CMU to help board directors on cybersecurity
Joins effort with Tom Ridge on risk management
Carnegie Mellon University’s Software Engineering Institute is teaming up with former Pennsylvania Gov. Tom Ridge’s consulting firm and a professional organization to help boards of directors manage their cybersecurity risk responsibilities.
The three organizations will start offering a 20-hour, online cyber-risk oversight course for directors Dec. 1. Directors can take the course — which includes four hours of simulated response to a cybersecurity breach as well as a 40-50 question test — at their own pace, given their demanding schedules.
The course was developed after the National Association of Corporate Directors surveyed its members and found only 14 percent felt their boards had a high level of understanding regarding cybersecurity risks.
“We think this is a full board issue,” said Peter Gleason, president of the association, which provides professional development programs for directors.
“There’s basically a need in the marketplace,” he said. “It [cybersecurity breaches] seems to be happening with more regularity and in more areas.”
Mr. Ridge, who is a director at the Hershey Co. and other firms, said boards occasionally have one or two directors who are familiar with cybersecurity issues, but said that is not enough.
“Everybody should have knowledge of the kinds of risks that exist and the seriousness of a risk that is dynamic and permanent,” said Mr. Ridge, whose Washington, D.C., firm counsels companies on assessing and managing risk.
The growing list of high-profile cybersecurity breaches includes the U.S. Office of Personnel Management, where hackers accessed personal information on as many as 25 million federal workers, and Anthem, where the personal information of up to 80 million of the health insurer’s patients and employees was compromised. On the local front, five Chinese nationals were indicted in 2014 for hacking into the computer systems of U.S. Steel, Alcoa, Allegheny Technologies, Westinghouse Electric and the United Steelworkers union.
“From a business point of view — whether you’re a big company or a small one, publicly traded or not — it is not just a problem. It is a huge, permanent business risk,” Mr. Ridge said.
NACD said more than 70 people have expressed an interest in the course. The organization declined to reveal the cost of the program, saying that will vary depending on several factors, including NACD membership.
The CERT division of CMU’s Software Engineering Institute is developing the curriculum for the course in conjunction with the directors’ group, Mr. Gleason said.
Summer Fowler, CERT’s technical director for risk and resilience, said the course will cover an overview of cybersecurity risks, how to manage them, the responsibilities of directors, and what questions to ask personnel responsible for managing the security of information technology systems.
The curriculum will not focus on the technology involved as much as on the responsibilities of directors in preventing and responding to cybersecurity events.
“For the most part, the audience is beginners in cybersecurity,” Ms. Fowler said.
After completing the program, directors will receive a certificate in cybersecurity oversight from CMU. Given the school’s reputation as a cybersecurity expert, “That’s a pretty big deal,” Mr. Ridge said.