Topics:   Audit and Risk,Cybersecurity,Strategy,Technology

September 25, 2018

Four Critical Questions on Cybersecurity for 2019 Planning

Believe it or not, it’s almost 2019—and that means it’s time to develop strategy and processes for the coming year. As your board begins this important process, how are your plans incorporating cybersecurity, including existing and emerging cyber-risks?

As your board begins planning and budgeting for 2019, how are you incorporating third-party risk alongside your own? Four important questions can provide a valuable roadmap for cyber risk oversight:

1. What is our current internal security performance? Security ratings provide key performance indicators on a company’s security operations, thus providing board members transparency and visibility into an organization’s security posture. To effectively understand the impact of security programs and communicate changes to key decision-makers, companies need tools that provide a quantified, comparative view of cybersecurity performance over time. A clear picture of a company’s security posture helps boards assess the effectiveness of the internal security and risk programs already in place.

2. How does our security performance compare to industry peers? While other corporate functions have embraced benchmarking as a way to compare performance, risk and security teams are often left in the dark. Traditional tools for network security are unable to compare security performance against industry averages and peers. By looking at a company’s cybersecurity performance in relation to peers and actionable high-level security performance metrics, organizations have been able to clearly demonstrate program improvements and advocate for increased cybersecurity resources. Security ratings serve as an actionable metric that allows your organization to communicate security progress and key indicators more effectively.

3. How are we managing third-party risk? It’s important for boards to prioritize third-party, or vendor, risk within their organization. Given that last year 56 percent of companies were affected by a third-party data breach, this is becoming absolutely critical. Businesses can partner with hundreds or even thousands of vendors that they engage with almost daily. If those companies possess sensitive information, it’s critical that their networks are readied for potential attacks as well. This is because hackers are now attacking larger organizations through these smaller vendors. They know that other, smaller organizations may not have the bandwidth to guard against these bad actors.

This trend truly highlights the importance of continuously monitoring your vendors. Tools such as my company’s Security Ratings help organizations do just this every single day, assisting them in building and adjusting their vendor risk management program at the speed and growth of their business. Overall, understanding third-party risk in a real, quantifiable way helps organizations keep their network safe. Boards should expect to receive regular updates from security teams about the security performance of their critical vendors.

4. How effective is our security spending? As the year comes to a close, board members should thoughtfully consider budgeting for security in the year ahead. While it’s great to end the last quarter of the business year on a strong note, it’s even more critical for businesses to set internal teams up for success when returning to work in January. One of the best ways to accomplish this is to be strategic about the extra budget the organization possesses in Q4, asking: How can my organization be mindful about spending extra funds to benefit our security program going forward?

Security and risk professionals must identify, quantify, and mitigate risk across their organization and ecosystem. A primary way to do this is with security ratings, which support their security program and their vendor risk program by helping assess both internal and third-party security performance, as mentioned above.

Your board is more involved in cybersecurity strategy and planning than ever before. Ensure that your company is setting off on the best footing for 2019 by applying these principles to your next board meeting and feeling greater peace of mind that your company can weather whatever comes in the year ahead.