TOP TO BOTTOM ASSURANCE
Darren Argyle
Author | Fortune 500 Strategic Cybersecurity Advisor CEOs & Boards | Co-Founder and Board Chairman
Taken from the original article by SC Magazine, Karen Epper Hoffman, June 01, 2016
https://www.scmagazine.com/top-to-bottom-assurance/article/495976/
A company usually takes its cues from leaders at the top: What the top executives emphasize will become the organization's imperatives, and what they ignore will typically fall by the wayside.
It is the same with IT security. If corporate leadership is not embracing and underscoring the need to follow the rules of good cybersecurity – or almost as bad, if they promote them for everyone else but don't follow those guidelines themselves – the results can be devastating.
“Leading by example comes from the very top,” says Darren Argyle, CISO and managing director for Markit, a financial services and information company based in London. Hence, Argyle says that at the very start of Markit's security awareness campaign, his team recorded a video of the CEO informing all employees that he takes security seriously and that it is everyone's responsibility.
Argyle believes a good plan for managing such concerns and potential risks is to first “acknowledge that cyber attacks are inevitable.” He adds that preparation for such events is really the best way to manage the fallout, no matter what the executives are permitted to do.
“The attention of the board and executives will quickly turn to being ready to react when the time comes,” Argyle says. “Boardroom tabletop and cyber attack simulation exercises give some perspective and appreciation of the potential impact.”
Because top executives are the most targeted employees in the company, he says they require special attention when it comes to security. Agree with them about what the crown jewels are and give them a clear understanding of the risk, Argyle says. “Then provide the appropriate security tools and deliver regular tailored education.”
In Argyle's experience, the only way to ensure senior executives follow good practices and company policy is to have them directly involved in the cultural change of the organization.
He underscores the importance for an organization to assess and understand its digital footprint and develop a “risk score.” Then, he says, the CISO and their team should follow up with regular ongoing monitoring to show trending in the risk profile and take course correction where it is needed. “Follow-on awareness and education should not stop with employees,” Argyle says. This focus, he explains, needs to be tailored to those at most risk: the board and the executive teams.
Board speak: Five principles
The National Association of Corporate Directors, in conjunction with the American International Group and the Internet Security Alliance, published a report outlining the five principles that corporate boards should consider “as they seek to enhance their oversight of cyber risks.” The five principles are:
- Directors need to approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.
- Directors should understand the legal implications of cyber risks as they relate to their company's specific circumstances.
- Boards should have access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the agenda.
- Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget.
- Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate or transfer through insurance, as well as specific plans associated with each approach.