risk management, culture, alignment of cybersecurity with their business goals, better budgeting, and are better able to create a culture of security within their organization. And if there were one thing that I was going to leave you with today, it would be that that is what a board wants to do, because the board is in charge of culture. They set the tone from the top. And if you can establish a culture of security within your organization, that is going to go a long way towards being able to have a sustainably secure program, notwithstanding what kind of new attack vector comes out of the digital world. That’s the most important thing.
Well, there you have it: easy, actionable advice that all of us can implement, which is great. And Larry, I know this won’t be your last book, because you’re working on your next one, right? What is the next one going to be about?
Well, we’re currently developing two books right now. The next book is really a public policy book. And as I mentioned at the outset, ISA really started more focused on public policy than enterprise policy. But this is called the Cybersecurity Social Contract, wherein we argue essentially that, well, first of all, just to state the obvious, we are losing the battle to secure cyberspace, and we’re losing it big. The World Economic Forum reports that we are currently losing 2 trillion, with a T, trillion dollars a year to cybercrime. All of our infrastructures are terribly vulnerable and totally dependent on these cyber systems. So we have a major problem, but we haven’t changed our cybersecurity approach here in the United States for 30 years. Meanwhile, our Chinese friends have developed a very sophisticated strategic program of digitalization called the Digital Silk Road.
As we look at the competitive world from a public policy point of view, we have a lot of catching up to do to the Chinese with respect to how they are pursuing their digital agenda. So we present that problem in this book. And then we talk about how we would like to see our government engage much more closely with industry in a social contract, so that we change the current modality that we have with government. The current modality is that government kind of sees itself as the parent and industry as the unruly child that they need to discipline. That’s the wrong approach with cybersecurity. All the stuff you hear from the SEC and from some members of Congress, et cetera, you know, trying to blame industry because they suffer is misplaced. We need to be behaving with each other much more like a good marriage than a parent-child relationship.
The reality is that the criminals and the nation-states are part of the criminals stealing personal data, stealing corporate intellectual property, and stealing national secrets. So this isn’t like Enron and WorldCom. And in this particular fight, we’re all on the same side. The bad guys are attacking individuals, companies, and the federal government. We need to be working together. We need to develop that social contract that uses market forces, not regulatory forces, to enhance an ever-growing sentiment of cybersecurity. And we have a number of very specific proposals. We’ve got sector by sector by sector, talking about how we need to change the economics of the digital age, so that we can have a more productive and growing economy that will be competitive with our adversaries who are attacking us all the time. It’s not just the Chinese, it’s the Iranians, it’s the North Koreans.
It’s a lot of state-affiliated people, certainly the Russians. So we’re under constant cyber attack, and we need to fundamentally change that model. So that’s what the first book is about. The second book is an attempt to take those changes away from the public policy arena and focus back on the enterprise arena. And in that book, what we have attempted to do is take the principles for boards of directors, which we developed with the National Association of Corporate Directors, and now we’re collaborating with the World Economic Forum to come up with a consensus group of these cyber principles, very similar to the ones I just mentioned a little while ago, and now we want to retarget these down from the board level to the management level. And so the next book will be sort of a business-oriented textbook, if you will, for how businesses at the managerial level should be taking those principles that were designed for the corporate board and implementing them at a managerial level.
So we will go through: how should the human resources department be relating to this? How should the finance department be relating to this? How should organizations be structuring themselves for the digital age? Because the reality is that most organizations are still structured in an industrial-age model. We have a legal department and the finance department and an IT department and a public relations department, et cetera, et cetera, et cetera, but in the digital world, all those things cut across. So we need to flatten out the organizational structure so that we can approach 21st-century issues on an enterprise-wide basis. So that’s what the second book will deal with.
Well, Larry, this has been eye-opening, I think perhaps a wake-up call for some of us, but for the rest, really just a playbook for how we can proceed and be more knowledgeable about this and working in our organization. So we’re delighted to have you on the show today, and thank you for sharing your insights and helping all of us to be boardroom bound.
It’s my pleasure. I really appreciate the opportunity.
That’s it for this episode of Boardroom Bound. I really enjoyed chatting with Larry Clinton. Larry literally wrote the book, well, actually books, plural, on cyber risk management for corporate boards. Think about the Cyber Risk Handbook that we talked about today, and that’s available on four continents and in five languages. I’ve never found someone who could distill this down more simply for us into what we need to know and understand clearly. That’s why he’s testifying before Congress.
Everybody can follow what Larry’s got. If you head over to podcast.gordon.edu, you will find links to what we talked about today, like that Cyber Risk Handbook. Please know that the Boardroom Bound team and I are so proud to be your go-to podcast for all things that connect, prepare, and empower you to land a board seat. Be sure to subscribe to this podcast. Don’t miss any of the high-quality content we bring to you every Wednesday. Thanks for joining me today. I can’t wait to share more stories and strategy from brilliant business minds with you again next week. Remember to keep tuning in to be boardroom bound.