Cybersecurity threats have increased in severity, randomness, number and frequency over the past few years. To withstand these ever-increasing global threats, boards and executives must remain focused on the fundamentals of cybersecurity, leading from the top, to build a stronger security culture.
Lethal combinations of cyber and physical attacks compromise satellite and GPS systems. Weaponised IoT devices threaten to shake the global foundations of connectivity, industrial control systems and information security. All of which will impact public trust and international relations. To effectively address these threats and mitigate the risk to business, government, and public life, IT infrastructure must be fundamentally sound, adaptable and designed to protect the people, processes, data, and technology systems that rely on it.
Nevertheless, securing IT infrastructure is not enough. In order to absorb the impact of attacks, security culture, strategic priorities and best practices must become woven into the very fabric of the organisation. This requires diligence, leadership and contextual threat intelligence – and it starts in the boardroom.
Building in cyber and risk resilience
The rapid evolution of technology has led to an increase in opportunity for cyber criminals that is currently outpacing traditional risk management strategies.
To survive and stay competitive, boards must recognise the urgency of preparing for unpredictable threats and consequences, including emerging risks on what’s become known as the “threat horizon”. Boards and executives are responsible for extending risk management to include cyber and risk resilience, and ensuring that the security programme and priorities lines up with their business objectives. They must ensure it protects their most critical assets and addresses threats specific to their industry, customer base, business model, location or offerings.
This is a tall order and it’s no wonder boards and executives often get distracted by daily business demands and fall behind in the battle. But as cyber threats mount in number and intensity, we’ve reached a turning point where active leadership and follow-through are more imperative than ever.
The following are the four major areas of responsibility that boards and executives should focus on as they ramp up their cyber and risk resilience.
1) Leading the company in cybersecurity best practice
Boards and executives understand risk holistically and see the big picture most clearly, so they need to determine a course of action for the entire organisation. Rely on trusted resources and recommended frameworks to guide, shape and assess your strategies and tactics. The “Standard of
Good Practice for Information Security 2018” is an excellent place to start, before ensuring the following:
- Lead by example – Make sure business and security leaders communicate regularly to everyone in the company the importance of following security policies and best practices. In the event of a breach, these pronounced efforts should mitigate reputational harm.
- Stay current – Make sure you have relevant threat intelligence to anticipate threats and be proactive, especially if you’re in a targeted industry. Provide tailored training for the board and executive suite. Share intelligence and follow cybersecurity events in your industry.
- Be strategic – Ensure that cybersecurity measures match the organisation’s threat profile. Start with your most valued data assets, with special attention to information systems that, if breached, would cause the most damage to operations, reputation, and customers. Protecting an organisation’s “Crown Jewels” helps leaders identify, inventory and secure these assets.
- Set clear expectations and follow through – Keep your eye on KPIs and push for consistent performance improvements. Make sure you understand the reports so you know that you’re getting results.
2) Be prepared to invest
Security teams must have the time, talent and resources to plan ahead, recruit specialists, and get help when needed. Invest in the basics – patch management, access control, awareness training – not just the latest “silver bullet” solutions. You’ll also need budget items for cross-functional incident response planning, expert advisors, and external assessments. Keep the future in mind — build systems, design products, and develop processes and policies with security at the forefront.
3) Plan a cyber-resilience strategy for breach incidents
Make choices about which systems, operations, and processes are critical and must be recovered. Rehearse incident response plans: determine who is responsible for legal, PR, media, notifications, customer relations and crisis management. Cultivate collaborative relationships with law enforcement and regulators. Think about your most critical assets and how to make them resilient.
4) Work on your workforce
Build strong teams of defenders and security champions through hiring, training, monitoring, and recognition. If you want to make security cultural as well as structural, you have to engage your people. Invest in automation so that your talent can focus on emergent and complex threats. Don’t forget to keep an eye on your extended workforce – vendors, contractors, and suppliers. Closely manage insider risk with advanced access control and limit access to mission-critical assets.
Preparing for disaster is the key to success
It’s not alarmist to say that every individual, government, business and public entity is vulnerable to cyber attacks. In fact, to sustain and protect the internet, we must all believe in and understand this modern reality. Companies that prioritise well-equipped security programmes and widespread security awareness are more prepared to survive breaches and be ready for growth opportunities. Board members must be prepared for the next, unexpected security crisis and have to remain consistently engaged with their cybersecurity senior executives – weekly, not annually – in order to make better decisions about aligning business and security objectives, managing risk, protecting brand reputation and responding effectively to incidents.
In the digital era, it’s imperative to develop and maintain a thorough understanding of specific weak points, mission-critical information assets and industry-specific threat vectors. Business and security leaders must see themselves as first responders on the front line, leading a strong defence against hackers, rogue nation-states, crypto thieves and malicious insiders. They must be seen as exemplars of good cyber practice and champions of security-by-design.