Cybersecurity and the Board of Directors are two topics that, historically, have been unrelated; however, they are rapidly becoming highly relevant to each other. The Boards of Directors must take an active role in cybersecurity measures to ensure their organizations are prepared. In this blog, I will share five steps that Boards of Directors should take to reduce risks from cybersecurity incidents.
Traditional security paradigms and approaches have focused entirely on attempting to prevent security breaches, but this strategy is failing. The complexity of IT, increasing threat surfaces, and the growing sophistication of bad actors have led us to a reality where security breaches are inevitable. It is no longer a question of whether organizations will experience security-related incidents; it is a matter of when they will occur, how bad they will be, and how much negative effect they will have on the brand. The current landscape requires a transition of people, process, and technology focused on incident response. For this fundamental shift to happen quickly and effect real change, the Board must intervene and provide specific direction. There are five steps that will need to be taken for this to be effective.
Cybersecurity and the Board of Directors – 5 steps every board should be taking
1. Become More Knowledgeable
Traditionally, Boards of Directors have been comprised of business and finance leaders who act on behalf of the shareholders to shape and drive the company’s North Star strategy. Their efforts have focused primarily within the realm of business operations, go-to-market, financial investments, ethics, and corporate governance. Now, the board needs to become more knowledgeable about cybersecurity. Every board should consider either adding a member with first-hand security knowledge or begin to have regular security briefings from the Chief Information Security Officer (CISO).
2. Drive the Conversation
The board should now drive the conversation of security. Directors must begin to ask tough questions regarding preparedness for security breaches. Requiring regular cybersecurity updates and briefings from the CISO demonstrates the criticality of the topic and impact that it can have on shareholder value. To achieve desired risk reduction, security can no longer simply fall under the domain of IT.
3. Define Expectations
The board leads the way for driving the strategic agenda of the business, and Directors should be holding the business accountable for having an incident response framework. Executive leadership focuses time, energy, and budget allocation in alignment with the North Star strategy. When the board includes cybersecurity preparedness within its list of strategic initiatives, it will receive the attention it needs in today’s threat climate.
4. Allocate Resources and Budget
The question of whether to add new resources and allocate additional budget is always weighed in relation to the expected business outcome. Questions like, “what is the incremental cost?” and “what does the business gain from the investment?” must be considered. Relative to security, it has traditionally been difficult to quantify the value that the team has brought to the business. One area, which the board can help define, is whether the security strategy should be built around in-house resources, or if the business would prefer to leverage outsourced services from managed security providers. In addition to outsourced prevention and monitoring services, there is a growing trend in the industry toward incident response retainer services. Once the board has taken the time to understand the challenges better, demonstrated the strategic importance of cybersecurity, and allocated budget, executive leadership can operationalize the plan and deliver regular updates on progress.
5. Require an Audit of Incident Response Preparedness
Once resources have been allocated in the name of improved cybersecurity, the board needs to require third-party audits of the company’s incident response preparedness. In the same manner that regulatory compliance audits (such as HIPAA, SOX, GLB, etc.) measure an organization against its peers, and are held accountable against a benchmark of what a “reasonable organization” should have in place, every organization should be held accountable to having a defined incident response process.
Incident Response Preparedness
Incident response preparedness is a combination of people, process, and technology.
- People will always play a central role, and every organization must allocate resources with the specific responsibility of responding to security incidents.
- Process is the definition of what should happen and when. The process defines who is involved, who must be notified, how information should be escalated, which departments must be engaged and which technology tools are available to the team.
- Technology delivers the historical forensic data required to identify what happened and quickly return to normal.
Network Traffic Analytics
Scrutinizer from Plixer is a Network Traffic Analytics platform, which can be easily integrated into any organization’s network. It gathers flows and metadata from the existing infrastructure, collecting and storing details about every conversation on the network. When security incidents arise, Scrutinizer is the primary dashboard for incident response team members to quickly identify root-cause, remediate the problem, identify what information may have been accessed and return the business to normal.
If you haven’t tried Scrutinizer yet, you can download an evaluation copy to see how it will better prepare your organization for inevitable security breaches.