"Boards are demanding more oversight of cybersecurity," says EY, a consultancy, in a report on how boards can help the companies they govern be better prepared to prevent cyber attacks. After surveying "411 CEOs, chief information officers (CIOs) and other cybersecurity decision-makers about their companies' use of information security solutions," the report reveals "that simple actions taken now can reap substantial rewards later." The report adds that "[t]hese lessons," which are outlined below, "have emerged from those who have experienced major breaches."
- Focus on "zero trust." "Zero trust security is not a single technology, but a holistic approach to security, incorporating different cyber principles across people, process and technology. The basis of the concept is the assumption that there are threat actors within and outside of organizations, so no users or machines should be trusted. All users and devices (both inside and outside of the organization) are authenticated, authorized and continuously validated for security configurations and context before accessing applications and data."
- Educate and involve your board now. "Not surprisingly, boards of directors are increasingly interested in preventing data breaches and determining how to prioritize cybersecurity needs. Executives that have experienced a data breach say the experience has taught them to involve many more stakeholders in cybersecurity decisions, including boards. Companies should proactively create a board-level executive dashboard, while simultaneously briefing the board about cybersecurity issues at least once per year."
- Reinforce the role of the CISO as a strategic partner to the business. "During the pandemic, every organization had to adapt to a new way of working. However, the speed of change came with a price. Seventy-five percent of companies saw increases in the number of disruptive attacks during the pandemic. In this sense, many companies were forced to adapt to a different cyber risk profile just like an organization has to do after experiencing a breach. CISOs had and still have an opportunity to reinforce their value proposition with the business. With the onset of the pandemic, 55% of cybersecurity leaders believed this gave them an opportunity to position themselves as strategic partners to the business. Dave Burg, EY Americas Cybersecurity Leader, noted that 'I know of many security officers who were viewed as superstars, and we want those superstars to be brought to the front of innovation.'"
- Assess usage of managed security service providers. "Keeping up with the latest security technologies and evaluating threats are the most challenging pain points for today's CISOs. Companies that have recently experienced a breach are more likely to outsource cybersecurity responsibilities after the breach. By starting the time-consuming process of reviewing outsourcing options and vendor capabilities prior to a breach, companies can develop the best security architecture and posture."
- Spend now, save later. "According to the survey, companies that have recently experienced a breach expect to spend more across all security domains, with vulnerability assessments and access controls expected to see the largest budget increases. To protect themselves from today's sophisticated attacks, companies must bolster their cybersecurity capabilities or outsource them to external vendors. Many executives make decisions to bolster capabilities to not only prevent attacks, but also to mitigate the damage and shorten the recovery time."
The report importantly notes that "In today's environment, corporate boards are increasingly held accountable for cybersecurity and resiliency. Boards may want to focus on the governance of their enterprise-wide cyber programs, while the highly technical CISO focuses on the risk management aspects." Moreover, "To help facilitate productive discussions, EY US has developed the following key questions about effective cybersecurity oversight that boards can refer to during an intrusion."
1. Was the organization affected by this intrusion?
- If yes, how is the organization mitigating and responding to the vulnerabilities identified?
- If not, what proactive measures were deployed to prevent a similar intrusion?
- Which areas of the network, including data assets, were compromised?
- What is the total risk exposure, including financial, regulatory, reputational and operational impacts?
- Has an independent third party assessed the network to analyze the extent of the impact?
3. How effective was the response plan?
- What gaps were identified in the investigation, containment, eradication and recovery processes?
- Does the company have appropriate insurance coverage? Has the insurance provider been engaged?
- What lessons were learned?
4. Are third-party and supplier ecosystems secure?
- Have any of the company’s third parties and fourth parties been compromised?
- Do any of those parties have access to the network?
5. Is the company focused on preventing and responding to future compromises?
- What is the efficacy of the company’s current cyber risk management efforts? Should the company’s risk appetite be re-evaluated?
- How does the company become more resilient to future incidents?
- Where should the next cybersecurity dollars be invested based on the evolving threat landscape?
- Has the company built cyber diligence into its acquisition and integration plans?
Based on regular discussions I have with cybersecurity professionals about how their role of keeping their organization's IT systems secure is an arduous battle that goes on each and every day throughout the year, I appreciate the report's conclusion:
Unlike many corporate functions, cybersecurity departments don't have an off season or a period of reduced activity and demand. For cybersecurity professionals, every day is a race against time and resources, and a balance of competing priorities. Corporate cybersecurity executives are faced with a choice — take simple steps now to lessen the impact of future breaches or continue operating in a reactive mode and responding to daily demands and possibly facing the fallout from inevitable breaches.
As an article by The Economist points out: "Corporate boards need to have a stronger grasp of the threat levels. As one former cyber-spook says, they need not just gender and racial diversity but technological diversity, too, in order to grill the company's techies on cyber-defenses. Furthermore, they need to recognize cyber-war as one of the growing number of geopolitical risks that firms face."
Do you agree with the findings of EY's survey? What questions should boards ask to guide cybersecurity preparedness?