While an executive or board member has every right to ask about a company's cybersecurity posture, the problem is that CIOs generally do not have the metrics necessary to answer the most cutting inquiries, namely: "Are we spending enough on cybersecurity?" or "Do we have a reasonable cybersecurity program in place?"
Astute CIOs understand that the quality of a cybersecurity program cannot be accurately measured simply by dollars spent. Sure, everyone would like a larger budget to buy some more widgets or hire new engineers but ultimately the quality of a cybersecurity program is best measured by its effectiveness, not its dollar outlay.
More frustratingly, no real consensus exists on what makes a cybersecurity program "effective." Any company can take a "snapshot" of its cybersecurity program and say how it is performing on a given day, but that is a poor substitute for determining the program's ongoing effectiveness.
Most problematic for the Board and C-suite is the fact that such snapshots stand little chance of serving as compelling evidence that a cybersecurity program was "adequate" or "reasonable" once the lawsuits start rolling in after a cyber-attack.
So where should companies turn to establish the reasonableness or adequacy of their cybersecurity programs? Interestingly, companies should turn to the Department of Homeland Security's SAFETY Act process.
The SAFETY Act was entrusted to the Department of Homeland Security (DHS) as a way to determine whether security technologies - including cybersecurity products, policies and procedures - would be helpful in deterring, defeating, mitigating or otherwise responding to serious physical or cyber-attacks.
Some readers are probably familiar with the SAFETY Act thanks to the unmatched liability protections it offers. Specifically, companies making or using SAFETY Act-approved items can enjoy limits on tort damages or even immunity from such claims.
The DHS review of the cybersecurity product or program is key - if a CIO puts her program through this process, she can forcefully argue that the cybersecurity program is, in fact, "reasonable". Here is why:
- The DHS review is thorough. By law, it must involve a comprehensive review to determine whether the product or policy actually deters, defeats or mitigates cyber-attacks.
- Further, DHS will not grant an award unless it is provided evidence demonstrating that the company is capable of reliably implementing its cybersecurity program. Practically speaking, that means companies will have to show that the employees involved in the cybersecurity program are properly educated, trained and supervised.
- Companies will also have to demonstrate that the cybersecurity program is regularly reviewed and updated, and that any problems with it are quickly resolved.
Consider how powerful all of that would be when arguing to a board of directors that a company's cybersecurity policies are "reasonable" or adequate. It is hard to say that the policies are inadequate if DHS has seen fit to grant a SAFETY Act award covering those same policies.
Keep in mind as well the flexibility offered by the SAFETY Act. For instance, in order to obtain SAFETY Act protections, the product, process or policy does NOT have to be 100% effective. Rather, it simply has to have a high level of effectiveness and utility against a cyber-attack.
Similarly, the product or process does NOT have to be designed exclusively for cybersecurity purposes - so long as there is a cybersecurity application, SAFETY Act protections can be obtained.
Remember too that ANY company can apply for SAFETY Act protections, including foreign companies and companies that have products, policies, or procedures only they use (e.g., internal security policies that will only be used by the company that created them).
Finally, do not forget that companies benefit merely by purchasing and using SAFETY Act-approved items. Consider, for example, FireEye: it has SAFETY Act protections for its multi-vector detection engines and cloud intelligence platforms. Any company that buys those products or services will be eligible to receive applicable SAFETY Act protections under Federal law, and will also be able to argue that it made a good cybersecurity investment choice. After all, the products had been affirmatively vetted by DHS.
The same arguments could be used to push back against aggressive regulators. While the SAFETY Act does not relieve companies of any regulatory obligations, having successfully navigated the review process should provide strong evidence that a company's cybersecurity program was, in fact, appropriate or reasonable. Imagine how powerful that could be when the Federal Trade Commission comes in and argues that a company's cybersecurity policies or software security process was "unreasonable" or "inadequate"?
There are no "slam dunks" when it comes to cybersecurity, but there certainly are measures companies should strongly consider. The SAFETY Act is one of them. While the NIST Framework, SANS Top 20 controls and other programs certainly merit attention, only the SAFETY Act brings with it the legitimacy of a government review. If nothing else, a CIO should be prepared to answer why they have not chosen to go through the SAFETY Act process.
Brian Finch (@brianefinch) is a partner at Pillsbury Winthrop Shaw Pittman. He can be reached at email@example.com.