Today’s cybersecurity landscape goes well beyond the realm of IT and instead requires the devoted attention of the C-suite and boardroom, since they are responsible for driving the risk profile of their organization. This change in approach to who owns security also includes more than simply implementing technology each time a new issue arises. Remaining in that outdated mindset will leave an organization’s critical assets at risk, as well as hinder its ability to quickly recover from a breach – bottom-line outcomes that no business desires.
Managing risk by making the business case for cybersecurity was the topic of a panel discussion at the recent Cybersecurity Conference in Nashville, hosted by the Tennessee Chamber of Commerce & Industry, in partnership with the U.S. Chamber of Commerce. The panel offered five critical reasons that cybersecurity should be viewed and addressed as an enterprise risk and business issue.
Top-Level Responsibility Now a Requirement. Ensuring that senior executives and board members understand the costs associated with a breach is essential to productive risk management, as is being able to communicate the resources required for effective security. But rather than leaving security and risk management to staff members, the C-suite and boardroom – those responsible for the well-being of their organization – must understand that today, “cybersecurity is a leadership issue,” says Chris Furlow, President of Ridge Global. Choosing to leave risk mitigation and post-incident recovery to the IT department or to risk managers means choosing to leave your organization vulnerable to attack from gaps not understood and filled. Plus, there is the threat of reputation, customer, and revenue loss. If that isn’t enough to compel attention, numerous regulators have issued guidance requiring board and executive sign-off on cyber risk strategies. Cybersecurity must be treated as an organization-wide issue – with its leaders heading the charge – instead of as merely a departmental concern, says Furlow.
Cyber Expertise in Leadership Group Informs Decisions. The fast-changing world of cybersecurity is a complicated one, especially for those without a background or experience in the industry. An organization’s senior executives need to understand exactly what it is they are making vital decisions about, hence the need for a cyber “expert” to sit on the board, according to Mark Fulford, a Shareholder of LBMC Information Security. He suggests that having an individual who can educate fellow board members doesn’t necessarily require bringing in someone new with existing knowledge of cybersecurity. Fulford points out there are numerous certifications and training opportunities on cyber-related topics that are available to board members.
Legal Guidance Most Valuable Up Front. Your organization may not have been breached, but that doesn’t mean you don’t need legal guidance on cybersecurity issues. Not only are laws and regulations constantly evolving and difficult to keep up with, but “negotiating attorney client privilege in response to an event is too late,” says Alisa L. Chestler, a Shareholder at Baker Donelson. It is crucial to minimize the amount of time that passes after a breach prior to recovery, and any time that is spent discussing the working relationship between your organization and a law firm is precious time wasted. Determining this in advance will help limit potential damage caused by an attack, notes Chestler.
Third-Party Risk Affects Bottom Line. As the digital ecosystem of an organization grows, so do the associated cyber risks. You cannot assume the vendors or companies you have a third-party relationship with have top-notch security in place. “Ensure that at a minimum your suppliers are meeting the same standards as your own,” suggests Natalie Lehr, Co-Founder and Vice President of Analytics at Secure Halo. “Hackers often look for the path of least resistance, and shoring up vulnerabilities within your supply chain will help prevent easy access to your network.” She recommends companies begin by assessing the resources third parties have in place. “If they aren’t designed for prevention and to accelerate the recovery process, then they are putting your organization at risk and are wasting money.” Also, ensure third parties have strategies and tools to prevent a breach, to notify those affected if a breach does occur, to correct and recover, and to maintain business continuity. This balanced approach is superior to a single focus on data security.
Focus on Resilience Pays Off. Organizations should determine how resilient they are in advance of a breach so they aren’t left flat-footed after the fact, says Cindy Donaldson, President of the Global Resilience Federation. They should begin by asking how they can prevent an attack, how they can withstand it, and how to respond. Part of this process includes understanding what your specific risks and threats are and from there, making a business decision on what actions your organization is comfortable taking. Performing simulated threat exercises is an intelligent way to road-test strategies and give leadership and management teams experience that will speed recovery in a real crisis. Donaldson also recommends sharing threat information with other organizations, despite the initial desire to keep it private, which can help prevent known risks and provide valuable intel.
Like any risks to the business, cybersecurity threats have a bottom line impact. Leaving security to the IT department and attempting to solve cyber issues with only technology doesn’t cover the myriad ways that cyber risks enter the business, such as through insider threats and third-party relationships. An engaged, proactive, and informed board and C-suite with a clear understanding of both their role and the organization’s security roadmap is necessary to mitigate risk and combat today’s cyber threats.
See this and related cybersecurity articles originally published on the US Chamber of Commerce “Above the Fold” blog.