One of the key findings of PwC’s 2018 Global State of Information Security Survey is that managing cybersecurity risk and building cyber resilience requires the senior leaders who drive the business to take ownership. The survey also found that Board confidence in security measures is tied to the Board’s own participation in the company’s overall security strategy.
As cybercrime continues to grow, the Board of Directors has to take responsibility. Cybersecurity should be a standing agenda item at Board meetings: directors need to understand the cyber risks the organization faces and stay informed on a continual basis, because they will be held accountable should a breach occur.
So as a Board member, what should you be asking your Chief Information Security Officer (CISO) in order to gain that knowledge? Here is a list of ten questions you need answered, and why, to take on your cybersecurity roles and responsibilities.
#1. Do we fully understand cybersecurity threats and risks as they relate to our organization / institution and industry sector?
Cyberattacks are constantly evolving, and most experts expect them to keep getting more frequent and more sophisticated. It is important to stay up to date on the current threat environment and attack vectors: you need to know whether your organization or industry is being targeted, which assets and business processes an attacker would go after, and how the business would be affected if an attack succeeded.
#2. Do we base our cybersecurity program upon a widely accepted security framework?
When you are writing your policies and developing your program, having a framework to build on is very helpful; there is no need to reinvent the wheel. A number of excellent frameworks exist, including the ISO/IEC 27000 family of standards for information security management, the NIST Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), and COBIT for the governance and management of enterprise IT.
Frameworks guide you toward the processes your organization needs to have in place. From there you can determine what the risks are and what level of control you need to exercise over your information, your infrastructure, your relationships with third parties, your training, and so on. A framework lets you draw on the accumulated experience of the profession: a tested framework relieves the organization of worrying about what to do, so it can spend its time on exactly how to do it.
#3. Who on the Board or in Executive Management has cybersecurity expertise?
More and more we are seeing Boards with members who have a technology or security background. That expertise can significantly raise a Board’s awareness, and awareness at the top is where effective oversight begins.
#4. Have we aligned our business and cybersecurity strategies?
It is important that your organization’s cybersecurity strategy is “baked in” rather than “bolted on”, meaning that security is part of the conversation from the very beginning when strategic initiatives are formulated. Most of the resistance to security comes from the perception that it is a barrier to reaching goals: an imposition, a roadblock, a “no” that stops you from doing what you want and interrupts the business. That only happens when security functions are not integrated from the start, at the strategic and project levels, as part of core business activities. The later in a process security is considered, the more disruptive it is.
You also want a risk appetite statement guiding your decision making. A risk appetite statement identifies the types of risk your organization takes on and states how much of each type it is willing to accept. You may be very willing to take risks on innovation to increase revenue, such as a new product or service, or on acquisitions. That makes sense, but you do not want the same appetite for cybersecurity risk: when cyber risk is realized, it can disrupt the business completely. A clear appetite statement guides decision making so that practice stays aligned with strategy.
#5. Are we appropriately allocating resources, roles, and responsibilities?
Many IT professionals have had to assume security responsibilities over time, so they carry an operational role and are then required to take on a security role as well. It is difficult to fulfil both. As the need grows, security teams have to grow, and responsibilities need to be allocated so that opportunities for internal fraud are minimized. You need segregation of duties, independent review of activity around security functions, and dual control over the most sensitive functions.
#6. What is our level of participation in information sharing forums?
Where do you get your information about new and emerging threats? Are you getting the actionable intelligence you need in order to avoid a compromise on any given day? Sector information sharing forums, such as the ISACs, are one source. Careful planning, alignment with the organization’s strategic objectives, and well-managed execution of the threat intelligence sharing function make an organization better able to predict and avoid danger, respond to emerging threats, and thereby improve overall resilience.
#7. How do our threat intelligence activities inform our risk management decision making?
If you act on the threat intelligence coming in and track those actions, it will inform your risk management decision making. It helps you think about your strategic plans in terms of risk from a cybersecurity perspective, not just a financial one.
#8. How are we able to detect a cyber-attack?
Keep in mind that there is no single tool for this, and no such thing as 100% protection, so the ability to detect an attack in progress matters as much as preventing it. You need to know which systems you rely on for detection (endpoint, network, identity and application logs, for example), how they integrate with each other, and whether they can aggregate and correlate data across systems: an event that looks benign in one system can be the signal that matters once it is joined with an event from another.
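To make the cross-system point concrete, here is an added example (not code from the original article or from any product it mentions) that correlates two constructed log sources: VPN logins and directory changes. A VPN login from an unusual country and an addition to a privileged group are each routine on their own; joined by user within a short window they become an alert. The log formats, country list, action names and the 15-minute window are all assumptions made for the example.

```python
"""Cross-source correlation: an event that is unremarkable in one log
becomes an alert when joined with an event from another system."""
import shlex
from datetime import datetime, timedelta

# Constructed sample log lines for the example; the key=value layout is
# an assumption, not the format of any real VPN or directory product.
VPN_LOG = """\
2024-05-02T03:12:05Z vpn action=login user=alice src=203.0.113.7 country=RO
2024-05-02T08:01:11Z vpn action=login user=bob src=198.51.100.4 country=US
2024-05-02T09:30:00Z vpn action=login user=carol src=198.51.100.9 country=US
"""

DC_LOG = """\
2024-05-02T03:14:40Z dc action=group_add user=alice group="Domain Admins"
2024-05-02T08:05:00Z dc action=password_reset user=bob target=svc_backup
2024-05-02T11:45:00Z dc action=group_add user=carol group="Domain Admins"
"""

# Assumed policy: logins from these countries are expected; these
# directory actions are the ones worth correlating.
TRUSTED_COUNTRIES = {"US"}
SENSITIVE_ACTIONS = {"group_add", "password_reset"}


def parse_line(line):
    """Parse '<timestamp> <source> k=v k="quoted v" ...' into a dict."""
    ts, source, *pairs = shlex.split(line)  # shlex keeps quoted values whole
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["source"] = source
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def correlate(vpn_events, dc_events, window=timedelta(minutes=15)):
    """Flag sensitive directory changes that follow a VPN login from an
    untrusted country by the same user within `window`."""
    logins_by_user = {}
    for ev in vpn_events:
        if ev.get("action") == "login" and ev.get("country") not in TRUSTED_COUNTRIES:
            logins_by_user.setdefault(ev["user"], []).append(ev)

    alerts = []
    for ev in dc_events:
        if ev.get("action") not in SENSITIVE_ACTIONS:
            continue
        for login in logins_by_user.get(ev["user"], []):
            delta = ev["ts"] - login["ts"]
            if timedelta(0) <= delta <= window:  # change came after the login
                alerts.append({
                    "user": ev["user"],
                    "login_ts": login["ts"],
                    "action": ev["action"],
                    "delta_s": int(delta.total_seconds()),
                })
    return alerts


def run_example():
    """Correlate the two constructed logs; returns the list of alerts."""
    return correlate(parse_log(VPN_LOG), parse_log(DC_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(f"ALERT user={alert['user']} {alert['action']} "
              f"{alert['delta_s']}s after login from untrusted country")
```

Run on the constructed logs, only alice is flagged: her privileged group change came 155 seconds after a login from an untrusted country. Bob's password reset and Carol's group change, each a sensitive action on its own, are not flagged because neither is joined with a suspicious login. The same idea scales to a SIEM or data lake; the Board-level question is whether the organization's tooling can do this join at all.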
#9. Are we prepared to respond to a cyber-attack?
It is important to have the expertise, skill set and knowledge required to manage an incident end to end, and the skills needed are cross-functional: technical, legal, communications and business. Move beyond incident response into incident management. Preparation is imperative, and it requires time, money and people.
#10. How are we training / preparing our employees to play their cybersecurity role?
Everyone has a role to play in keeping the organization secure, and every employee needs to be aware of the risk picture, especially where technology is concerned. One of the best defenses a company can build is a workforce that understands the fundamentals of cybersecurity and can make everyday choices that support it.
These questions also serve as a guide for CISOs when presenting to the Board. If the Board is not asking for this information, make sure you are providing it anyway; they will thank you for it.
Get more tips for building a foundation of cybersecurity knowledge for your Board in How to Make Your Board of Directors Cyber Smart.