C-level Cyber security conversations
Today, Cyber security and threats are in the fore thinking of every major organisation. The threats and risks of a Cyberattack happening has increased with the growth of connectivity of devices. Attack surfaces are increasing every day with the adoption of new devices by organisation. Every new connectivity becomes an attack vector point (attack path) increasing the risk of a cyberattack.
The consequences of a breach in security can pose an existential threat to organisations, especially those without the financial strength to absorb sanctions and damage to reputation that can significantly affect revenues. This has made Cyber security an important topic at the executive and strategic level. The average cost of a data security breach claim in the US is 3.2 million USD.
The challenge directors sometimes have is that, not all are knowledgeable on this topic.
Five board level questions can provide some level of diligence and care. Our research has shown that these questions focus the organisation to mission priorities, risk appetite and budgets.
Framing the security question adopts the categories listed in the is based on the NIST handbook (Framework for improving critical infrastructure cybersecurity)
Do we sufficiently understand the business context, the resources that support the organisations critical functions and the related risks?
This question will enable the organisation identify risks, focus and prioritize efforts expended within the context of the risks and business needs. One should be confident that this line of questioning would drive out an appreciation of Critical infrastructure, known threats, and vulnerability of organisation to cyberattacks and provide a basis for safeguarding.
Have we developed and are implementing safeguards to identified threats and vulnerabilities?
This should prompt responses that indicates efforts planned or implemented to limit or contain any potential cybersecurity event. In responses, one would look for answers that provide for acquisition of detection technologies, implementation of data security procedures and practices to protect information confidentiality, integrity and availability.
Do we have the capability to detect in a timely way the occurrence of a cybersecurity event?
Responses and comments that indicates planned or implemented capability to detect anomalies, events, continuous monitoring and detection processes planned or in place. A good application in this space is the Cyberark
In an event of a successful breach of the organisation’s security perimeter, do you have incident response procedures and processes to contain the breach?
The absence of an incident response plan will imply a chaotic response to a security breach and may destroy admissibility of disclosures. The current case of Uber not notifying authorities and impacted parties of a breach implied a lack a fully thought through incident response plan. A standing plan of what to do in case of a breach should be a minimum.
Recovery & Retaliation
Do you have, or are you planning to develop appropriate activities to maintain plans for resilience and restore any capabilities degraded because of a security event in a timely manner?
Organisations must be able to recover from a security breach in a timely manner. Recovery plans are critical to the organisations continued existence to fulfil its mission. This is a very important question, and the extent of preparation indicates the perceived risk of the occurrence of this threat.
There is currently a proposed bill in the US congress on retaliatory hacking. At the time of writing, this bill has not been passed the by US congress. It is not required that organisations have retaliatory plans. Governments however do reserve the right to initiate covert retaliatory actions were appropriate.
It is worth mentioning that the appropriate training of people and commitment to open communications should underpin all Cyber security mitigating actions
The organisation’s breadth of risks and a focus on these risks together with a clear line of accountability encouraging an effective risk framework. It improves the organisation’s overall security posture
‘Yemi Oluleye B.Sc., ACIB, MBA, CISSP, Certified TOGAF
CISSP Digital badge https://www.youracclaim.com/go/r5XbdY9NVqbSCM9DGaFwZw
Consulting and Research Director at Y-Digital Technologies