Topics: Compliance, Cybersecurity, Risk Management, Technology
January 16, 2018
As a society, we must address cyber-risks from every angle: every technology or Internet user must be educated so they can better secure themselves. As business leaders, we bear this responsibility not only for ourselves, but also for our teams, colleagues, and organizations.
To help get you started, here are some questions I recommend you ask your head of security. I also highly recommend that, regardless of your role on the board, you get to know your security team. Help them understand how board-level oversight of risks works, and meet them with an open, inquisitive mind so they can educate you on security concerns and implications.
1. Does the security team have a full, well-informed view of the organization’s security posture?
One of the most fundamental challenges organizations face when it comes to security is getting full visibility of the technology assets being used across the organization and their associated risks.
You can’t defend something if you don’t know that you have it. Finding that one key weakness that provides the perfect opportunity for an attacker can be like finding a needle in a haystack.
It can also be challenging for security professionals to cut through the noise in the security industry to focus on the most relevant core threats. Doing so will enable them to focus their time, resources, and investments in areas that will have maximum impact for your organization.
Here are some additional questions you can ask:
2. Is our organization resilient to attack?
Companies are under attack daily, either from automated, internet-wide attacks, or from more targeted and determined attacks. It is important to ask your security team questions about the security measures they have in place to reduce the likelihood and impact of a breach. There is no such thing as a silver bullet or impenetrable force field that will perfectly protect your organization. The key is to ensure your organization is taking a multi-faceted, layered approach that leverages technology, people, processes, and policies together for maximum effect. Your security team should be focusing their limited resources on actions that most reduce the risk associated with the greatest threats to your organization.
Take this opportunity to have your head of security explain why they made the trade-offs they did, and how those decisions could impact the business. Make sure they are aligning their decision making with overall organizational goals, compliance requirements, and real technical risks.
3. Is the security team confident it can detect and respond quickly to security incidents?
According to the 2017 M-Trends report, it takes an average of 99 days for organizations to discover attackers in their networks. The longer an attack goes undiscovered, the greater the likely harm will be, so it is critical that your organization is able to detect and respond to security incidents quickly. Full visibility across all technical assets, properly stored and analyzed logs, and sufficient manpower to investigate alerts in a timely manner are all essential ingredients for quickly detecting security incidents.
A properly coordinated response will likely involve representatives across the business, so it is important that your board and security team understand what roles each department plays in a response.
Some relevant questions include:
Does the company have an incident response plan in place, with roles clearly defined and understood across the organization (including legal, finance, communications, IT, customer support/engagement etc.)? When was the last time the company ran an exercise to test its preparedness and response? Who is responsible for driving this initiative in the organization?
4. How do you measure the effectiveness of our cybersecurity program and initiatives?
Testing and verifying the effectiveness of your security program and initiatives is part of many industry cybersecurity compliance requirements. It is also a pragmatic measure that helps your organization understand where it needs to make investments, and how resilient it really is to attack. A key part of this review is engaging security professionals to penetrate the company’s infrastructure to test for vulnerabilities. This will help you understand the efficacy of your defenses, hopefully uncover the opportunities attackers may spot, and investigate the potential outcomes of an attack.
Some questions to ask your security team include:
5. Do political or financial considerations impact your ability to protect the organization effectively?
It’s the reality of every business that budgets and other resources are not limitless. Investment must be proportionate to the business growth and context. However, it is also worryingly easy to overlook financial or political constraints that can hamstring your security program. You do not want to become aware of fixable limits on the security program at the point that you are reeling from a security incident.
The challenges of internal politics may also hold your security program back and expose your business to unnecessary risk. Investigate the structure of your security organization, its reporting line, and its standing with key partner departments in the business such as IT, engineering, and legal.
Investigate any barriers that are limiting the effectiveness of the security program now, discuss them in an open environment with the organization’s leadership, and make informed decisions on how to move forward based on a realistic view of your organization’s risk tolerance and budget.
Security is complex, constantly evolving, and often unfortunately viewed as a drain on the business. Yet the benefit and necessity should be clear: having an effective and well-managed security program is key to minimizing risk and building resilience for your organization. Every part of the organization must play a role in this, and must understand the security priorities for the organization—and that responsibility extends to the boardroom.
Corey Thomas is CEO, president, and a member of the board of Rapid7.
Corey,
I really like the way you’ve laid this out. It starts out parallel to the NIST Cybersecurity Framework, where your first point is their “Identify”, your second point is their “Protect”, and your third point wraps together their “Detect” and “Respond”. You don’t explicitly mention their “Recover”, but recovery from cyber events has to be at least part of how we measure the effectiveness of a cybersecurity program.
I really like your last point, which provides a question I think most Boards and many executives are afraid to ask, probably because they are still in shock from the funding they just had to allocate to dealing with some cyber intrusion or event, and don’t want to hear about how that was just the tip of the iceberg. After years of systematically under-funding IT and Information Security, it catches up, and the accumulated technology debt has to be paid.
I’ve also recently seen some organizations and regulations adding “Reporting” as a 6th item on the list, where reporting cyber events to government agencies is required. For example, New York’s DFS 500 Cybersecurity Regulation requires notifications within 72 hours of discovery of the breach, and most organizations are poorly prepared to report that quickly.
Boards providing interest in Cyber Security invariably foster more executive attention to Cyber Security too, and sometimes it is long overdue.