Cyber Impacts ‘All Other Risks In The Org.’: Importance Of Communication
Experts Discuss Comm., Beginning With The Board
It is clear that as cyber security controls strengthen, and teams focus on their respective “postures,” security principles will begin to be ingrained in the wider business model. In fact, they have to.
Yet reaching that mark seems like a climb. So, how has strategic communication around information security fared of late? Today, we investigate.
As we’ve mentioned here at the Cyber Security Hub, communicating cyber principles both “upward” and “outward” is now a critical business function. This comes as municipal (and large city) governments combat ransomware, malware strains propagate and hackers automate their intended attacks. The working assumption is now that a breach can and will occur, rather than denying the inevitable. But does the board know the crucial figures on cyber posture? Does the employee base know about CISO efforts to combat phishing and limit privileges where necessary?
Various enterprises are taking strides toward the latter, but there is a long way to go. Privileged accounts and sophisticated phishing scams remain top concerns for today’s enterprise, be it small/midsize (SMB) or large. Time- and resource-constrained CISOs must allocate their time accordingly – fortifying network defense while also communicating technical information and ensuring employees are not glaring weak spots.
As we move through 2018, and push toward 2019, it seems this topic will continue to dominate the cyber space. Regardless of industry – banking, financial services and insurance (BFSI), healthcare, retail, government, etc. – the security teams need to press cyber principles, instilling best practices for everyone in the chain, from vendors, to partners, to other third parties, to employees and upper management.
To get their take on the state of this indispensable and strategic communication, we spoke with John Chambers, President, JCC Executive Partners, and Shelley Westman, Ernst & Young’s (EY) Southeast Region Cyber Security Leader.
A Cyber Standard
Chambers told the Cyber Security Hub that, “Considering the zeitgeist in politics, in industry and in academia, it would be difficult to find any executives or boards who aren’t on ‘cyber risk, full alert’ today. But for many of them, it’s not their expertise. They want to know more, but are still presented with technical solutions and engineering jargon instead of structured, business-oriented understanding.”
Chambers added that classical cyber-risk layers (network, endpoints, apps, data, cloud and awareness) can be understood easily if they are illustrated and contextualized according to environment. That means relevant professionals will understand these domains and risks from a business-process perspective.
“These folks are smart leaders, so don’t hesitate to orient them around some basic architectural principles,” he added. “But orient this understanding to the inner and extra workings of the corporate environment – suppliers, customers, shareholders.”
The JCC Executive Partners president suggested that if security practitioners expect investment in cyber-risk defense, then they must be prepared to contextualize that threat and communicate it through the aforementioned business-process lens.
“Cyber risk impacts all other risks in the corporation – reputation, financial, supplier, customer, operational,” he said. “A standing cyber risk review should be mandated for the board quarterly, and with the executive staff on at least a bi-monthly basis.”
In the case of a breach, it’s important to demonstrate that the C-Suite has been actively focused on resilience, foresight and collaboration. He said numerous parties – from customers, to shareholders to the board – will be expecting it.
Westman spoke about the paramount importance of an informed board.
“Open communication between the two groups is very valuable. Boards can no longer afford to leave cyber security to the technical functions,” she said. “Management and the board should work together to identify what risks to avoid, accept and mitigate or transfer through insurance.”
The EY cyber expert called risk management a “primary responsibility” of the cyber operations team. Meanwhile, the board must focus its attention on risk oversight.
Will that dialogue continue, or improve, in the short term?
“Boards are having more proactive conversations about their cyber security risks and plans of action,” Westman urged. “Although many directors recognize they have responsibility for cyber security risk oversight, some feel unsure about what they should be doing and how well they are doing it. In the future, directors will need to gain more education on cyber and may look to restructure their committees and develop new charters to adequately oversee cyber security risk management.”
The outlook is positive for cyber communication, especially as the data-breach threat lingers – potentially crippling revenue and disrupting operations. As long as the potential for extreme consequences exists, cyber security efforts will continue to ramp up. To sustain that, CISOs and cyber teams must further this dialogue. It starts with upper management, but certainly finds its way to all lines of business. (Various initiatives will emerge from there, with some departments contributing valuable insight on their own cyber hygiene.)