The active participation in the recent Management Association of the Philippines Forum on “Cyber Resilience: A New Boardroom Priority” shows that cyber security awareness is growing as more organizations, government and private alike, learn that their networks are vulnerable to attack.
The emerging agreement is that the Information and Communications Technology (ICT) department alone cannot handle security; every employee, under the leadership of C-level executives, has a part to play. This has become a new boardroom priority: cyber resilience.
Any organization must prepare for, and bounce back quickly from, inevitable cyber attacks.
Several questions were raised in the forum: Why should senior executives be more proactive about cyber security, before, during and after an attack, and how can they institute and maintain a strong cyber security posture?
Who is responsible for cyber risk? How vulnerable is an organization to a cyber attack? What attacks are most likely to succeed, and what kinds of data are at risk?
In other words, how extensive do you want your cyber security program to be?
Which executive is responsible for monitoring and assessing the program? What are the critical assets to protect, and which cyber threats are intolerable?
In fact, in many US states and other countries, laws dictate security requirements for personally identifiable information (PII), including notification requirements when PII may have been compromised.
The C-level executive responsible for developing and implementing policies designed to protect employee and customer data from unauthorized access, usually the Chief Privacy Officer (CPO), works hand-in-hand with other C-level executives, such as the Chief Information Security Officer (CISO), Chief Customer Officer (CCO), Chief Operations Officer (COO), Chief Financial Officer (CFO), Chief Human Resources Officer (CHRO) and the Chief Executive Officer (CEO).
It is recognized that each C-Executive has specific security needs, but organizational security is only as strong as its weakest link.
The ability to implement a strong security posture across the entire organization is directly correlated with how competently these executives collaborate and coordinate their processes before, during and after a cyber attack.
If your board, or whichever is the highest governing body of your organization, does not yet have a committee devoted to cyber security, consider forming one.
Sometimes, this committee is also responsible for data privacy issues and other cyber risks.
In other words, this committee is expected to decide how extensive it wants the cyber security program to be.
It should also determine how it intends to consistently monitor and assess that program across the organization.
The organization’s cyber attack incident response team, meanwhile, draws its members from various departments: Marketing (for public communications), Legal (compliance with breach notification regulations and general risk management), ICT (impact on computerized systems), HR (internal communications), and executive management.
Other highlights of the forum included how to prepare for a breach: several kinds of cyber security assessment can determine how an organization can most effectively prepare for and respond to inevitable attacks.
A compromise assessment can apply extensive threat intelligence and security expertise to determine whether you have been breached in the past, or are currently under attack.
This assessment includes recommendations for further investigation, containment, and long-term security improvements.
Proactive objective-based tests evaluate your security measures against the tools, tactics and procedures used by attackers who typically target your industry.
Penetration testing, red team operations and other objective-based tests can detail risk, probability of exploitation and potential business impact, and provide actionable recommendations.
Security program assessments can also review your security organization, practices and procedures against the latest industry standards in 10 critical security domains.
Such an assessment provides a security program roadmap with prioritized recommendations to close gaps, based on vulnerabilities, attack trends, and any likely malicious activity in your systems. It can be very comprehensive.
Response readiness assessments can review the capabilities of your security operations and incident response for detecting and responding to cyber attacks.
Being prepared for a breach means the C-level executives must practice ongoing cyber risk management: continuously monitoring the risk environment, as well as reviewing IT budgets, new technologies and services, security spending, incident reports and company policies that have security implications.
Not only is it critical to be prepared for a breach; your organization’s incident response team must also move quickly once it identifies one.
The team needs to determine where the attackers are, what they seem to be after, how far they have advanced and how long they have been in your systems.
C-Executives also have a role to play in the response.
Working with the CISO, they can also bring in outside cyber security experts to advise the organization on incident response.
These experts may be aware of newer and evolving security threats and have the knowledge, technology and skills to defend against them.
And equally important in responding to the attack is deciding how to disclose the incident to the outside world.
Keeping the breach quiet may no longer be an option, given legal disclosure requirements and the likelihood that news of the event will become public.
Of course, the bigger concern during a breach is to gain control of the situation, so that attackers can be removed from your network and normal operations can resume as quickly as possible. That is cyber resilience.
One more important question C-Executives should ask themselves is “Could this happen again?”
It is important that a framework is developed to continuously identify gaps and to determine which areas to improve.
Don’t forget to work with your legal counsel as well as your public relations partners to determine not only how to engage with your stakeholders like your customers, suppliers, employees, and the public, but also to determine what’s required of you under existing laws.
The next M.A.P. Forum on “Data Privacy and Data Sharing” will be held on Friday, May 12, from 1:30 p.m. to 5:00 p.m. at The Conservatory, The Peninsula Manila. If you are interested, please contact the MAP Secretariat via <map@map.org.ph>, or 751-1149 to 52.