“Media reports of security incidents have become as commonplace as the weather forecast.” – PwC Global State of Information Security Survey, 2015
Over the past 12 months, nearly every industry has experienced some sort of cyber threat, and the future looks to hold more of the same. Sophisticated threat actors are finding their way past even the best defenses with frightening regularity.
Part of the problem may be how companies measure and assess their security posture. This is not an IT issue; it is a Board-level one. The cost of cyber incidents keeps rising, and breach after breach has shown the substantial impact an attack can have on shareholder value. Beyond the money spent to recover, enterprises face falling profits and open-ended litigation costs in the wake of an incident, not to mention the damage to their brand.
With economic stakes like that, the pressure on Boards and executives to be proactive is greater than it has ever been. Yet in many organizations the Board does not participate in key initiatives such as security strategy, budget and risk review. Would it surprise you to learn that 58% of Boards are not involved in security strategy, or that 75% do not review security and privacy risk? Those are staggering statistics, and CISOs have to find ways to raise the level of engagement among the key stakeholders. In fact, it is up to CISOs to provide answers to the questions those stakeholders should be asking, even if they have not asked them yet. And even when Boards are engaged, they are not always satisfied with what they are given, which puts more pressure on the CISO to get Board members and C-suite executives actively involved in understanding both the risks and the remediation strategies.
How Good Do You Want to Be?
As a CISO, you need to arm yourself with information to be able to present to your Board. Be prepared to answer these questions:
- What’s going on out there?
- Who is after us?
- Are we being targeted?
- How and where are they aiming?
- What are they after?
- Have we (already) been compromised?
- How fast can we detect, respond and recover?
- Can we prevent bad things from happening?
- Where should we focus (and not focus)?
- How much is enough?
- How can I not impede my business productivity?
- How do I continue to manage these risks?
With those answers in hand, you will need to convince your Board that the goal is to move the enterprise beyond a “good enough” security posture. Start by understanding where the company is today, then focus on improvements. Is your company’s approach to cyber security minimalist? Reactive? The aim is a posture that can fairly be called advanced.
What does that look like? Take speed as an example. Convince your Board that periodic alert reviews are not enough; move to real-time alerting so you know immediately when something on the network requires attention. The same goes for automation: a patchwork of disconnected tools cannot keep up. You need tooling that is integrated, so that detection, investigation and response feed one another, in order to identify and contain a breach effectively.
If you don’t already have an executive security steering committee, build one. And while you’re at it, create a sub-committee that meets more frequently and brings current problems and viable solutions up to the executive level. This group of cross-functional representatives from across the enterprise can work together to guide your program and enable the Board to make well-informed, critical decisions. That way, when a breach threatens, your executives are prepared to act quickly and decisively, with buy-in from all members. Because breaches will happen. It’s up to you to have a plan that minimizes your exposure and maximizes your chances of quick identification and response.
Authored By: Julie Cullivan, Senior VP and CIO, FireEye