Know Your Systems: Cyber Security Tips For Board-Level Execs
A recent report from the Center for Audit Quality (affiliated with the American Institute of CPAs) offers practical cyber security tips for those at the board level.
As many enterprises now know – or are certainly learning – cyber security practices and protocols affect the entire corporate chain. More and more CISOs are getting “a seat at the (executive) table,” and both board members and the employee base must be familiar with risk management principles, as well as trending news as it affects IT infrastructure.
However, cyber security has traditionally been siloed to the IT units, far from the “jurisdiction” of upper management or the board. But in the age of the mega-breach, can that gap be narrowed? It’s a necessity in an era when threat actors (through many vectors) can tamper with highly sensitive or financial information.
In the report entitled “Cyber Security Risk Management Oversight: A Tool for Board Members,” the Center for Audit Quality groups four key areas for board-level cyber security/oversight.
These points include: “Understanding how the financial statement auditor considers cyber security risk; understanding the role of management and responsibilities of the financial statement auditor related to cyber security disclosures; understanding management’s approach to cyber security risk management; and understanding how…firms can assist boards of directors in their oversight of cyber security risk management.”
Chief among those tips is risk management – ever important when a nation-state actor or black hat can funnel a malware strain into a computer system that, once entrenched, can demand untold quantities of cryptocurrency for encryption keys.
With that in mind, the Cyber Security Hub also offers the following (overarching) tips for board members whose attention has increasingly turned toward all things "cyber."
- Ensure that the business communicates its threat protection protocols across departments
- To that point, CISOs, CIOs, C-Suite members, etc. should be familiar with the organization’s security posture – to see where improvements can be made or vulnerabilities can be eliminated
- Board members should have a detailed, agreed-upon business continuity plan in place
- In the event of a cyber-attack, reliance on this BC Plan can ensure the continued function of the business
- The BC Plan should pay close attention to the various risks present on the current network – along with ways to shore up defenses and mitigate those risks
- Budgetary components of cyber should be both comprehensive and fluid
- Should a cyber-incident unfold, the C-Suite, and board, should be familiar with financial steps to remediate
- Incorporated within the BC Plan could be the cyber security incident response plan (CSIRP)
- C-Suite members, along with the board, should explore/pursue/define cyber insurance policies
- The BC Plan can include crisis management tips (including public relations and brand management)
- To the larger point of “business culture,” it should be understood that cyber security is not stagnant; there is constant movement and activity, much of which requires oversight and tracking on behalf of the CISO and security team. Because of the importance of cyber security in today’s business landscape, the board should also be familiar with how the security unit operates
- In a recent episode of “Task Force 7 Radio,” hosted by information security executive George Rettas, distinguished guest Gary McGraw, the Vice President of Security Technology for Synopsys, outlined the four “CISO tribes.” They ranged from Security as a Cost Center (Tribe Four), which involves poor security posture, to Business Enablers (Tribe One), which means the business is far past compliance and security is baked into various operations.
- To that point, board members should understand the maturity of their security operation, and advocate change as needed
Stay tuned to the Cyber Security Hub for additional “Best Practices.” Also, be sure to check out this month’s Market Report, which tackles Identity and Access Management (IAM) at the enterprise level, and offers “Best Practices” and projections for the road ahead!