Prepared by Evelyn D'An
Board Member, NACD Florida
President, D'An Financial Services
Cybersecurity: What Directors Need to Know
Nora Denzel, Ericsson director and board member of the NACD Northern California Chapter, moderated an active panel and audience discussion on cybersecurity in the boardroom, hosted by the NACD Florida Chapter. The panel consisted of leading chief information security officers (CISOs) from companies such as Lennar, Royal Caribbean, and AutoNation.
Cybersecurity Focus in 2018: What the CISOs Had to Say
Juan Gomez-Sanchez, CISO of Lennar Corporation, kicked off the discussion with what he believes will be a trend in 2018: shifting cybersecurity focus from defensive capabilities to offensive capabilities. Expect this to be a year of response. Directors should be asking “What are you not doing that you should be doing?” The key will be more transparency around these risks, along with the ability to prioritize them and understand how they are being funded.
Ken Athanasiou, vice president and CISO of AutoNation, believes identity and authentication management will be important in 2018, as both of these complex processes are a critical part of cybersecurity readiness. The authentication process in cybersecurity is considered one of the weakest links in computer security today. Authentication technologies such as biometrics, tokens, and others will elevate the ability to protect user credentials. Mr. Athanasiou explained that directors should understand “the current authentication process in place where it resides in the priority list.”
Renee Guttmann-Stark, former CISO of Royal Caribbean International, presented another perspective on a 2018 trend. According to Ms. Guttmann-Stark, personal accountability will be a focus, and breaches are increasingly going to be associated with individuals. For example, Uber’s chief security officer was recently fired after a massive data breach cover-up. Ms. Guttmann-Stark also commented on crisis communication and the need to classify the various types of incidents companies are going to see. As a director, which critical items should be shared with you? In the case of Equifax, directors were not made aware of the data breach until three weeks after the initial hacking.