Ask your business, IT, and security managers the following questions to see where your enterprise stands:
- Do we know what is connected to our systems and networks?
- Do we know what’s running (or trying to run) on our systems and networks?
- Are we limiting and managing the number of people who have the administrative privileges to change, bypass, or override the security settings on our systems and networks?
- Do we have in place continuous processes backed by security technologies that would allow us to prevent most breaches, rapidly detect all that do succeed and minimise damage to our business and our customers?
- Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?
If they can’t say yes to all these questions, you may still be compliant with regulations, but your company’s data and customers are not safe. If you don’t ask these questions, your customers and shareholders will – or will ask soon!
Jane Holl Lute (Board of Directors of the Center for Internet Security)
We are currently seeing a lot of disconnect between the Executive Board (of companies) and Cybersecurity professionals who work for them. Although there has been a significant increase in Board Cybersecurity awareness, we believe they are still not sufficiently knowledgeable about Cybersecurity issues.
There is a further issue in that Cybersecurity professionals are struggling to articulate the problems in a language that the Board understands. Our view is supported by a recent survey by Harvey Nash, the recruitment firm, which found that, among C-level executives, 30% or fewer CEOs and COOs are well informed on Cybersecurity issues, and 20% or fewer CFOs and CMOs are well informed.
In a series of blogs, we will aim to address these issues, starting with the first part of the problem - raising Board level awareness on Cybersecurity. The series will:
- provide Executive Level awareness of what the Boards of companies need to be thinking about around Cybersecurity;
- speak the language of the Board;
- be short and easily digestible papers, which will allow Executives to build up their Cybersecurity knowledge bit by bit;
- educate Executives on the key things they need to know so they can ask the right questions of their Information Security Teams;
- draw on real life examples and case studies.
The four areas we will cover are:
1. Cybersecurity 101. What are the key things you, as an Executive, need to know? We will cover Risk Management basics; the different threats to your organisation – and how to mitigate them; the most common attacks; what the attack surface of your organisation looks like; and the most common vulnerabilities. We will also provide a go-to glossary of common cybersecurity terms and jargon.
2. Making your organisation more robust. What are the main areas you should be asking your Information Security or IT team about? Here we will break down the different areas of best practice Cybersecurity defence, which will allow you to ask the right questions of your IS team and to dig below the surface so you are satisfied that you are on top of what is going on. We will cover the following topics (amongst others):
- Home and Mobile Working
- User Education and Awareness
- Incident Management
- Information Risk Management Regime
- Managing User Privileges
- Removable Media Controls
- Secure Configuration
- Malware Protection and Anti-Virus
- Network Security
- Third Party Supplier Management
3. Cybersecurity Macro Trends. Once you understand the basics and have ensured your Information Security team have a robust plan, you then need to think about the future. There is a lot of change currently happening within the Cybersecurity industry, and it is important that you (a) have a strategy, and (b) ensure this strategy is aligned with your overall business strategy. You therefore need to be aware of some of the trends that are underway, to ensure your cyber strategy incorporates these macro trends and remains relevant. As part of this section, we will look at the following trends:
- Shortage of talent
- The possibility of a future Cyber fatality
- Increased regulation (GDPR) and compliance overload
- Industrialisation of the most common attacks
- Expansion of the attack surface
- The Internet of Things
- Breaches - Not if, but when
- Possible cybersecurity scenarios
4. The future. Linked to the previous section, we will look even further into the future and discuss what the future holds for the cybersecurity industry. We will look at some of the technology advancements underway, including Artificial Intelligence, and what impact they will have on Cybersecurity defences and attackers. We will discuss the potential cyber arms race between governments and corporations, and the hacking community, and how you can take advantage of the advances in technology to improve your Cybersecurity defences and to save money.
We hope you have enjoyed reading this and look forward to our next blog in the Cybersecurity for Busy Executives series.