Tips for Executives and Board Members
Cybersecurity – protecting against attacks such as phishing or ransomware – ranks as a top challenge for most companies. And while the topic of managing information security has breached the boardroom doors (virtual as they may be these days), detailed discussions about the process of safeguarding organization data from security risks are often left to the information security or IT team. Or, your CISO.
Like hospital administrators who aren’t comfortable stepping through the doors of the surgical wing to learn how to improve surgical outcomes (and, therefore, financial results), stepping into the world of information security management can seem foreign and overwhelming to many executives.
Your Chief Information Security Officer (CISO), if you have one, has a large-scale, essential job that is imperative to your business’ success. The CISO, however, serves only as the conductor of the security orchestra. Safeguarding data requires involvement from every chair across the enterprise.
In fact, the entire board of directors and executive team have a corporate duty to provide due diligence and due care to safeguard a company’s information assets. Without an understanding of security fundamentals as they pertain to your business and having frequent involvement in the process, you risk making uninformed decisions and not fulfilling your duty which could have legal implications.
To be successful and protect both you and the entire organization, CISOs need you to be aware, engaged and committed. To start, here are seven things your CISO wishes you knew.
1. Information security is actually in conflict with the IT mission
When most executives think about information security, they consider it a function of the IT team. In reality, these two jobs require very different skillsets and mindsets.
The IT team’s mission is to develop and deploy the tools (hardware, software, data access) necessary to support the business as expeditiously, productively, and efficiently as possible. On the other hand, the InfoSec team’s mission is to protect information by implementing appropriate safeguards. These safeguards can be administrative (policy, training), technical (software, hardware), and physical (gates, guards). Their purpose is to create a defense in depth by implementing layers of security to protect access to information. These safeguards generally slow down the rollout of technology solutions by the IT team. Hence, the conflict.
Executives should understand this conflict and guide the entire organization in finding the balance between information security and business productivity. Positioning infosec accountability at the C-suite level is the first step. Then, aligning the two areas – IT and Information Security – as independent entities enables the organization to flourish while protecting against risks.
2. Safeguarding information is everyone’s responsibility – especially yours.
When it comes to securing information, people are the weakest link. As humans, we are prone to making mistakes, and it is in our nature to trust others. Cybercriminals take full advantage of these weaknesses. According to a survey from Blackhat and Thycotic, some type of human error causes 80% of all data breaches. By enhancing awareness of security threats and reducing those errors, you can significantly reduce your cyber risk.
Creating a strong culture of security awareness starts at the top, with upper management. Executives are accountable for information security controls in your organization. A sound security program requires you to both “talk the talk” and “walk the walk.” That means including security expectations in job descriptions to set the expectation from day one, speaking about security policies in your team meetings, providing a budget for training and security talent, and sharing stats and examples of your successes. The more you do, the more advocates and evangelists you create throughout the company.
3. Threats are growing and evolving faster than you think.
- Nearly 90% of organizations experienced business email compromise (BEC) and email account compromise (EAC) attacks in 2019.
- Based on top cybersecurity stats from CSO online, 94% of malware is delivered via email.
- Phishing attacks account for more than 80% of reported corporate security breaches.
- Ransomware attacks doubled year over year from 2019 to 2020.
- Breach severity increased by a factor of 10 in 2020.
- The total number of records compromised in 2020 exceeded 37 billion, a 141% increase compared to 2019.
To stay ahead of cybercriminals, security programs must continually evolve.
4. Our data is extremely valuable to hackers.
A single verified Stripe payment account and gateway fetches $1000 on the Dark Web these days. Can you imagine the value of the confidential client data your organization holds and manages today? Not only are criminals collecting personal information like your bank account credentials, your child’s medical records, and your social security number, but they also sell ransomware, confidential business data, and access to systems like yours as a service.
For almost every business, information is your most valuable asset. One major breach that exposes a company’s poor security practices, like the one Sony experienced in 2014, can forever ruin its reputation. You may never recover your intellectual property, financial data, or client and employee data. When clients stop trusting and employees leave, business falters. Also, there can be significant legal and financial consequences after a security breach.
The first step in understanding your information’s value is to ensure you have a complete inventory of the assets that support your organization. As the saying goes, you can’t protect what you don’t know you have. Besides a security incident itself, the worst scenario is finding out about an information asset’s existence as a result of a breach. CISOs know how to create order out of the chaos that often surrounds an organization’s technology stack, systems, and processes as it grows and evolves.
5. Our defense is good, but it can be better.
Cybercriminals act based on ROI. They look for environments that require the least effort and amount of time to hack for the greatest return.
A strategy to avoiding problems is to add layers of security. My neighbor and I may both lock our doors and have security lights around our homes to provide reasonable security. If I add an alarm service with visible signage and get a loud German Shephard for protection, which house is a burglar more likely to attempt to rob? As you add more controls to an information security program, you make it harder and less desirable for hackers to target your organization.
How do you decide just how far to take your security controls? Talk with your CISO about the current state of your security program vs. the ideal state. Consider how it supports your organization’s mission, business model, legal and statutory requirements, and growth goals. Understand the value of all company assets and the impact it would have on your business – catastrophic, serious, or minimal — if they are compromised. Then you can determine the right level of security that’s justified for the value of each asset. While your costume jewelry is fine stashed in your bathroom drawer, the value of your diamond ring and earrings may justify the purchase of a safe.
6. A good security posture can be a competitive advantage. But, soon, companies will not have a choice.
The strength of your defense against cyberattacks and human errors can be a differentiator over competitors with lesser capabilities. To demonstrate your security program’s value, a certifiable framework such as the ISO 27001 standard gives your company an internationally recognized “seal of approval.”
However, establishing a solid information security system may not be a choice for much longer. Regulated industries already require compliance with a variety of frameworks and certifications. The government is ramping up security requirements for its contractors and subcontractors through the Cybersecurity Maturity Model Certification (CMMC). Plus, every state privacy law requires an organization to demonstrate some level of information security. And if a data breach includes personally identifiable information (PII), stiff penalties are levied.
Just as important, clients and partners now ask probing questions about the quality of security programs and choose only vendors that prove they take adequate steps to safeguard information. For example, companies are looking at their outside counsel law firm panel and taking the time to evaluate their security posture fully. These law firms must meet the standards imposed by their corporate client or risk losing their panel status and the associated revenue.
You may think that cyber insurance, a policy that protects businesses against liabilities related to security incidents, will help in the event of a security program gap. Realistically, cyber insurance only pays if your business practices good cyber hygiene. If you don’t, you can expect limited, if any, coverage.
7. We know cybersecurity can be confusing and overwhelming. A CISO can make it understandable.
The chosen infosec standard or framework provides a playbook for creating and managing a solid program. While the information security team focuses on the inner workings of policies, controls, processes, and risk assessment, your CISO can help you focus on aspects of the program that are more meaningful to the leadership team.
Dashboard reporting tools – or scorecards – based on your security goals provide meaningful insights to the leadership team. Choose the metrics that make the most sense for your organization. Not sure where to start? Try these KPIs:
Training Completion Rates and Scores
Effective, frequent training is the foundation of any security program. Without demonstrating complete training records, auditors can strip you of a security certification. Has everyone completed training? What were the scores? How did their fare on the phishing test? Are certain groups scoring lower than others?
Existing Risks and Countermeasures
What are your known risks, and what controls have been proposed to mitigate those risks? How are they designed to meet the organization’s risk appetite? Are they aligned with the business and its budget?
Risk Improvements and Accomplishments
Review previous risk concerns and mitigation plans. How has a particular risk changed since implementing a control? Measure the effectiveness of your infosec decisions. For example, when measuring email compromise risk, your security team may run regular phishing campaign tests. When you see that 15 employees engaged in sample phishing emails last month and only one engaged with a phishing email this month, you know you are making progress. Compliance management platforms store all program data in one repository, from training records and risk assessments to risk treatment plans and audit results, simplifying this kind of reporting.
Suppliers Evaluation
Ensure that suppliers are evaluated on their security posture at pre-defined intervals, not just at vendor onboarding. Addressing cybersecurity from the top can help your organization better defend against cybercrime. That protection begins with the entire C-suite and the Board engaging to foster a culture of security throughout the business. Making information security part of the organization’s governance, a common conversation topic at all levels, and measuring security performance metrics at the Board level can dramatically improve an organization’s security preparedness.
Don’t be afraid to ask the tough questions, be prepared to discuss the metrics, and roll up your sleeves to help set the tone for everyone on the team. You will be glad you did.
Contact EXTEND Resources to learn more about our Virtual CISO services and legacy of information security expertise. We’ve helped organizations like yours secure their assets, create a robust security program, become certified for information security compliance, and continually improve their program to protect against evolving threats.
Steve Henn
shenn@extendresources.com
203.803.2127