How did you create your oganisational cybersecurity road map? Is it aimed to comply with mandatory regulations or was it tailored to our IT architecture?
While existing frameworks- such as NIST, ISO, GDPR and others- help improve an organisation’s cybersecurity, they are not enough. The Board of Directors needs to embrace a fact-based, data driven and mathematical approach. They need to understand the risks posed to the organisation, the probability of those risks being exploited and the potential business impact if an attack were to be executed. Armed with data, numbers and facts, the board will be able to grasp the dollar value of each threat, the business impact of a possible cyber breach and where their resources need to be invested for the most cost-effective solution.
Once the road map is in place, how do you measure the efficiency and relevancy of the security controls that are already in place?
With attack surfaces increasing exponentially and the rapid pace of changes in the internal and external threat landscapes, cybersecurity assessments must be conducted on a continuous, ongoing basis. The board needs to ensure that the organisation is validating it’s security controls, based on real attack behaviors rather than simulations. They must ask whether their cybersecurity investment can withstand new and emerging threat scenarios and attack vectors and whether management has made strategic updates based on recent incidents at other companies.
How do you react to constantly changing threats in the market?
Having a robust cybersecurity road map is crucial, but the ability to pivot quickly, based on the external threat landscape, is equally important. Organisations must ensure that their short-term plans are agile enough to enable them to react to new and emerging threats and changes in the market. Every time an organisation does an assessment, they should be gaining complete visibility into internal and external threats, while adjusting their mitigation plans and recommendations accordingly.
In the case of a breach, do we have a war plan for D-Day?
On cyber breach occurs, it is too late to develop a mitigation plan. How organisations react to a cyber breach is a key aspect in determining its impact.
When managing an incident, they must consider:
- Crisis management. The strategic plan that requires working with management, PR, legal and customer management in order to communicate and manage decisions.
- Incident response. The technical plan, including digital forensics, that ensures effective mitigation of incidents with minimal damage to business operations or the company’s bottom line.
The board needs to ensure that there is an incident response team that is addressing both business and security aspects of a crisis by mitigating the attack and conducting a thorough and timely investigation.
How do you quantify the risk?
Organisations need to compare the potential dollar value loss to the cost to mitigate the risks. All businesses want to optimize their cybersecurity investments. The first step in doing so is by quantifying business risks- not only technical ones.
Like other business-related issues discussed at the board level- such as go-to-market, manpower and cash flow- the board must also make it a priority to discuss cybersecurity advice, as they often do with other crucial business issues. If the board continues to ask the right questions, not inly will their cyber literacy improve, their partnership and dialogue between IT and the board will improve as well.