Cybersecurity Awareness Month: Expert Tips for CISOs to Level Up Security



17 October 2024

October is Cybersecurity Awareness Month, which provides a time for us and all organisations to examine current security practices. Monica Landen, Chief Information Security Officer at Diligent, shares a few considerations for cybersecurity in your organisation.

As cyber threats continue to evolve, it is crucial for organisations to strengthen their cyber programs and ensure that the board of directors is well-informed about the state of their cybersecurity posture.

Whether you’re a new or small company that wants to grow quickly or a global enterprise with a solid cybersecurity program in place, no organisation is immune to cyberattacks. One of the key responsibilities of leaders and the board is to stay updated on the latest trends and threats in the cyber landscape. This includes understanding the potential impact of cyberattacks on the organisation’s overall operations, not to mention its financial stability and reputation.

Here are a few considerations.

Focus On The Basics And Foundational Practices

It’s easy to get distracted by the latest shiny technology that promises to solve all problems. In reality, foundational practices significantly reduce cyber risk.

Keeping software up to date, implementing multifactor authentication and maintaining strong password policies make it harder for cybercriminals to gain access to sensitive information. To bolster security, routinely educate employees on best practices for identifying and resisting social engineering and emerging threats, such as deepfakes. AI empowers attackers to continuously refine and expedite their methods, making employee training a critical and ongoing necessity.

By neglecting these fundamental practices, organisations leave themselves vulnerable to otherwise preventable attacks. This can’t be a one-and-done exercise; cyber threats are always evolving. Regularly reviewing and strengthening these basic practices is important for maintaining a solid defence.

Consider Your Talent Needs

Does your organisation have the right talent to do the minimum baseline of security practices? Globally, there is a shortage of cybersecurity talent to address current challenges. According to a recent White House article, there are half a million open cybersecurity jobs in the U.S. alone.

The CISO has had to evolve from a technical controls expert into a business-centric leader who can effectively communicate risk management and business impact to executives and the board.

And cybersecurity expertise needs to extend to the board itself. Only a board well-versed in today’s threats is equipped to set an appropriate risk appetite, align cybersecurity to strategic initiatives and fully understand and challenge what their CISO and risk officers tell them.

Assess your current talent pool, both within your organisation and on your board, and identify any gaps in cybersecurity knowledge and skills. Consider investing in training and development programs, like the one offered by Diligent Institute, to improve the cybersecurity literacy of your leaders and board members. This will help protect your organisation and demonstrate a commitment to cybersecurity to your stakeholders. You may also find you need to partner with external resources, such as cybersecurity firms or consultants, to supplement your talent.


Create Better Alignment Between the Board and CISO

Even with upskilling, most boards are not composed of cybersecurity experts, so CISOs must avoid technical jargon and focus on the business impact when conveying information.

“It’s difficult for even the most seasoned cyber practitioners to understand it all, so it’s going to be hard for the board to understand it,” said Derek Vadala, Chief Risk Officer at BitSight Technologies, at Diligent’s recent user conference.

Board members are most interested in how cybersecurity risks can directly affect the organisation’s goals and day-to-day operations. Ultimately, they want a clear answer to the question: “How secure are we?”

One effective way to communicate this is by quantifying the risks. By tying outcomes to numbers, the board can better understand the potential consequences and prioritise areas for improvement. Additionally, reporting on other key performance indicators (KPIs) or metrics, such as the number of incidents, response times, and compliance rates, can provide a clear picture of your organisation’s cybersecurity posture.

“People tend to go into the boardroom with metrics and stats and elaborate slides about what’s going on in the organisation. And I think you have to really synthesise that into the mindset of the board and the context of risk management,” Vadala said. “The board really wants to understand, ‘What should they be worried about? What are you doing about it? How are we doing in that program?’ It’s hard to get to that conversation, which is key to establishing trust because we start with bringing a lot of data and not showing what to focus on. There tends to be a crush of data before establishing guardrails about what to be worried about.”

Build Your Resiliency

A lot of effort is put into responsible preparedness, bringing the right people into the conversation, and having the right metrics to track. What is often not at the forefront is what happens after an attack. A crisis plan — one that has been rehearsed before it’s activated — is a must-have.

Consider holding tabletop or simulation exercises to ensure you are prepared and know how the organisation will respond. The exercise may include defining who does what during an incident, from leadership to IT to communications. Assign specific roles such as incident commander, communications lead, and technical lead. Don’t be afraid to uncover gaps, discuss areas of improvement and rerun the exercise as necessary.

Security Is Everyone’s Job

It’s important to create a security culture and for the board and executive leadership to lead by example. This means not only knowing the risks and possible effects but also demonstrating a commitment to cybersecurity by actively participating in and supporting cybersecurity projects. By setting a tone of prioritisation and accountability from the top, leadership ensures the rest of the organisation follows suit.

An easy win is having a forum to talk about cybersecurity awareness. While October is a great month to do this, it’s essential that you prioritise this conversation all year round. This also includes regular training and awareness programs for employees at all levels, as they are often the first line of defence against cyber threats.

While October champions the critical work done by cybersecurity professionals and cyber-literate organisations everywhere, remember that cybersecurity should be a focus not just this month but all year long.
