Published on June 5th, 2019
Is your organization meeting the cybersecurity “Standard of Care”?
and board members are increasingly under the microscope when it comes to
managing cyber risk. The financial, legal, and regulatory impact that cyber
incidents can have upon organizations has transformed what was once an “IT
problem” into a whole-of-company challenge.
But in a world where cyber incidents and breaches have become so common
– even for the world’s more sophisticated, risk-focused organizations – how
should CEOs and board members think about managing this challenge? One idea
with legal and historical roots is for executives to focus on whether they are
meeting a “standard of care” when it comes to their organization’s
What is a Standard of Care for Cybersecurity?
A “standard of care” is a test used to describe the reasonableness of a
particular set of approaches to deal with a problem. When an organization’s
practices fall outside of the reasonable standards or approaches used in their
industry or sector, that is typically viewed as negligent behavior. A famous application
of the standard of care argument came in the early 1920s when a tugboat
operator was found negligent for failing to equip his boats with radios, which
were becoming more commonly used by others in the industry.
Applying this line of thinking to the cybersecurity context, executives
and board members should strive to implement reasonable approaches and
practices that are used by organizations within their particular industry or
But when it comes to cybersecurity, determining what others are doing has
always been a challenge. What’s reasonable? What’s best
practice? How are other organizations doing? Are they doing it better than we
The executive seeking to meet a “reasonable” level of
cybersecurity must therefore focus on obtaining high quality measurements and
metrics about peer- and sector-wide security performance. This focus on
benchmarking allows the executive to determine what the standard of care
within their sector or peer set truly is, and then whether or not the
organization is actually meeting its standard of care.
Understanding and Meeting the Cyber Standard of Care
of the standard of care as essentially a benchmark that is useful in measuring
your organization’s cybersecurity practices against industry peers, and using
that data to hold your organization accountable. The challenge in cyber is that
this is a dynamic benchmark to meet: adversaries are continuously evolving
approaches, IT infrastructure changes, and defenders constantly work to implement
new security approaches and practices to reduce risk. Executives should embrace
the fact that cyber is a dynamic risk and adopt approaches and programs that
recognize this dynamism rather than ignore it.
must begin by taking a comprehensive look at the security performance of
sectors and industries as a whole – and this starts with access to the right
data. Today, organizations have access to data and observations we can make
about security performance around the globe. Executives can embrace these
observations and create performance requirements around those observations.
In order to meet the demands of the constantly evolving cybersecurity landscape,
organizations should not only be prepared to continuously monitor and analyze
internal and external data, but they should also be able to respond to changes
in real time. Measuring data sets against the industry baseline helps
executives and business leaders triangulate precisely where their company
stands within the broader industry’s cyber performance
executives better understand their company’s performance against their peer
group – and thereby, the industry standard – they can then begin
developing goals that are aligned with the state of their industry. When
creating these goals, executives should examine and react to the key areas that
comprise their cybersecurity practices, such as:
practices: Hiring IT talent to manage cybersecurity is no longer enough. How
can your organization hire and retain the best cybersecurity talent?
of talent: Once you have your security team, is their time being used wisely?
How can you better distribute security resources?
culture: Security should be top of mind across your entire organization. Does
your company culture emphasize the importance of cyber vigilance from the top
down? Are employees properly trained to identify potential phishing attacks or
effectiveness: Why is my organization performing in the manner that it is? Do
we have the right technology in place? Personnel? Resources? How should we
change any of these elements to achieve a more optimal outcome?
- Tools and data: Cybersecurity technology is constantly evolving. Is your team equipped
with the latest tools and real-time continuous monitoring data to match the
increasing sophistication of cyber attacks?
these goals are in place, senior executives should work with the board of
directors to identify and execute on a strategy that helps the organization
meet – and maintain – alignment with the broader industry standard of care.
Rather than conduct an annual review of cybersecurity measures, the
organization should regularly assess and quantify progress against baseline
goals, as well as highlight any significant threats and events the company
identified during the period.
Approach to Oversight
who embrace the dynamic, ever-changing nature of cyber risk – and fashion
oversight programs around peer benchmarking and understanding the industry
standard of care – will place their organizations in better legal and
a legal perspective, being able to articulate your organization’s alignment
with adequate security performance may help establish a strong defense during a
breach incident. Perhaps more importantly, demonstrating strong cybersecurity
performance compared to peers and competitors can be seen as an important point
of differentiation in the market. As more organizations ask their customers to
show best practices in cybersecurity, those that can independently demonstrate
performance and exceed the efforts of peers and competitors may be in a better
position to win business and achieve long-term success.
Executives can begin today – by asking CIOs and CISOs the hard questions: How are we doing? How do we compare? And how do we measure it?
Tom Turner, CEO, BitSight