The two-way cybersecurity conversation
With cyberattacks featuring regularly in mainstream news, it's good to see that boards and CEOs are becoming more cybersecurity conscious.
However, the question is how prepared CISOs are to deal with their questions and concerns, and what the key things are that CISOs need them to understand about cyber security.
Sean Duffy, Digital Business Solutions Security Practice lead at Dimension Data, poses 10 questions that CISOs should be able to answer:
1. What is the current level of cyber risk?
Additional things to consider: What are the threats, risks and vulnerabilities to the business? How well is it positioned to address them under the current cyber security posture?
2. How much of the cyber risk is internal versus external?
Additional things to consider: Does the organisation have to worry about insider threats (malicious or not)? Is it further exposed or at risk by partners, suppliers and vendors?
3. How well is the organisation positioned to deal with cyber attacks and risks?
Additional things to consider: Does the organisation have the right cyber security technology, tools, capabilities, skills and expertise to deal with the risks? How sound is the cyber security posture in the context of the global, industry and business-specific threat landscape?
4. What is the incident response and disaster recovery plan?
Additional things to consider: Will it be able to react quickly in the event of a cyber attack? How well are staff members integrated with the legal and communication teams should there be an issue?
5. Is data secure?
Additional things to consider: How is data secured when it is in motion, in use and at rest? Are compliance obligations being met? What happens if there is a data breach?
6. How can employees be educated and enabled on cyber security?
Additional things to consider: What is needed to ensure employees aren't putting the organisation at risk? How can employees be protected so that they do not become targets themselves?
7. What would be the cost to the business in the event of a successful attack?
Additional things to consider: What are some examples of successful attacks and what has been the damage in terms of financial losses, brand and reputational damage, legal exposure and market competitiveness (in the case of IP theft)?
8. Does the organisation need cyber security insurance?
Additional things to consider: What is cyber security insurance? What's covered? What's excluded? What is needed in order to fulfil the organisation's insurance obligations and be covered if something does occur? For example, what's in the fine print? And what's the cost involved?
9. Where does the organisation rank compared to other organisations in terms of cyber security preparedness?
Additional things to consider: What are peers and competitors doing? What can be learnt from other industries? Are we doing more or less than we should? What should we be doing differently?
10. What role does management need to play in effective cyber security management?
Additional things to consider: What roles do senior leaders and the board play in managing and overseeing cyber incident response? How do they build a security mindset into the corporate culture?
Duffy also offers five key things that a CEO needs to understand about the changing role of cyber security, and some key talking points:
1. Organisations need to be secure by design
Cyber security can no longer be an afterthought as we build, manage and roll out digital transformation strategies and initiatives that deliver business outcomes; we must now be secure by design.
Secure by design is two-pronged:
It starts with building a cyber security mindset into the overall corporate and digital strategies, and it requires the development of a SecDevOps culture, so that as we build and deploy the actual technologies and services we'll use as a business, we've considered security from the get-go, rather than incurring additional cost and time to redesign and add it in later.
2. Organisations need an enterprise risk profile that IT/security plans align with
What is our direction, and what are our goals and objectives as a business? Are we steady-state, in which case, fewer innovations are perhaps needed, or are we truly trying to transform the way we do things, in which case there will be many changes across the business?
What are our legal obligations? In other words, where can we make no exceptions and take zero cyber security risk, such as data and privacy regulations where we must meet our compliance requirements?
Where are we not willing to take risks? For example, protecting intellectual property.
What types of risks are we willing to accept? For example, bring-your-own-device or bring-your-own-application, where the productivity and usability gains outweigh the known risks to our business?
3. Our digital footprint is growing, whether IT knows about it or not
A digital footprint is more than the infrastructure we sanction and deploy (network, data centre).
It's also whatever we share with our customers, suppliers and partners; the BYOD/IoT devices connecting to our network; the app built for a one-time marketing event; the official and fake social media accounts, websites and applications that represent our employees and our business; and the decentralised technologies business units deploy without checking with IT or security teams first.
We need to ensure we have the capabilities to manage this footprint, because it is growing fast.
4. More money doesn't mean fewer problems - we need to invest smartly
Spending more money doesn't necessarily make us more secure or reduce our risk.
We need to make sure that money is spent in the right way for our organisation.
What informs how we spend effectively is our risk-profile and our cybersecurity posture.
5. We need to be more intelligent and predictive with cyber security
One key area that we need to invest in is predictive intelligence.
We can get cyber security right 99% of the time, but attackers only need to exploit the 1% in order to do tremendous damage to our business.
Predictive intelligence helps us to stay one step ahead of cybercriminals because we understand where and when they plan to act next.
For Duffy this creates a dynamic, rather than a static cyber security posture, and helps to ensure businesses have the flexibility and agility to tackle the changing threat landscape and risks to businesses.