Getting started with cybersecurity governance
Board directors and executive management are focusing more time on cybersecurity threats and how to mitigate such risks. Cybersecurity governance is a trending topic, given that there are almost daily headlines on cybersecurity breaches, fines being levied related to unauthorized customer data leakage, financial losses and even ransomware events.
Information security, cybersecurity and data privacy are complex and ever-evolving topics, requiring organizations to constantly assess and update their defenses and incident response procedures. Attackers first map the systems, services and people an organization exposes to the outside world (its “attack surface”), then compromise users and their devices, and once inside, move laterally to other vulnerable users, devices or servers. They also attack an organization indirectly through its supply chain, by compromising a vendor, partner or software component it trusts.
Cybersecurity governance
But what exactly does “cybersecurity governance” mean for board directors? And how can an organization make sure that it has the right elements in place to mitigate cybersecurity risks? I can offer some advice given my experience as a telecom executive, which included overseeing the information security and data privacy team. And as a board director, I can suggest some important questions the board needs to ask, and what organizations must implement in response:
Has the organization adopted a globally accepted cybersecurity framework? Frameworks such as the Cybersecurity Framework of the US National Institute of Standards and Technology (NIST CSF) help ensure that risk mitigation is complete and robust rather than ad hoc. And with the rise of hybrid work, has the organization adopted the concept of “zero trust,” under which no user or device is trusted by default because of its network location, and every access request is verified?
Has the organization evaluated or determined what are its most important proprietary commercial or customer assets? Manufacturing, retail, telecom, energy, health care and financial services organizations will have different assets critical to their operations, compliance and reputation. Continuing cybersecurity investments need to be directed toward protecting the most critical assets.
Does the organization perform regular vulnerability assessments? These assessments often involve engaging third parties to assess weaknesses from outside the organization (mainly through the internet), but also to assess vulnerabilities created internally (such as poor software development practices, information technology infrastructure configuration or employee behavior). And when starting out on this cybersecurity journey, has the organization performed a compromise assessment? This involves a deep scan of technology assets, including links with partners, to determine if there are indications that bad actors have already penetrated the organization.
Does the organization prioritize its cybersecurity investments in software, platforms, procedures and talent upskilling by matching the findings of its vulnerability assessment against its view of the most critical assets to protect? Many organizations soon realize that investments will never be enough, and therefore must ensure that minimum safeguards are met, that further investments are prioritized by risk, and that such investments are spread over several years.
Priorities may also be adjusted regularly as new threats and vulnerabilities arise. “Dwell time,” the length of time an attacker is present in an organization’s environment before being detected, needs to continually decrease. (In Mandiant’s M-Trends Report 2023, the Asia-Pacific median dwell time worsened to 33 days.)
Does the organization track investments, action plans, procedure changes and talent regularly, to ensure continued progress in mitigating cybersecurity risks? Often, risk mitigation happens over several years and is constantly reevaluated as new threats arise, or new capabilities are acquired. Of particular concern is the global war for talent in cybersecurity, and organizations need to make difficult choices about talent hiring, upskilling and complementing with third parties and modern technologies, such as artificial intelligence-driven security software.
Addressing vulnerabilities
Does the organization have access to early warnings if new vulnerabilities are discovered in the technology it uses, if its defenses have been breached, or if its supply chain has been compromised? Usually provided by third parties, such “threat intelligence” is an important part of an organization’s toolkit.
Does the organization have a “push button ready” response team and procedures, involving internal or external parties, in case cybersecurity breaches do occur? Are these tested regularly, for example through tabletop exercises, to ensure rapid response? “Contain time,” which measures the time from detection of an incident to its containment and remediation, should constantly decrease.
In cybersecurity, they say that an organization needs to be lucky all the time, while an attacker needs to be lucky just once. There is no technology, software, platform, vendor, framework or response team that can guarantee that no breaches occur. But board directors and executive management can limit the impact to an organization, which is the essence of sound risk management. Or as they say, hope for the best but prepare for the worst. INQ