BreachExchange mailing list archives

Managing the cybersecurity challenge - Boards must be able to hack it!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 29 Jul 2014 20:20:17 -0600

http://www.bus-ex.com/article/managing-cybersecurity-challenge-boards-must-be-able-hack-it

The increasing occurrence of cybersecurity breaches – such as the recent
case at eBay, in which it is believed more than 145 million user accounts were
infiltrated – is causing executives around the globe to seek ever more
sophisticated solutions to prevent future violations. As they review
their procedures, tighten their operational environment and add additional
levels of security, finding the optimum formula is still proving elusive.

Advances in security architecture and cyber-defence tactics have helped
address some risks, but they are inefficient and unsustainable when faced
with the more adaptive, embedded and interconnected capability of the
current threat. Strengthening network resilience is important but
management responses seem overwhelmingly reactive. The criminal cyber
threat is nimble and intensely focused and, thanks to its financial success
to date, has the wherewithal to invest in innovation and scale, often
leaving corporate security trailing in its wake.

Given that the cost of cybercrime to the UK is currently estimated to be
between £18 billion and £27 billion, it is essential that boards play a
more proactive role. At an operational level, working on the basis that
they will be faced with a cyber-attack at some point, leadership teams need
to anticipate the business risk and develop counter-measures and business
continuity plans which will minimise the disruption.

But how do they do this and who should be in charge of driving the
corporate agenda on cybersecurity?

As boards acknowledge that technology on its own is not enough, companies
need the addition of strong, well-organised management with a broad range
of technical and non-technical capabilities.

In many instances, the responsibility for cybersecurity falls on the CIO.
This is perfectly understandable but IT risk and information security have
now become business issues and not simply technical ones. Additionally,
there is no department that is immune to a cyberattack, or that shouldn’t
consider that certain activities undertaken within that department may give
rise to a security breach, generated either internally or externally. The
challenge here is to oversee the organisation’s enterprise-wide risk
management in an effective way that balances managing risks while adding
value to the organisation.

In an increasing number of companies, we are starting to see the creation
of a new senior role on the leadership team, that of the Chief Security
Officer (CSO). Whilst the position of Head of Security is not new, the role
has changed considerably in scope of responsibility. Some organisations are
also distinguishing between the Head of Physical Security and the Head of
Data Security.

Working alongside the CIO, the CFO and others, one of the CSO’s
responsibilities is to advise the board and senior executive team on
existing risk management procedures. He/she must be able to demonstrate the
effectiveness of these procedures in identifying, assessing, and managing
the organisation’s most significant enterprise-wide risk exposures. As
boards consider these risks, they must decide whether their current risk
oversight and governance processes enable them fully to understand the
potential impact on corporate strategy.

The CSO’s position must interface with other business areas such as IT,
Legal, Human Resources, operations and corporate communications. Therefore,
even though heads of IT possibly could take on this role, suitable
candidates must have a strong commercial ethos as well, with a global view
on the impact of the cyber threat and a solid understanding of the changing
threat landscape.

The scope of this level of awareness needs to encompass a range of assets,
systems and activities, including some perhaps not previously considered as
‘at risk’. These will include assets held by external organisations – such
as suppliers – since attacks frequently come indirectly through these third
parties. Earlier this year, Target, the USA’s second-largest discount
retailer, reported that the personal information of as many as 110 million
customers was compromised after hackers reportedly installed malware onto
the retailer’s point-of-sale machines through one of its suppliers.

Given the need to establish a balance between creating and sustaining a
secure environment, whilst also enabling end-users to work unhindered, an
experienced CSO should also be a strong team player capable of embracing
and managing change and collaborating with others through information and
intelligence sharing. Finding someone with the right credentials for the
role is a challenge. Growing demand is already outstripping supply of the
most qualified people, so CEOs may need to consider executives who have
some – but maybe not all – the skills required, and provide the time and
facilities for that person to develop accordingly.

How the board views and responds to the cyber threat is equally important.
As with many aspects of the board’s role, this is as much about knowing
what questions to ask – and being satisfied as to the quality of the
answers – as it is about expert or technical knowledge. Indeed, discussing
the technical minutiae is almost certainly not the best use of the board’s
time. Rather, and this will become increasingly an issue to be reviewed in
annual reports and regulatory processes, the board will need to demonstrate
to stakeholders – investors, customers, employees and regulators where
relevant – that they are fulfilling their responsibility of assurance:
setting the strategic framework and holding management to account.

In the final analysis, the cyber threat is a question of ‘when’ rather than
‘if’, and organisations need to prepare accordingly, even though the nature
and target of the threat are constantly changing. What hasn’t changed,
however, is the responsibility of security specialists, management teams
and boards to provide technical capability, business resilience and
strategic oversight respectively.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 