Is your Board Cyber Ready?

Over the last few years the topic of cyber security has gone mainstream. It’s now being actively discussed in boardrooms. The years 2012-2014 will go down in history as a period when many major corporations were breached, with the Sony Pictures hack becoming a landmark moment—nation-state actors got involved and executive orders authorising political sanctions were issued.

On another front, insider threat and the leakage of information by privileged users are now discussion points in the wake of Edward Snowden's 2013 revelations. US spying on the EU could put the Safe Harbor agreement in jeopardy, with huge implications for companies like Google, Facebook and Twitter, which rely on Safe Harbor to process EU citizens' data in the U.S.

What further information Snowden could release in the next few years is anyone's guess, but the episode demonstrates that cyber security is woven through every threat to an organisation's short-term revenue, long-term stability, viability and shareholder confidence, not to mention its corporate social responsibility index.

It is a fundamental requirement that boards and senior executives understand the risk posture of their organisation and are aware of the corresponding cyber threat vectors. They need a clear-cut strategy for detecting, preventing and responding to cyber events, managed in the same way as political, legal, economic and financial risks.

Given the growing awareness of cyber issues and rapidly evolving legislation, the board's obligations for cyber are to recognise the risk, proactively understand the current state of cyber preparedness, and ensure an effective plan is in place for rapid response when an incident occurs.

Is your board cyber-ready?

Boards and/or executive management should consider the following five-point plan to ascertain whether they are ready or not:

1. Board expertise: Do board members have expertise in technology and do they understand how the rapidly evolving ecosystems of cloud, cyber, data protection, internet of things and privacy overlap with the board’s role in corporate governance and risk management?

2. Environmental knowledge: Is there an adequate understanding of the organisation's technology environment? In the case of a cyber-event, is it clear whether the systems targeted are managed internally, managed externally or sourced from the cloud? Can the threat be responded to rapidly? Can management implement the required risk management protocols to shorten the time the organisation remains exposed?

3. Understanding the business: Boards or their sub-committees are required to undertake key oversight activities related to cyber-risks across critical business processes and systems. They should understand the budgets allocated to cyber-security programs and know who holds key responsibilities for security and data privacy across the enterprise. They should also understand the potential exposure from known blind spots, the areas with limited or no ability to detect a cyber-attack.

4. Response readiness: A cyber threat management framework needs to be documented and regularly tested against the "Cyber Kill Chain" approach, the phase-based model (popularised by Lockheed Martin) that describes the stages of a cyber-attack from reconnaissance through to actions on objectives. Mapping controls and playbooks to each phase helps construct response plans that are ready for when the organisation is attacked, and exposes the phases where the organisation has no detection at all.

Service management agreements should be in place with external third-party suppliers for technology and subject matter expertise that can be tapped into and mobilised in the event of an attack.

5. Media management: The board should understand that how the organisation responds and communicates following a cyber-attack or breach, where systems have been compromised and data stolen, will have a material impact on its reputation.

The cyber threat management framework requires a dedicated communication plan for use in the event of an attack. The plan should cover the speed of notification to impacted parties, how known damage is described, and the provision of information on actions planned and underway. It should explain why full disclosure of the event may impede response progress, while committing that any information of real benefit to impacted parties will be shared.

Above all, the board should ensure that a cross-functional, multi-disciplinary communications team exists as part of its response strategy, with adequate coverage across IT, security, legal, law enforcement liaison, HR and other functions.

Cyber threats are unique among traditional threats in that the speed at which the organisation must respond leaves a very limited window in which to either fail or succeed. Preparation is key.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Stories by Puneet Kukreja
