Good morning,
Like the SEC, Steve Schmidt, chief security officer at Amazon, doesn’t think that all corporate boards need to have a director with deep cyber expertise.
The former FBI section chief, who also spent 15 years at AWS, believes that rather than understanding how a security plan works on a technical level the way a CISO does, it’s more important that leaders know how to examine the thinking that went into it.
“The world of espionage has changed from an implementation perspective over time, but the goals have remained the same since the Middle Ages,” Schmidt explains. That means that even though board members may not have tech chops, they can still be “asking the right questions.”
Does a company’s plan demonstrate that security leaders are trying to predict their adversary’s next move—not just today, but several years out? Does it show an understanding of a bad actor’s psychology, their tolerance for risk, and how their comfort level might change over time or in response to world events?
“One of the reasons that [Amazon is] as good as we are at security is because security reports to the CEO and reports to the board regularly,” he says. Amazon’s board also has its own committee dedicated to security.
For leaders to think about how robust their cybersecurity preparation is, Schmidt suggests that boards ask CISOs these questions:
Who owns security? The correct answer, in Schmidt’s view, is business line and division leaders who report to the CEO. If they aren’t invested in the safety of their department’s data, their staff won't see security as their top responsibility.
What kind of visibility do we have over all of our property? Adversaries are always looking for entry points into corporate systems, yet many companies do not have a catalog of their entire collection of data and hardware, including employee devices, servers, and software. Without that information, they can’t see where doors have been left unlocked and won’t know what to do when a breach occurs.
Boards also ought to ask how often said catalog is updated and how the security team is alerted when something has changed. “It’s often those little changes that occur over time that give adversaries opportunities,” Schmidt warns.
Who has access to what data? Why do they need it and for how long? Cyberattacks usually begin with someone stealing an employee’s identity, bribing an employee, or tricking them into handing over a password. Having legitimate credentials makes crimes easy to commit and difficult to detect, says Schmidt, so companies need to minimize each employee’s reach. He suggests boards ask their CISOs who can see what, why, and for how long, across the entire company. Also ask: How often are these parameters updated? At Amazon, the rule is that “you have access to no data,” says Schmidt, “unless it's required to do your job at that particular point in time.”
How do we rank our assets, such as client data or trade secrets, by importance? The answer doesn’t matter as much as the fact that companies do the evaluation. Ask: “What are the things that I really care about? Where are they located? How are they protected?”
How many layers of protection do we have? No single layer of defense is 100% dependable, says Schmidt. Boards need to ask their CISOs: “Do you have a secondary line of protection, and can you respond quickly to that failure? Are we testing all the layers? What are the results?”
How will we respond to an attack? Using simulation exercises, boards and management teams should design—and test—post-breach contingency plans tailored to each precious asset. “Plans which aren't tested decay over time,” says Schmidt. “The world changes around us and businesses evolve.”
Lila MacLellan
lila.maclellan@fortune.com
@lilamaclellan