Getting comfortable with your company’s cyber-security program is not just a matter of being able to answer questions like: “Does our organization have the right governance structure?” “Is our company adequately staffed with the right people to address key risks?”
Rather, it’s being able to answer questions like: “Are we thinking about security the right way, and where is all this going?” And then, even further: “How do I know we are doing OK in terms of cyber-security, and what should I be seeing that will make me reasonably comfortable that we’re in good shape?”
The human immune system provides an apt analogy: When a germ breaches the body’s natural barriers, the immune system mounts a three-step defense: Sound the alarm, solve the problem, then recover and remember.
The first defenders on the scene are white blood cells, which are constantly circulating throughout the body like police on patrol. Next, specialized white blood cells called lymphocytes engage in a two-pronged attack – one directed at infected cells and the other at hostile microbes roaming through the blood. Finally, once the invading germs as well as compromised cells have been destroyed, the immune system’s soldiers return to their bases – leaving a small number of seasoned veterans on the scene, just in case the bacterial invader returns.
The effectiveness of a cybersecurity defense, like that of the immune system, depends on each component fulfilling its role efficiently. A corporate body’s health and safety therefore depends on its ability to do three things:
Sound the alarm: In any security system, when firm boundaries are breached an alarm goes off. The problem with cyber-security is that most companies do not know what their high-value assets are, what is connected to and communicating with them, or how someone would go about accessing them. You cannot detect a breach of a boundary you have never mapped, so the first step toward better detection and response is an accurate understanding of the environment you are trying to protect: an inventory of systems and data, the connections between them, and the accounts and paths that reach them.
As with an attack on your personal computer, the first visible signs of a problem can be as mundane as slow connections, sometimes the result of denial-of-service (DoS) attacks, which flood systems with requests until servers and networks are overloaded. In companies that are specifically targeted, attackers send staff emails that spoof the sender’s name so the message appears to come from a trusted source. These emails carry malware attachments that an unsuspecting user may open, or they attempt to lure the recipient into handing over credentials or other sensitive information. Bear in mind that a targeted intrusion is usually designed to produce no obvious symptoms at all, which is why monitoring cannot rely on users noticing that something feels wrong.
Constant surveillance is critical, with early-warning indicators and multiple layers of defense. The company should already have developed, and should be monitoring, internal measures such as training effectiveness and staff skill levels, and external metrics such as third-party cyber-security ratings and negative cyber-security publicity.
There should also be an effective, constructive challenge function, with no single individual holding sole responsibility; one person working alone is vulnerable to missing something and mortally damaging the corporation.
Even further, many companies now choose to outsource aspects of their IT infrastructure, and many IT teams believe their technology service provider(s) bear the responsibility for data control. If that is the case, you know you have a problem. Whether on-premises or in the cloud, a service provider is responsible for the security of its own platform, but your organization remains responsible for your data: how it is classified, who can access it, and how the provider’s services are configured to protect it. That accountability cannot be outsourced to a third party.
Senior management should require an independent cyber-security review process on an annual basis, much as you would seek an annual physical exam from an expert physician. (This year I would also check whether the organization can cope with the new European GDPR data-protection regulations, and whether investments are being made in data management to harness the benefits of artificial intelligence.)
Solve the problem: Corporations need to manage cyber-security at the enterprise level and must continuously improve the ability of each element (line management, operations, internal audit, risk, and compliance) to fulfill its individual and organizational functions. Check that everyone is pulling in the same direction, sharing the same priorities, and making appropriate trade-offs.
Discussions about cyber-security management with the accountable corporate officer should be allotted regular and adequate time at Board meetings. Management should define what appropriate behavior looks like, and should recognize and reward it.
Recover and Remember: An effective cyber risk management program includes careful planning, smart delegation, and a system for monitoring compliance — all of which directors, executives, and middle managers should own. When things go wrong, whether in a major or minor way, the ability to identify and respond to a problem quickly will determine the company’s ultimate recovery. Your organization’s cyber resilience program should bring the areas of information security, business continuity, and organizational resilience together.
Remembering and learning from events is the final critical piece of cyber-security. Check that post-mortems are conducted for each and every incident, then facilitate discussion of lessons learned and the cultivation of best practices.
Directors and senior management should have their noses – not their fingers – on cyber-security. They should feel comfortable with the answers they hear to the following questions:
Are we thinking about security the right way?
-What assets are most valuable?
-Do we have the right strategy regarding security?
-Do we have the right leadership?
-Where are we relative to “best practices”?
Where is this all going?
-What are the company’s future risks and challenges?
-What externalities should we be monitoring?
-Do we have the priorities right, so that we are building the talent and making the right investments and trade-offs to meet the challenges?
How do I know we are OK?
-Do we have clarity and consistency across the organization?
-Are we measuring the right things the right way?
-Are we building the right culture?
-Do we have any holes in our immune system?
Most senior executives – especially those with nontechnical backgrounds – may never feel entirely comfortable with cybersecurity. And maybe that’s a good thing – perhaps it will stimulate additional due diligence, ultimately leading to further safeguards.
However, as long as the organization has a strong cyber-immune system, you can feel reasonably comfortable that your company is thinking about cyber-security in the right way and taking appropriate steps to protect the enterprise.