The Cybersecurity BLT: Board Literacy Training


Today’s Menu: The “Cybersecurity BLT” (Board Literacy Training)

While typically thought of as a seasonal menu item, one could argue that the BLT (Board Literacy Training) should be served at every credit union and CUSO year-round. To enable effective strategic planning and risk management at the top level, a solid understanding of the existing threat landscape and the risk it poses to business operations is a requirement.

A key challenge for many organizations is that most awareness and training materials available today focus on end-user behavior and system administration. While both are extremely important, an understanding from a GRC (governance, risk, and compliance) perspective is needed to ensure a balanced approach between security posture and risk appetite.

Board-level cybersecurity training is perhaps best accomplished with a blend of internal and external resources, focused on industry-specific guidelines, and aligned with business objectives. Fortunately, the NCUA has provided an excellent starting point with the Letter to Boards of Directors and Chief Executive Officers, outlining the Board of Directors’ Engagement in Cybersecurity Oversight. Links to additional training resources are provided, as well as recommendations for the provision of recurring training at all levels of the organization.

Cybersecurity fundamentals

From a board’s perspective, it is important that the members understand the basics of cybersecurity. They are not required to become subject matter experts, but they should understand the language, terminology, and key concepts specific to the industry and markets they serve. Knowledge of the common types of attacks and the methods used can assist in the design and approval of the strategic technology plan and the resources required to best manage the risk. Board members do not need the depth of an administrator, but they should be able to grasp the fundamentals of information security and privacy principles as they apply to compliance requirements. This level of knowledge will enable board members to ask applicable questions and contribute to ongoing discussions on the topic.

The frequency of cyberattacks such as ransomware and phishing may have peaked or leveled off; however, the sophistication and business impact that result have grown exponentially, especially with the proliferation of tools such as artificial intelligence and distributed computing. As computer networks continue to become more integrated and complex in hybrid environments that include a mix of on-premises hardware and hosted or cloud solutions, boards need to be aware of evolving threats in order to make informed decisions about future investments in risk mitigation solutions.

A future-proof training program seeks to understand cybersecurity from both sides of the line of scrimmage. A strong defense requires knowledge of the opponent’s tools, tactics, and procedures. Fortunately (or unfortunately, if you were a former victim of an attack), we have access to a portion of the playbooks used by many of these groups.

The board’s role and responsibilities

Approving policy changes and strategic plans is only one element of the board’s role. There is a unique opportunity to drive the desired cybersecurity culture across the organization and engage staff at all levels by setting a clear cyber strategy and being visible as examples of the behavior they wish to create. Setting and communicating the desired security target state and risk appetite helps to avoid confusion and leverage efforts in awareness and training, as well as getting maximum value from investments made in the controls implemented to mitigate risk.

The board has a fiduciary responsibility to protect the credit union’s assets, including sensitive data, in addition to its reputation as a financial institution. Cybersecurity incidents can lead to significant losses, legal penalties, and reputational damage.

Referring back to the NCUA Letter, the board is responsible for overseeing management of the credit union, focusing on the following cybersecurity areas:

  • Third-party Due Diligence
  • Embedding Cybersecurity and Operational Resilience into the Organizational Culture
  • Providing Cybersecurity Resources
  • Vulnerability/Patch Management and Threat Intelligence
  • Auditing Function
  • Reporting
  • Protecting and Managing Backups
  • Membership Education

By focusing on these key areas, the board of directors can significantly improve the credit union’s cybersecurity posture and protect the interests of the members. This begins with the understanding that cybersecurity is not an IT function; it’s a critical component of any credit union’s overall governance and risk management strategy.

Developing a network of cybersecurity experts

In addition to internal and external training resources, it is important to develop and engage with a network of cybersecurity experts, both within the organization and across the industry. Intelligence sharing is key to remaining up to date on the current trends, tactics, and techniques used by bad actors and cyber groups. This is an area where being a cooperative and participating in CUSO networks can add significant value and help keep costs down, while at the same time encouraging collaboration and fostering open communication channels for the benefit of all parties.

Boards should challenge management on the adequacy of resources allocated to cybersecurity, both in technology and in skilled personnel. Too often, credit unions over-invest in technical controls and under-invest in the talent and skills of their staff. The few knowledgeable experts and teams are often forced to wear multiple hats, and are overworked and understaffed. Developing and maintaining a knowledgeable team that is prepared to respond to cyber threats is the heart of the information security program.

Bridging the language barrier between technology and governance

The body of knowledge relative to cybersecurity spans a large range of domains. While a general overview of concepts is necessary at the foundational level, understanding the technology deployed at the credit union, including extended network connections to key third parties and service providers, is needed to enable the board to dive deeper into the content that is most applicable to the organization.

Asking questions to seek understanding during the review of audit and examination results helps to demonstrate the desire to learn while providing feedback and identifying areas where additional training may be needed.

Participating in regular tabletop exercises with response teams is also an excellent opportunity to interact with teams who may not typically engage with executives at the top level. This also provides a perspective of what a response might look like during a business continuity or incident response scenario from the front line.

The language barrier bridge spans both directions. It’s just as important, if not more so, that the board of directors coach internal experts in how to communicate in a manner that is most helpful to the board.

Keeping the board current on the status of the cybersecurity program

The primary channel for communicating with the board is reporting. When creating reports for the board to review, it’s important that all of the key details are included, along with the organization’s interpretation of those details and the action items it is taking as a result. Cybersecurity is an area where transparency in reporting is vital. Communicating only what you perceive the board wants to read will inevitably omit key context and details that are necessary to obtain a clear picture of the credit union’s risk and security posture.

The cybersecurity threat landscape is continuously changing and does not follow formal cycles or schedules. Timeliness of information for the board is imperative for them to understand the business impact of cyber risk and to respond quickly and effectively when necessary.

Key areas for communicating program status include:

  • Information Security Risk Assessment and IT Audit Results
  • IT and Information Security Policy Changes
  • Security Incidents/Attacks
  • IT Strategic Planning
  • Vendor Management Reviews
  • Business Continuity and Incident Response Test Results
  • Cybersecurity Insurance Policy Coverage
  • Recommendations for changes to the Information Security Program

Strong cybersecurity is not just about compliance; it is a competitive advantage that yields trust with members and partners. It helps create the boundaries and guardrails within which the credit union can innovate and grow.

Promoting a cybersecurity-aware culture

The threat and associated risk of cyber attacks is not going away any time soon. The potential impact on business operations is documented regularly in daily news reports. Experts warn that it’s not a matter of if but when we will be the victim of an attack. How we will respond depends largely on how we have prepared.

Each board member has an obligation and opportunity to be a key driver in the success of the cybersecurity program. It starts with leading by example and demonstrating personal commitment. Challenging and supporting management to continuously improve their awareness and training programs is paramount, as case studies continue to identify social engineering as the primary point of initiation for more than 80% of all security breaches. Recurring training should be provided at all levels. As a cooperative, seek to leverage the investments by sharing the intelligence and knowledge gained with your network.

Cybersecurity should be understood by all

Here’s my challenge to you, the reader. Take this opportunity to assess the current cybersecurity competency of your board and design your own BLT program to improve their awareness of, and participation in, your credit union’s overall program. Invite them to become the role models for the corporate culture and security posture they want to see. There are several resources available to you to implement and maintain an effective training program. Start by reaching out to those in your CUSO network and ecosystem and make a difference starting today.
