Ask your business, IT, and security managers the following questions to see where your enterprise stands:
Do we know what is connected to our systems and networks?
Do we know what’s running (or trying to run) on our systems and networks?
Are we limiting and managing the number of people who have the administrative privileges to change, bypass, or override the security settings on our systems and networks?
Do we have in place continuous processes backed by security technologies that would allow us to prevent most breaches, rapidly detect all that do succeed and minimise damage to our business and our customers?
Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?
If they can’t say yes to all these questions, you may still be compliant with regulations, but your company’s data and customers are not safe. If you don’t ask these questions, your customers and shareholders will – or will ask soon!
Jane Holl Lute (Board of Directors of the Center for Internet Security)
We are currently seeing a lot of disconnect between the Executive Board (of companies) and Cybersecurity professionals who work for them. Although there has been a significant increase in Board Cybersecurity awareness, we believe they are still not sufficiently knowledgeable about Cybersecurity issues.
There is a further issue in that Cybersecurity professionals are struggling to articulate the problems in a language that the Board understand. Our view is supported by a recent survey by Harvey Nash, the recruitment firm, who found that of C-Level execs, 30% or less CEOs and COOs are well informed on Cybersecurity issues, and 20% or less CFOs and CMOs are well informed.
In a series of blogs, we will aim to address these issues, starting with the first part of the problem – raising Board level awareness on Cybersecurity which will
provide Executive Level awareness on what the Boards of companies need to be thinking about around Cybersecurity.
speak the language of the board
be a short and easily digestible paper, which will allow Executives to build up their Cybersecurity knowledge bit by bit.
educate Executives the key things they need to know so they can ask the right questions of their Information Security Teams.
drawing on real life examples and case studies.
The four areas we will cover are:
1. Cybersecurity 101. What are the key things, as an Executive, you need to know. We will cover Risk Management basics; what are the different threats to your organisation – and how to mitigate them; what are the most common attacks; what does the attack surface of your organisation look like, and what are the most common vulnerabilities. We will also provide a go-to glossary of common cybersecurity terms and jargon.
2. Making your organisation more robust. What are the main areas you should be asking your Information Security or IT team about. Here we will break down the different areas of best practice Cybersecurity defence, which will allow you to ask the right questions of your IS team, and also allow you to dig below the surface to ensure you are satisfied that you are on top of what is going on. We will cover the following topics (amongst others):
Patching
Home and Mobile Working
User Education and Awareness
Incident Management
Information Risk Management Regime
Managing User Privileges
Removable Media Controls
Monitoring
Secure Configuration
Malware Protection and Anti-Virus
Network Security
Third Party Supplier Management
3. Cybersecurity Macro Trends. Once you understand the basics and have ensured your Information Security team have a robust plan, you then need to think about the future. There is a lot of change currently happening within the Cybersecurity industry and it is important that you (a) have a strategy; and (b) this strategy is aligned with your overall business strategy. You therefore need to be aware of some of the trends that are underway, to ensure your cyber strategy is incorporating these macro trends, and it is relevant. As part of this section, we will look at the following trends:
Shortage of talent
The possibility of a future Cyber fatality
Increased regulation (GDPR) and compliance overload
Industrialisation of the most common attacks
Expansion of the attack surface
The Internet of Things
Breaches – Not if, but when
Possible cybersecurity scenarios
4. The future. Linked to the previous section, we will look even further into the future and discuss what the future holds for the cybersecurity industry. We will look at some of the technology advancements underway, including Artificial Intelligence, and what impact they will have on Cybersecurity defences and attackers. We will discuss the potential cyber arms race between governments and corporations, and the hacking community, and how you can take advantage of the advances in technology to improve your Cybersecurity defences and to save money.
We hope you have enjoyed reading this and look forward to our next blog in the Cybersecurity for Busy Executives series.