As we speak to executives in businesses that are now restarting, an area of concern that comes up frequently is information security as a result of remote working. With the majority of workers continuing to work from home on laptops and computers there are worries over increased vulnerability to cybersecurity attacks or a significant data breach.
It’s important that the executive team understands that security in an organisation is not about technology, policing or locking down systems or simply implementing the latest security software. A good Chief Information Security Officer (CISO) is concerned with risk and specifically materialising the risk appetite of the business through education, processes and the appropriate technology to best support it. Understanding these risks and the planning to mitigate against them is the responsibility of the whole executive team and not just the CISO and their cyber security team.
Conversations around cyber security can appear technical however at an executive level they needn’t be. Your CISO should be able to explain in simple terms what and why they are recommending what they have implemented already and what they are planning to implement in the future. Failing to have an appropriate understanding on this topic across the whole executive team can cause damage to the brand, revenue and reputation of the organisation and held up to the court of public opinion and referred to for years afterwards.
With that in mind we spoke to a number of leading CISOs about the questions the executive team should be asking of their in-house Cyber Security experts.
What should business leaders be concerned about regarding security at the moment?
- Do I know the key security risks affecting my organisation at present so that I can prioritise spend, effort and resources accordingly?
- Do I understand what our “crown jewels” are? Where are they? What would happen if they came under threat? Are they safe? How do I know they are safe?
Security by nature is an invisible process, and the only time organisations know that it is there, or not there is when something goes wrong. The issue is that when something goes wrong it is detrimental, highly visible and often past the point at which mitigation can have any real success.
The reality is that not every risk needs to be mitigated, but every risk should be identified, documented and managed. The executive team needs to work collaboratively to identify potential, actual and residual risks and to provide the ability to explain the impact on the business. Whether to mitigate, accept or manage risks is then a discussion around spend, resources and effort. This advantage of this process is that it also helps to identify and derive cost efficiencies.
Executives should aim “not to have a false sense of security but to be able to sleep soundly having knowledge of the organisation’s security position at any point in time.”
What are the biggest mistakes that business leaders make regarding security?
- Don’t regard security as a side arm of technology and make it the sole responsibility of the CIO/CTO.
- Don’t place security under the purview of the CIO/CTO as it reduces the effectiveness of the role and the ability of the CISO to understand and consider the risk not solely from an IT perspective but with an enterprise wide lens.
It is now considered old school thinking for security to be categorised as an arm of technology. Nor is it considered prudent to throw technological solutions at the problem of cybersecurity simply because the executive team aren’t confident in discussing it.
If the right place for security to sit is under the CIO or CTO, it begs the question why there is a continued upward trend in the number of security breaches globally if there are so many tech solutions available and being implemented.
CIOs already have a huge agenda delivering innovation, technology modernisations and the boarder tech strategy as well as trying to reduce cost AND create new products or services that will create revenue. There is a reason why building regs inspectors don’t erect buildings and gas and electricity inspectors don’t install gas and electricity. One body implements and the other body provides assurance.
There are further risks on the horizon as organisations begin bringing people back from furlough while looking at temporary cost reductions to survive. With security and technology budgets folded together there is a risk that investment in security will be reduced as part of broader cost cutting measures. Cyber criminals will be waiting for this to happen and there will be a greater chance of a serious breach happening.
What three questions should you be asking your CISO that you probably aren’t? And what answers should you be expecting to hear back?
1. Do we know where our assets are? Where our data is, who has access to it, and who is sharing it?
CISOs must provide assurance that asset management is being implemented to be able to quickly identify where the organisations most vulnerable assets are. Across the organisation, teams must be able to build and maintain their asset registers, identifying asset owners, and ensuring there are appropriate levels of security management for all data from its creation to its destruction. They should have started to implement classification and handling of information to ensure everyone understands what they need to do to protect it. They should also be agreeing a new data sharing policy, data security standards and controls, which can allow you to manage data security and to ensure that the organisation is able to meet its compliance and regulatory obligations. Finally, via an awareness and training program, they should be highlighting management of areas such as phishing attacks and sharing the outcomes and measurement to evidence the embedding of training into your ways of working.
2. What top security risks (top 5 risks) are currently over 4 weeks open and or pending? What is the biggest impact to the business at this time?
Some top risks will be the lack of asset management, patch management execution, low levels of supply chain risk management and incident response and management. Also there should be reporting on the assigning of appropriate risk owners (mostly likely an executive) for the mitigation of the risk.
3. How can we illustrate and or evidence confidence in our cyber defences?
Cyber security is most effective when supported by all pillars of security, namely information, technology, physical and personnel. Your organisation should have created a framework to provide proactive as opposed to reactive defences. The framework should bring together the best technologies in security incident event management (SIEM) and have brought on board strong analytical and incident response management capabilities. This coupled with security risk management activities and a strong focus on managing supply chain risk will heighten confidence in this area at this time.
As a member of the executive team, being able to ask these questions of your CISO helps generate the discussion needed to protect the business and ensure cyber security efforts are focused on the right areas. There will never be a utopian state of 100% security, however 100% best effort against these areas will provide high levels of security while ensuring that the CISO has the access they need to the executive team to be most effective in their role.