Who’s leading your organisation’s fight against security risk?
Many of you might point to your Chief Information Security Officer (CISO), whilst some might point to their Head of IT – if so, you need to call me immediately! For many organisations the person tasked with overall responsibility for leading the charge (also known as the-most-senior-person-this-usually-gets-dumped-on) is the Chief Financial Officer. That is why an article on cybersecurity by someone with extensive experience of executive leadership, and a deep understanding of cyber gained from having led two of the most significant cyber security brands in history, provides significant insight into the challenges that boards face and pivotal guidance on stewardship and the board’s responsibilities around cyber risk.
In an article carried by AmericanSecurityToday.com, Fortinet’s blog, as well as other news outlets, Drew Del Matto (CFO at Fortinet) writes about how today’s CFO and board, as stewards of their organisation, ‘have a responsibility to their customers, their intellectual property, and their shareholders to ensure the safety and security of their data and systems’.
Security should be a central pillar
Drawing upon recent examples of security breaches experienced by large organisations to illustrate the potential for disaster, Drew points towards better forward planning as key to mitigating the trauma of a disaster, and to executive leadership in cybersecurity as central to this. “Stewardship is about the protection of company assets, like data, meaning that security should be a central pillar of that stewardship,” said Drew.
Cybercrime is now recognised at board-level and by the C-suite as a highly targeted and incredibly sophisticated ‘services for hire’ industry. This has partly been brought about by the escalating number of well-known brands hitting the headlines for suffering breaches in recent years. From Target to TalkTalk, the media attention and the consequent brand damage that security breaches cause are pushing companies to act.
With directors losing their jobs as a result of security breaches, the fallout for improperly managing corporate cyber risks has gripped the boardroom. Shareholders have filed derivative suits with varying degrees of success whilst regulators have made clear that they can and will enforce laws that punish companies, and their top management, for failing to adequately protect against cyber risks.
Fully tested and operationally ready
Established to support and guide boards and senior executive leaders, CyberPlus (an Infosec Partners Group enterprise) provides boards with confidential services aimed at evaluating the integrity of their organisations’ Cyber Strategy; enabling boards to cut through the jargon making it easier to understand, translate and align the challenges and opportunities of Cyber Security with their ongoing oversight responsibilities.
Speaking after delivering a keynote at this year’s 361° Security Forum by Fortinet in Monaco, CyberPlus’ Chris Parker MBE highlighted that “the audience were generous and receptive to my address on Risk & Crisis Management. What was interesting afterwards was seeing the interest in one aspect of our new 4D Security package: operational cyber rehearsals.”
CyberPlus’ 4D Security ensures organisation, staff and system readiness for incidents when they happen. Through his previous executive leadership roles in the corporate sector, as well as his unique experiences as a Lieutenant Colonel in the British Army, Chris understands more than most the importance of security plans and systems being fully tested and made operationally ready against real threats and complex attacks. “Common themes include why basic data security does not become top class security,” Chris said. “We often hear cries of ‘not enough time’ and ‘we are just too busy to get staff to focus on cyber even if it is important’. So it was encouraging to have so many of the audience thank me for demonstrating how only <0.5% of the working year invested in our 4D enhancement may well ensure business, reputational and security protection for the years ahead.”
We Can Never Eliminate Risk
With the future of their organisations on their shoulders, as well as the risk to brands, jobs and share prices that cyber risk adds, CFOs and boards have a heavy burden to bear. Unfortunately the security industry, including vendors and the channel, can often add to the problem. The dearth of available security expertise is frequently exploited by vendors purporting to have a magic-bullet solution that will suddenly turn IT administrators into security gurus, when the truth is that the typical vendor provides only one or two of the pieces needed to complete the cyber security jigsaw.
The difficulty and cost of recruiting, or suitably skilling up, their internal IT departments to provide the cybersecurity expertise they need has led many organisations to look outside. Unfortunately some only look towards the lowest-priced ‘management services’ that their reseller or outsourced IT services provider offers to go with the next generation firewall they are sold. When providing security auditing and assessments for new clients, we have seen many instances of corners being cut in managed security provision. From poor configuration (usually a vanilla configuration not aligned with the company’s needs, or with features incorrectly configured or not used at all), to insufficient integration with security appliances from other vendors, we often see ‘managed security services’ offered by providers that have little idea of the overall cyber risk the company faces, or any suitable plan to mitigate it.
“There are more than a few naysayers who claim that the cost of adequate security is more than the cost of recovering from a breach,” Drew continues. “This is not, however, a sustainable or responsible approach. Breaches will become more frequent, attacks will become more persistent and sophisticated, and the costs of reacting to these breaches will continue to increase.”
Information and cyber security are fundamentally risk management functions, which is why it is critical to first establish a thorough understanding of the risks facing an organisation. By outsourcing their IT or cyber security, say to a managed security services provider, boards cannot simply shirk their responsibility for thorough risk management; it is to them that regulators, investors and shareholders will look first in the event of a breach. Some investment is required, yes, but the alternative is much more costly.
With the low cost for cyber criminals to generate a data breach, the difficulty in locating and prosecuting them, and the lucrative reward of a successful breach, it’s safe to say there will always be attacks and attempts at data theft. Risk is inherent in everything we do, and whilst no organisation, whether government or large enterprise, has unlimited funds to spend on eliminating it entirely, risk certainly can be managed.
Perspective, skills, knowledge
Drew points out that “when it comes to security, the traditional stewards of the organization are not always equipped with the necessary perspective, skills, or knowledge.”
It’s important that your approach to cyber security is full spectrum. Look for a partner that can provide strategic guidance and support at board level, whilst also having the expertise to work in tandem with your internal teams on prevention and protection, as well as on incident response and preparedness in the event of a crisis. Management of cyber risk can be a heavy burden to bear for CFOs and boards, but choosing the right security partners will ensure that you have the central pillar you need to support your organisation and withstand threats for years to come.
For more about CyberPlus’ 4D protection and Infosec Partners’ full spectrum security including effective managed security services, please complete the adjacent form or contact us today on +44 (0)1256 893662.