Cybergovernance and the Role of the Board: An Interview with Kaiser Permanente’s George DeCesare

Cybersecurity in a Fractured World

This is the third in a series of articles and interviews on the subject of improving cyberresilience—the ability of companies, organizations, and institutions to prepare for, respond to, and recover from cyberattacks. The series grows out of The Boston Consulting Group’s work with the World Economic Forum on this topic. We spoke with George DeCesare, senior vice president and chief technology risk officer of Kaiser Permanente, to discuss the roles of boards of directors (as well as top management) in cybersecurity and cybergovernance. DeCesare was part of the World Economic Forum working group that developed a set of cyber principles and tools expressly for boards of directors.

What are the biggest challenges in trying to get a board to adopt the kind of cybergovernance principles and tools that you helped the World Economic Forum develop in 2016?

The first challenge is encouraging a board to think comprehensively about risk modeling, appetite, and tolerance. Cyberrisk should be established as an important category within that framework. Lots of organizations talk about risk tolerance or appetite from the perspective of more common business risks, such as strategic or financial risk; however, risks introduced through technology are typically more difficult to incorporate into traditional risk frameworks. Companies should broaden the discussion—and use a common language when they talk about all types of risk.

The second challenge is identifying accountability. Who’s accountable for managing cyberrisk? It’s still a relatively new phenomenon, so accountability is not clear in a lot of organizations. Typically, if you have somebody who’s already an accountable officer, it’s the CIO. But it could be someone else. Then the question becomes: How do you segment more specific accountability—who’s responsible for which aspects of cyberrisk?

Talk about how you convey that first point—the common language. What are the metrics that board members can assess? What constitutes progress when it comes to security posture?

It’s a journey and, like many company journeys, it starts with evaluating your capabilities. A reasonable first step is to adopt a common security framework. Within that framework, you assess your current state, build your capabilities, and measure your maturity level and progress. Then, using a common risk language, you discuss your organization’s risk areas, including cyber, and what the organization is willing to do about these risks. Which risks is an organization willing to address through investment and action, which risks make sense to accept, and finally, what residual risk remains and what is the organization going to do about it? What level of risk are you willing to maintain as part of your ongoing risk profile and management? The goal is a target maturity level that you’re comfortable with and that is right for the organization. Once all this is done, the organization should set clear and measurable goals that get you to the level of maturity that you determine is appropriate.

How do you measure risk in your organization? Is it based on self-assessment?

It can be measured in a couple of ways. The first involves a continuous self-assessment of where you stand, based on what you’re building and what your capabilities are as you progress in maturing your capabilities. You need to make certain you’re doing the right things, and, of course, you need to adjust course if you’re not. Managing cyberrisk is a dynamic process.

You should also have an independent party assess the company’s current capabilities—that’s the second part. So, using a common framework such as ISO [International Organization for Standardization], NIST [National Institute of Standards and Technology], or HITRUST, which is more specific to the health care industry, you have a third party come in and determine where you currently stand when it comes to cyberrisk. Then you can look at whether your self-assessment matches the third party’s assessment, always in the context of what level of risk management maturity you need to reach.

This process of risk reduction is an important topic for a board from an oversight perspective. One good cadence of cyberrisk reporting to a board is as follows. At the beginning of the year, you tell the board, here’s where we’re at, here’s what we’re planning on doing, and here’s where we want to get to on our maturity scale. This, of course, is dependent on having determined what level of risk the organization is willing to accept. At the end of the year, using both the self-assessment and the third-party evaluation, you report on what you did, what you accomplished, and how far you actually moved the bar.

Within this context of establishing—and moving toward—a risk maturity profile, how do you position cyber? Is it one of many risks, or do you position cyber as a unique or distinct risk?

I think it’s the former, which is to say that it’s part of a portfolio of high-priority business risks, and it should be treated as a business risk, not a separate type of concern. You are trying to instill that common language of risk through all the various aspects of risk management. Cyberrisk is like any other significant business risk—it could impact your strategy, it could impact your finances, it could impact many of the same things that other types of risk impact. It can be much easier to translate cyberrisk into the more traditional risk discussion than attempt to establish a distinct and separate language for it.

How do you find that common language you have been talking about? How do you make cyber a comfortable topic, especially when the CISO probably has a technical background and board members’ backgrounds are nontechnical?

From my perspective, you talk about business risk. Not the technical controls, solutions, and so forth. Those are integral parts of it, but the discussion is really about business risk mitigation—where we stand, what we’re doing about it—because that’s really what the board members are most interested in. You don’t talk about server space or what we need to do for a particular application. Those are keep-the-lights-on things—purely operational. You keep the conversation at a level that ties into the overall risk portfolio of the organization, which is what’s important for corporate oversight.

It’s great to have boards onboard, but there’s also basic hygiene for organizations when it comes to cyberawareness. Where and how do you begin to assess cyberawareness organizationally?

There are a couple of recommended practices. Creating a cyberawareness program is the start. Such a program should not only educate the workforce on appropriate cyberhygiene practices, policies, and the like, it should also communicate cyberrisk management maturity. I have seen many instances where organizations invest heavily in cybersecurity protections, and the workforce knows nothing about it.

I can’t emphasize the importance of educational programs enough. Most health care organizations go through compliance training. They should include cybersecurity and cyberprivacy components in their compliance training, as well as some training focused on other cyberrisk areas, such as phishing, because those areas pose significant risks to organizations. Constant education and constant reminders are important. Being very clear about what an employee should do in those types of circumstances is key to modifying risky behaviors.

The second practice is testing. A good example of this is conducting internal phishing campaigns. But keep in mind that the devil is in the details of those test results. Behaviors don’t necessarily change because training content has been provided. Therefore, the data from the results of such tests becomes very valuable in changing risky behavior. Human risk—both accidental and malicious—is one of the biggest risk categories when it comes to cybersecurity. Are your employees aware of what is the right thing to do in various circumstances, such as what to do with that phishing email? Another good practice is conducting surveys, which can be very helpful assessment tools.

Let’s talk about the interaction between business risk and cyberrisk, especially in the context of your company’s integrated-care—payer and provider—model. Is the technology risk different because of the integrated-care model?

In terms of patients—for example, the security of their data or the security of communication between health care facilities and the devices they might wear or carry—the integrated model is a positive because we are their carrier and provider; one company behind one firewall. But still, across health care, all organizations have some need to share secure data. What all health care organizations need to keep in mind is that it’s not just what you do within your own company to protect against cyberrisk; you also need to hold any outside organizations with which you share data to high security standards.

I recently had the opportunity to participate in the US Department of Health and Human Services Cybersecurity Task Force. In that task force meeting, there was a lengthy discussion about a “cybersecurity poverty line” and the fact that 75% of the health care industry is believed to be below that poverty line when it comes to investing in cyberprotection. That’s where managing third-party risk—such as suppliers, contractors, and trading partners—becomes key.

So one of the difficulties, and this goes back to risk, is having a conversation about cybersecurity and cybertechnology budgets in a way that’s informed. For organizations that are trying to get above this poverty line, trying to increase their budgets, how do you frame the conversation?

The first thing is, don’t frame the conversation around security capabilities. Security capabilities are usually top of mind only when there’s been a recent big breach in the news. Like we’ve been talking about, it’s really an issue of risk reduction. Executives understand the value of risk, they understand the impact on the organization, and they understand that there’s a likelihood that things can happen because they’ve seen them happen elsewhere. How do we mitigate certain risks that we know we have in our environment? That requires a clear understanding of the risks—and determining the right processes and technologies is an outcome. And yes, there is a cost to reaching those outcomes and mitigating those identified risks in accordance with the organization’s risk posture, but not addressing those risks has its own financial impact.