Increasing security concerns in the organisation are among the factors that keep executive directors and board members on alert. Tomorrow's challenges and risks are very different from today's, and it is crucial not only to ask the right questions, but also to be able to provide the correct answers, and to have a solid, actionable plan ready in case of unfortunate events that might affect the entire security of your company.
More and more executive directors, board members and information security officers are starting to work together in order to develop and implement coherent plans for the security and protection of data and information. This in turn requires framing more concrete steps to take in order to shift from reactive to proactive management of the cybersecurity strategy. A strong foundation is needed in order to develop and implement a solid plan, and for this purpose it is important to have the answers to some essential questions.
In this article, we distinguish four practices to support your organisation's cybersecurity strategy.
A. Assessment of cybersecurity issues
Cybersecurity is not an information technology (IT) issue, it is a business issue — and should be considered a vitally important part of the company's strategy. The risks related to cybersecurity grow in number each year, adding to the challenge of assessing them and keeping the company safe, a task not only for IT and security departments, but also for management and employees throughout the company. For these risks to be kept to a minimum, executive directors and boards need to ask themselves 'how can my company understand and assess security and cyber risks better?' and 'does it have the necessary technical defences to prevent attacks?' Only then can you start a proper assessment of cybersecurity planning and strategy.
B. Monitoring of possible risks and cyber risks
Companies might have the means necessary to control some of the risks today, but these can easily threaten them again in the future. As risks become more complex and sophisticated, preventing them means monitoring potential risks and cyber risks even more closely. Executive directors and boards, together with the company's security experts and the CISO (chief information security officer), need to implement a proper monitoring plan in order to minimise the risks and maximise the sustainable growth and stability of the company. By asking yourself questions like 'what should my company do to ensure proper monitoring of potential security and cyber risks?', 'what are the policies and procedures we need to follow in case of a threat and/or attack?' and 'do we have an actionable plan that has been rehearsed?' you are taking the first measures to prevent rather than repair damage.
C. Reaction and responsibility within the company
The CISO of a company has an important role, and that is to ensure proper implementation of the security and cybersecurity efforts. Thus, the CISO must understand the company's priorities from both a technical and a business point of view, for their contribution to have a positive impact on the organisation and its future goals. One person cannot, however, make sure that all cybersecurity efforts are effective. This requires the combination of people, processes and technology. So, if the question 'who in my company is responsible for taking the necessary measures in case of a security breach?' already has an answer, there are many more that still need one. Executive directors and upper management need to know 'what do we need to do in case of a security breach?', 'whom do we inform?', 'what tools do we use?' and 'are employees - at all levels of the organisation - informed of these risks and how to react to them?'
D. Management of risks coming from third parties
While it is necessary to oversee threats aimed at the company, it is equally important to perceive possible risks directed at other businesses and partners that interact with your company. Like other organisations, your company makes use of external vendors for different services and requirements, exposing itself to additional risks. For example, acquiring a SaaS (Software-as-a-Service) solution from an organisation implies depending on your provider's ability to overcome risks that might threaten their business, as well as, indirectly, yours. Understanding the exact nature of the service and the supplier's business values - especially in terms of security and cybersecurity - will enable your company to limit potential risks through appropriate auditing and control of their security infrastructure, and through additional contractual points. At this stage, a few relevant questions still need an answer: 'with which stakeholders does my company interact?', 'how many vendors are we in contact with?', and 'are these vendors completely reliable in terms of security and the protection of information?'
After all, staying on top of your organisation's cybersecurity is possible only by understanding what needs to be done, who the people involved are, what technologies you use, and - above all - by taking the necessary steps in the right direction today.