Cybersecurity for Busy Executives – Increasing Boardroom Awareness
Ask your business, IT, and security managers the following questions to see where your enterprise stands:
- Do we know what is connected to our systems and networks?
- Do we know what’s running (or trying to run) on our systems and networks?
- Are we limiting and managing the number of people who have the administrative privileges to change, bypass, or override the security settings on our systems and networks?
- Do we have in place continuous processes backed by security technologies that would allow us to prevent most breaches, rapidly detect all that do succeed and minimise damage to our business and our customers?
- Can you demonstrate all this to me, to our Board, and to our shareholders and customers today?
If they can’t say yes to all these questions, you may still be compliant with regulations, but your company’s data and customers are not safe. If you don’t ask these questions, your customers and shareholders will – or will ask soon!
Jane Holl Lute (Board of Directors of the Center for Internet Security)
We are currently seeing a lot of disconnect between the Executive Board (of companies) and Cybersecurity professionals who work for them. Although there has been a significant increase in Board Cybersecurity awareness, we believe they are still not sufficiently knowledgeable about Cybersecurity issues.
There is a further issue in that Cybersecurity professionals are struggling to articulate the problems in a language that the Board understands. Our view is supported by a recent survey by Harvey Nash, the recruitment firm, which found that among C-Level execs, 30% or fewer of CEOs and COOs are well informed on Cybersecurity issues, and 20% or fewer of CFOs and CMOs are well informed.
In a series of blogs, we will aim to address these issues, starting with the first part of the problem – raising Board level awareness on Cybersecurity which will
- provide Executive Level awareness on what the Boards of companies need to be thinking about around Cybersecurity.
- speak the language of the Board.
- be a short and easily digestible paper, which will allow Executives to build up their Cybersecurity knowledge bit by bit.
- educate Executives on the key things they need to know, so they can ask the right questions of their Information Security Teams.
- draw on real life examples and case studies.
The four areas we will cover are:
1. Cybersecurity 101. What are the key things, as an Executive, you need to know. We will cover Risk Management basics; what are the different threats to your organisation – and how to mitigate them; what are the most common attacks; what does the attack surface of your organisation look like, and what are the most common vulnerabilities. We will also provide a go-to glossary of common cybersecurity terms and jargon.
2. Making your organisation more robust. What are the main areas you should be asking your Information Security or IT team about. Here we will break down the different areas of best practice Cybersecurity defence, which will allow you to ask the right questions of your IS team, and also allow you to dig below the surface to ensure you are satisfied that you are on top of what is going on. We will cover the following topics (amongst others):
- Home and Mobile Working
- User Education and Awareness
- Incident Management
- Information Risk Management Regime
- Managing User Privileges
- Removable Media Controls
- Secure Configuration
- Malware Protection and Anti-Virus
- Network Security
- Third Party Supplier Management
3. Cybersecurity Macro Trends. Once you understand the basics and have ensured your Information Security team has a robust plan, you then need to think about the future. There is a lot of change currently happening within the Cybersecurity industry and it is important that you (a) have a strategy; and (b) ensure this strategy is aligned with your overall business strategy. You therefore need to be aware of some of the trends that are underway, to ensure your cyber strategy incorporates these macro trends and remains relevant. As part of this section, we will look at the following trends:
- Shortage of talent
- The possibility of a future Cyber fatality
- Increased regulation (GDPR) and compliance overload
- Industrialisation of the most common attacks
- Expansion of the attack surface
- The Internet of Things
- Breaches – Not if, but when
- Possible cybersecurity scenarios
4. The future. Linked to the previous section, we will look even further into the future and discuss what the future holds for the cybersecurity industry. We will look at some of the technology advancements underway, including Artificial Intelligence, and what impact they will have on Cybersecurity defences and attackers. We will discuss the potential cyber arms race between governments and corporations, and the hacking community, and how you can take advantage of the advances in technology to improve your Cybersecurity defences and to save money.
We hope you have enjoyed reading this and look forward to our next blog in the Cybersecurity for Busy Executives series.
“Cyber security, computer security or IT security is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Cyber security includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection. Also, due to malpractice by operators, whether intentional or accidental, IT security is susceptible to being tricked into deviating from secure procedures through various methods.
The field is of growing importance due to the increasing reliance on computer systems and the Internet, wireless networks such as Bluetooth and Wi-Fi, the growth of “smart” devices, including smartphones, televisions and tiny devices as part of the Internet of Things.”
Ok, so here we are with the second blog in your Executive (Cyber) education. Firstly, I need to make an apology. I made some grand statements in the last blog about providing practical advice. That will come, but before we get to that, it is important to understand some basic Cybersecurity terms, as these underpin everything else. Cybersecurity practitioners are a precise bunch – who can blame them, they have to be – so although practitioners need to be able to speak the same language as the Board, Executives can meet them halfway by understanding some of the key concepts and terms.
People are key to protecting your organisation, and they need to have the right level of understanding for them to be effective. The next few blogs will help raise your level of understanding.
It is not just about Technology…
We will start with some context and basic explanations on what cybersecurity really is. It is a common misconception that Cybersecurity is only about the technology that protects an organisation’s IT infrastructure, network, applications and devices (I will shorten these to IT Estate for ease) – and the data and information that they contain. Yes, that is a very important part of it. Cybersecurity, however, is a much wider concept. It is also about empowering the people who have access to an organisation’s IT Estate and data; the culture of an organisation; policies and processes/procedures; the governance of the organisation; and lastly physically protecting the organisation itself.
Let us delve a bit deeper into each one:
Cybersecurity can seem like a scary concept to non-practitioners, as it is assumed that it involves complicated technology that only expert developers and cyber professionals can understand. Whilst that is not entirely untrue, good Cybersecurity is no different to the smooth running of any other part of an organisation. There are complicated elements to it, as there are in a Finance Department, Strategy Department or on the production line of a car manufacturer, for example. However, like all parts of an organisation, there is a need for clear understanding and communications at the interface between general management and Cybersecurity practitioners, and effective governance (with underlying policies) should seek to do just this. Cybersecurity practitioners need to empower the people as well as enabling the Executive.
One of the reasons for a disconnect between the Board, Executives and cybersecurity practitioners is that practitioners can struggle to articulate cybersecurity, and its applicability in the context of the wider business, in a language that management understands. This is to be expected. Cybersecurity is a relatively new concept – the definition of cybersecurity only appeared on Wikipedia recently, and there is no seat on the board for the Chief Information Security Officer – but as it establishes itself further, I would expect this to change.
To make the whole concept easier for you to understand, we have built a diagram below which shows a highly simplified example of what your organisation’s IT estate might look like, and how Cybersecurity applies to that. As we go through this blog series, this will form the basis of how we describe the different concepts. We will be using a fictional company XYZ Ltd. The larger and more diversely technical an organisation, the more complicated this diagram can become, but it forms a good building block on which to explain the key concepts.
Most people’s understanding of cybersecurity is focussed on protecting the organisation itself and its customers’ interests, and people mistakenly believe good cybersecurity defence is simply building a wall around the organisation. When you consider that the diagram above is a simplistic representation of an organisation, and that in reality an organisation could have over 2,000 third party suppliers and possibly 100 offices, it becomes clear that organisations have multiple areas that hackers could target. The image above does help to give us a starting point, and we will add to this as we develop your knowledge.
So now, it is hopefully clearer that Cybersecurity is a much broader topic than people realise, and you now understand a little bit more about the different areas that are part of it. Next week, we will move on to talking about the different types of attackers who could be targeting your organisation. Until next time.