The following post by SmartEdgeLaw Group attorney, Richard Santalesa, was originally published Oct. 27, 2015 at the International Association of Privacy Professionals’ Privacy Perspectives website.
Is this the Definitive Cybersecurity Guide?
While many companies come up short on their cybersecurity programs or ability to safeguard data privacy, one area where no gap exists is in the number of security guidance documents—from industry groups, federal regulators, consultants, law firms and others. The latest to join this crowd is the recently released, free 355-page Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers, a partnership effort between the New York Stock Exchange, Palo Alto Networks Inc., Georgia Tech, the Internet Security Alliance and the Security Roundtable.
The guide is available for free download in PDF, Kindle and EPub formats at SecurityRoundtable.org. But what does the hefty 355-page tome have to say that isn’t covered already elsewhere or in more “persuasive” regulatory guidance for privacy professionals?
Nine Sections, Forty-Six Chapters
For starters, there is a wealth of solid information, best practices, useful checklists and meaningful recommendations contained in the guide that any corporate director or officer would do well to absorb and implement. If they did, it would make our daily challenges as privacy professionals a great deal easier. Most chapters are short, running four to six pages. The introductory 40-page section could itself serve as a solid primer for corporate leadership, and it is both concise and specific enough to throw the fear of God into any reasonable board and C-level personnel on the importance of, and effort required for, solid cybersecurity.
The remaining sections focus on cyber risk’s importance to boards of directors; the risk posed to corporate structures by digital threats; best practices in designing threat-based approaches and breach prevention; the complexity of incident response issues; managing cybersecurity risks in supply chains and with third-party vendors (an increasingly important area for virtually every sector); notable legal and regulatory concerns; “investing” in cyber insurance and data security, and finally, the vital importance of employee education and clear internal communications on cyber risk matters.
While privacy doesn’t garner a leading role in the guide, it suffuses the entire contents, with at least one chapter focused primarily on privacy concerns (e.g., Chapter 15 – Securing Privacy and Profit in the Era of Hyperconnectivity and Big Data). But as any IAPP member knows, data security and privacy are ultimately joined solidly at the hip. Taken together, the sections strive to cover the topical segments that the leadership of any company, public or private, should address regarding cybersecurity matters.
While ostensibly directed toward “public” companies, given the NYSE’s orientation, the guide’s recommendations for effective privacy and data security measures don’t ultimately require an entity to be listed on an exchange and are as useful to privately held corporations as those whose stock is traded daily.
If your time commitments don’t lend themselves to a leisurely read of 300+ pages of material, start by carefully reviewing the table of contents and highlighting specific chapters within the sections of most interest. This isn’t a work designed to be read from start to finish, but rather one to be dipped into wherever expertise is needed in short order. It is well suited both to those advising a board of directors and to board members themselves.
Finally, a few small carps: The “definitive” moniker is hyperbole, unless sheer mass is your touchstone of definitiveness, since, like other NYSE-labeled guides, this one is more a collection of discrete topical opinions than a closely edited consensus of the field. That approach is perfectly valid, and the guide’s materials provide detailed and discerning insight on cybersecurity, and peripherally on privacy issues, from numerous highly skilled practitioners across the data and privacy spectrum. Still, one should understand the potential for a range of individual axes to be ground, and that the audience who will benefit most is one that is already experienced in the field.
An extremely well-versed colleague, a senior attorney at a major financial institution, reviewed the guide’s decision tree chart labeled, “How the New York Stock Exchange says companies should decide whether to disclose hacks,” drawing my attention to a branch answer labeled, “Really? Are you Sure?” quipping, tongue-in-cheek, it’s “nice to know that going public with a data breach (according to the NYSE) follows the same general protocol as my three-year-old telling me she wants to go on the Big Slide by herself.”
While every corporate risk posture is obviously unique, the lessons that can be learned from this free guide, and the actionable information it offers for all involved in the privacy and data security fields, mean you should have a copy on hand, whether on your Kindle, tablet, laptop, or, yes, even the printed copy on your shelf.