The benefits of AI are evident as growing cybersecurity risks and regulations put pressure on boards, CIOs, and CISOs to monitor the landscape and stay ahead of change.
What trends and risks are top of mind? What can organisations do to keep themselves cyber-ready?
Explore the benefits of AI in navigating the complex cyber landscape with insights from a recent webinar featuring Google Cloud CISO Phil Venables, Diligent board member Betsy Atkins, Mandiant CEO Kevin Mandia, and Diligent CEO Brian Stafford.
How boards can stay ahead of emerging risks and regulations with the benefits of AI
1. Give cyber risks and regulations dedicated attention at the committee level
The benefits of AI make cybersecurity a critical focus. Today, it’s too important to reserve for periodic board meetings. Similar to finance, compensation, and audit, it warrants committee attention throughout the year.
“Taking cyber and putting it in a dedicated location with focus is really important,” said Atkins. “If you look at the Fortune 500 companies, 12% have a tech committee now.”
If your board isn’t open to forming a new committee, solutions can be found in its existing structure. “Look at the governance committee,” Atkins advised. “The workload and the remit are light, and they have capacity.”
2. Strengthen your board’s cyber expertise
How well does your board understand cybersecurity standards like the NIST framework and the policies and procedures behind them? Are they conversant with and ready for the new SEC rule on cybersecurity disclosures?
“We can only expect a lot more scrutiny. So, it’s going to be important that you’re actually doing cyber briefings to the board and engaging in this,” Atkins said. “You need to have at least two cyber-certified board members.”
One way to strengthen your board’s expertise is by making IT and InfoSec leadership part of the board.
“As a board, you have to seriously take a look at and say, ‘Do I need to add a CIO or a CISO?’” Stafford said.
Whatever the case, Atkins explained, “When you get a core of people who really understand cyber, then they’re able to do better oversight, they’re better able to understand risks a little more in-depth.”
Likewise, Venables urged leaders not to be intimidated by the technological aspects of cybersecurity.
“Treat this as a first-class business risk, and do not get frightened by the technical complexities because we all deal with many other complex business risks,” he said.
Additionally, board members and executives looking to enhance their cybersecurity knowledge and skills can enrol in the Diligent Cyber Risk & Strategy Certification course. The course leverages exclusive interactive eLearning content and tabletop exercises to help directors improve their oversight of enterprise-wide cyber risks.
3. Actively engage with the internal security team
Leveraging the benefits of AI, boards can collaborate with the CISO and the IT team, offering the oversight necessary to safeguard the organisation.
The panellists encouraged such active engagement. Stafford believes that with their internal security team standing in front of the board, giving them a lay of the land and a snapshot of risk and security, “Board members will feel better as they deepen their understanding of what the next order of questions are.”
“That degree of engagement from the board is vital, just like you see on other crucial risks,” added Venables.
4. Make risk and readiness central to cyber discussions
How good are we at security? How resilient are we? What is our risk?
According to Mandia, these are the top three questions boards in any industry should be asking themselves about cyber risk.
Red team and purple team exercises can help answer these questions. “Emulate the threats, shoot the bullets at your network and see how you do,” he advised. “You just want to be able to do it in a safe way so it doesn’t disrupt business.”
Take a look at resilience as well. “Can you operate your business off the internet? I’ve seen a lot of businesses fail to some extent during a cyber breach because they couldn’t operate the old-fashioned way — manually,” Mandia said.
Leverage the benefits of AI by conducting tabletop exercises, real-world simulations of potential events, at least once a year. When presenting to the board, InfoSec leaders should use a risk-based framework that covers:
- Which threats the team is worried about
- What’s being done to mitigate those threats
- How you’re testing to see if those threats can become a reality
5. Include mergers, acquisitions and the supply chain in risk oversight
“Pretty much every organisation now is dependent ever more on their physical and digital supply chain,” Venables said. “I see a lot of boards not connecting the risks between their third-party and sometimes even fourth- and fifth-party risk assessments with their procurement team, risk team, and security team.”
“The supply chain is one of the most vulnerable areas,” Atkins noted, adding that it isn’t the only vulnerability. “About 40% of breaches come through the supply chain. M&A is another area. You buy a small company, and they haven’t got the right level of cyber protection.” Probe and ask questions, she advised.
6. Keep an eye on cyber basics
Effective cyber oversight also includes taking a good look at the organisation’s practices and processes:
- Does relevant, up-to-date cyber training exist for all company employees?
- Is this training getting administered and tracked in a timely fashion?
- How well are cyber teams and the board implementing and adopting cutting-edge tools for cyber protection?
“Staying ahead of things really comes down to you as a board member knowing the right questions to ask,” Stafford said.
7. Make third-party support business as usual
A third-party cyber firm, such as a managed services provider, can provide valuable support for your internal CISO team, the panellists concluded. A firm that tells you about the attacks and backs up your own CISO organisation is a net positive.
Sometimes familiarity is a good thing, but ultimately, you want to simulate different adversaries in exercises like tabletop scenarios.
Once brought in, evaluate these resources regularly. Stafford advised boards to consider: “Are you using the right external cyber penetration vendors, and do you have the right experts to come in to the board and actually go and kick the tires?”
That being said, “Do not abdicate your decision-making to the outside experts,” Atkins emphasised. “You’re there as a director. It’s up to you to make the business judgment and make that call.”