October 23, 2018
How well do you understand the cybersecurity risks of the company you govern? Liability questions loom large for corporate executives and directors alike, especially when reports of a new high-profile vulnerability or breach start popping up in the media. Yet, many corporate directors struggle with understanding how the technical aspects of cybersecurity translate to business outcomes.
Spend time with a company’s chief information security officer (CISO) or chief information officer (CIO) and you’ll probably get a laundry list of technical factors with specific metrics like the number of vulnerabilities present in the organization, how many unpatched systems exist, and how these numbers compare in different regions where the company operates.
While this information is useful, unless you understand the technology it will raise more questions than answers for you as a director. And, this kind of accounting doesn’t really answer the number one question every corporate director needs to ask about cybersecurity: Where are we exposed?
Why is this question so important? Because only by understanding the full scope of a company’s attack surface can you possibly help guide the business decisions that need to be made in the wake of an incident. So, how can you get the right answer to this question without having to wade through technical jargon?
Let’s look at two typical responses you may receive when you ask about where the company is exposed, and why these responses aren’t helpful to you in your role:
Security teams must truly look everywhere to ferret out all the vulnerabilities that exist. To accomplish this, they’ll need new tools specifically designed to sniff out new vulnerabilities as they appear in real time. This requires a strategic shift from deploying piecemeal security systems to embracing a holistic approach to discovery, reporting, and risk mitigation. By coming to terms with where your exposures are—or are likely to be—you reveal the larger picture of where the organization is most at risk, and what work needs to be done.
Only when a holistic cybersecurity strategy is in place can the organization’s security team give you the answer you need: “We have the ability to see our entire attack surface, including containers, web applications, servers and our industrial control systems. We are exposed to this vulnerability on 12% of our infrastructure. Our average time to address an issue of this magnitude is 18 days.”
The only way your security team can answer with this level of accuracy is to close the gaps in your security coverage and increase visibility. Every hidden corner of the company’s IT infrastructure must be illuminated and secured against threats. Only then can your security team produce reports which itemize specific vulnerabilities in cloud services and private cloud environments, on-premises data centers, containers, industrial control systems, points of sale, HVAC, devices connected to the Internet from aquariums to smart TVs in break rooms, and anything else not typically handled by the IT and security operations teams.
Your CISO should use that list to provide you with a high-level overview of the systems and users which are most at risk, so you can urge management to plan the company’s next steps accordingly. Anything less will leave your security teams trying to mitigate risk in the dark. And that’s simply too big a risk for any company.
Want to learn more about key cybersecurity risk indicators, and what they mean to your business? Read our report, “Managing Cyber Risk: The New Mandate from the Corner Office.”