Cybersecurity coverage is a critical concern for every modern business. Whether you're a growing company or an established multinational business, your IT infrastructure needs to be secured against a growing range of threats.
An effective cybersecurity program needs to be both robust and capable of change. All possible threats and risk tolerance levels must be clearly defined and managed from the outset. Active participation by all stakeholders is required to ensure the best possible outcomes.
From setting the direction of the program to making operational decisions and providing oversight, the board of directors and all C-suite executives need to understand, engage with, and take ownership of the program.
Let's look at eight big questions you need to answer to give your board full confidence in your cybersecurity coverage.
1) What attributes define a complete cybersecurity strategy?
A comprehensive cybersecurity program needs to protect relevant corporate information and systems, both now and in the future. Cybersecurity is all about managing cyber risk. To properly manage cyber risk, it is critical to have a basic understanding of the key components of a comprehensive and mature cybersecurity program. By comprehensive and mature we mean broad and deep. Broad – including all of the key components, and deep – ensuring that each key component is addressed to the degree that mitigates the cyber risk to the level that is acceptable to the Board and C-Suite.
Before you can protect the data that defines your organization, it's important to evaluate your current systems based on their structural integrity and ability to adapt.
- Maturity and consistency - Maturity is based on consistency over an extended period. This doesn't happen by accident, with effective security solutions adapted carefully to meet the specific needs of an organization. Your security architecture needs to be defined, your documentation needs to be thorough, and your working practices need to align with your security goals.
- Flexibility and agility - Modern computer systems are changing all the time, and effective security solutions need to adapt to the wider world. Agility and flexibility are critical as security breaches often take place immediately after an update. If maturity is defined by the structural integrity of your security framework, then agility is defined as your ability to respond effectively at any given moment.
2) Have we got adequate review and training initiatives?
Effective cybersecurity solutions demand continual reviews, updates, and training initiatives. Whether it's buying new computers, updating network protocols, or training staff, security risk assessment is an ongoing process that helps to identify risk and ensure compliance at every turn.
Your cybersecurity program needs to be reviewed periodically by an independent and objective third party to ensure the relevance of hardware tools, systems and services, and human beings. Updates are not enough in isolation, with alignment between hardware and software, and software and staff also needed.
Security risk assessments, ongoing testing, and awareness training are all required to mitigate risk and ensure safety. Employee training initiatives have a particularly vital role to play, with security breaches often the result of poorly trained staff or incomplete training methods that fail to align with technology updates.
3) How do we ensure compliance?
Compliance is a critical element of IT security. Regulations put in place across industry sectors help to define appropriate levels of risk and protect information. Whether it's the CSF framework defined by the NIST, the HITECH Act legislation for health providers, or the HIPAA legislation to promote data privacy and security, your organization needs to ensure compliance at every level.
Active participation by all stakeholders is an essential part of the compliance process as well. To meet your obligations, you need to be aware of them first. From there, you can put appropriate measures in place to ensure your security and operational coverage.
Compliance is about more than ticking boxes. It is an effective strategy and an essential part of your wider security stance.
Below are a few of the most important compliance standards:
- NIST and CSF - The National Institute of Standards and Technology (NIST) promotes a Cyber Security Framework (CSF) to help organizations better manage and reduce their cybersecurity risk. This framework is used to create consistent standards and guidelines across industry sectors. It is also used to augment specific industry regulations like HIPAA.
- HITECH and HIPAA - While HITECH and HIPAA are separate laws, they often reinforce each other and both apply to the health industry. The HITECH Act was created in 2009 to support the secure adoption of electronic health records, with HIPAA adopted in 1996 to protect the security and privacy of patient health data.
4) How do we establish an acceptable risk tolerance level?
While protecting your organization demands diligence at every turn, a no-compromise attitude is rarely effective. Zero risk is impossible as a realistic protection objective, with each organization needing to decide how much loss they can tolerate before a threshold of damage is breached.
Defining an appropriate level of acceptance or tolerance to risk is one of the most important discussions you can have. To quantify these risks, you must identify likely threats and their potential financial impacts. Security breaches can be significant because they influence both productivity losses and the cost of cleanup.
Before you can set up a robust and effective cybersecurity program, it's important to establish an acceptable risk tolerance level. What value are you trying to protect? And what price are you willing to pay to protect it properly? The NIST Risk Management Framework (RMF) is one important framework used to measure risk tolerance.
5) Are we aware of our existing vulnerabilities?
Professional vulnerability assessment is needed to measure risk and allocate resources effectively. To align the potential impact of each security incident with an acceptable level of risk, it's important to carry out a professional vulnerability assessment. By breaking down your current security infrastructure, you can find existing vulnerabilities and create solutions that protect your organization.
6) What is our incident response plan?
Incident response and management is an important part of every cybersecurity strategy. While proactive measures are critical, it's just as important to have a response plan in place if something does go wrong. A comprehensive cyber incident management plan involves dedicated recovery measures for specific breaches. This multi-pronged reactive process must begin immediately following an intrusion and be able to adapt to changing circumstances.
7) Have we thought of third-party risk management and insurance?
Cybersecurity is an essential part of every vendor relationship, with malware and other forms of malicious code often hidden in supply chain entry points. A vendor may include a cloud service provider, an IT consultant, a data processor, or even an accounting firm.
Vendor policy management and insurance need to be built into every relationship you have, with effective management programs helping to mitigate risk, and insurance providing protection if something does go wrong. You need to understand risk and ensure best practice at every turn and strengthen vendor indemnities by ensuring that all key risk categories are addressed.
Along with mechanisms for vulnerability assessment and incident response, it's also important to consider the contractual language and documentation used to define the vendor relationship. When it comes to insurance, you need to be protected against internal and vendor-based threats. It's important to mandate your company as an additional insured on all third-party insurance policies.
8) What is the roadmap towards comprehensive coverage?
Robust and effective cybersecurity demands resources and funding, with an ongoing review of your current security program a great place to start. There is a roadmap involved with achieving comprehensive coverage, from the initial security assessment through to ongoing testing procedures, incident response plans, equipment updates, and employee training.
While asking questions is a great place to start, proactive measures, professional solutions, and insurance are needed to ensure comprehensive coverage in the months and years ahead.
Effective security measures demand diligence and constant engagement. From your technology and software systems to the people who use them every day, safety and compliance demand your full attention.
Cybersecurity and compliance is a team initiative that demands engagement at every level. From the board and C-suite executives who make the decisions to the people who work with the technology, security is everyone's responsibility.