Why Boards Should Focus on Building Up Cyber Defenses & Cyberattack Responses
Nicholas Joseph Price
Early and growth stage data-driven marketing leader helping businesses achieve revenue goals
The rising star of the corporate world is the chief information security officer (CISO), who is quickly becoming one of the most notable executives in the corporate world. The CISO and their IT departments work diligently to prevent, identify and respond to malware attacks and invasive viruses. Often, they are blocking or enabling multiple threats at the same time. Thus, they need to be on constant alert for small changes in system or user behavior that could indicate the onset of a cyber threat.
In light of the recent rash of corporate cyber breaches, board directors are looking to CISOs to bolster their prevention efforts so board directors won’t have to face the heat of the media if a hacker breaks through their security efforts. Meanwhile, IT experts are trying to convince board directors that it’s impossible to bulletproof any system and that directors and managers need to be better prepared for remediation and response.
The Bar Is Set High for Cybersecurity Experts
The reports of corporate cyber breaches are coming more frequently and with larger consequences. The number of attacks is increasing, and the number of people being victimized is going up. Cloud storage hasn’t been hit as hard by cyber breaches as other systems, but it is not exempt from problems either. None of these issues are a reflection of poor cybersecurity measures. Cybersecurity experts are facing increasing challenges in trying to protect their corporation’s data.
Attempting to lock out malware attacks and stop them in their tracks takes more time than there is in a day, and more IT professionals than corporations can afford.
One challenge is that corporations are routinely using remote workers or allowing employees to work remotely. This means that employees are using multiple electronic devices at multiple geographical locations. Cybersecurity professionals have to keep track of all of them and make sure those systems, and others they connect to, remain free of attacks.
If that’s not difficult enough on its face, hackers are using increasingly sophisticated methods of extracting sensitive information from corporations’ systems. IT continually monitors their methods to keep ahead of the game.
In addition to protecting systems, cybersecurity experts need to educate and inform board directors about the best strategies for protecting networks. The biggest disconnect between board directors and IT departments is how to prioritize cybersecurity efforts.
Board directors have given so much priority to prevention that they haven’t focused heavily enough on remediation and response, leaving those issues for cybersecurity experts to control. About 78% of IT experts are focusing on prevention rather than on post-attack response.
Linking Board Expectations with IT Responsibilities
In many boardrooms, communication with the CISO is lacking. As a result, board directors are focusing their discussions more on cybersecurity prevention strategies while IT experts favor an approach that gives equal weight to threat prevention and response. Boards often expect IT experts to handle the details of the response to a breach, leaving IT experts left holding the bag.
Board directors need a better understanding of how cybersecurity experts operate because cybersecurity isn’t a one-size-fits-all issue. Corporations need a customized approach. Communication between board directors and IT departments could help board directors find a better balance when setting priorities for defense, detection and response.
In light of recent, major cyber breaches like the 2017 Equifax breach that affected 143 million consumers, boards are starting to allocate more funds to cybersecurity.
Prioritizing Cybersecurity Interventions Begins with Board Director Education
Board directors need to know that cybersecurity experts are doing their best, and that they’re learning new strategies all the time. While that’s true in most cases, there isn’t a cybersecurity system anywhere that is completely foolproof.
IT experts are increasingly using artificial intelligence to machine monitor and respond to behavior. Their hope is to be able to predict potential attacks before they happen.
In a presentation at the Gartner Security & Risk Management Summit in 2017, Research Vice President Earl Perkins told attendees that they couldn’t expect IT to fix everything or to make assets fully secure. In addition, they can’t know for certain how secure systems are or how secure their partners are.
For these reasons, experts are encouraging board directors to give response and remediation efforts the same priority as prevention efforts.
Cybersecurity departments want board directors to understand how they use simulations, scans and penetration tests as practice for a potential breach. They also want board directors to be aware of security measures that ensure network segmentation and desktop security. From a threat-detection perspective, IT departments need an adequate budget to ensure 24/7 crisis processes, central monitoring and logging of security incidents, and clear procedures for incident follow-up. To bring cybersecurity measures full circle, cybersecurity personnel will need the budget and staffing ability for post-attack activities such as using forensic analysis skills and deactivating or discontinuing active threats. To that end, they need board director help and cooperation.
Board members should require regular meetings of multiple departments to establish plans for response and remediation after a post-attack response. At a minimum, meetings should involve finance, internal audit and compliance, human resources, IT, risk management and legal teams.
IT Is a Fast-paced Industry
Trends in the IT industry are moving at such a fast pace that the industry currently enjoys a zero unemployment rate. Corporations will be generating more data than ever before, which will require IT personnel to be smart, intuitive and adaptive. Developments in implementing artificial intelligence are making that a highly skilled area of expertise.
The industry is likely to see a stronger conjoining between development, operations and security as they relate to business objectives, moving toward the future.
Moving Toward a Balanced Approach to Cybersecurity
IT departments already know that corporations will be best served by making a shift to balancing the scales between prevention and response. Boards will need to move more quickly from having discussions in the boardroom about cybersecurity to providing the funding and infrastructure for their cybersecurity departments to protect their data and their reputation from the front to the back end. The best way to move forward on that is to have a willingness to listen and understand more about the activities of cybersecurity staff and to heed their recommendations. Finally, board directors would do well to see cybersecurity systems as long-term ventures that require regular education and advancement in the industry, rather than hit-or-miss, random monitoring or managing post-attack debacles.