Security leaders are often tasked with reporting to the board on their efforts, and as much as we’d like to think those board members pore over all the nuanced details of the reports, the more realistic scenario is they are waiting for us to explain things in terms they understand. There are many ways to help build that relationship, but if there is one language that boards understand, it’s the language of managing organizational risk.
This is good for us as security leaders. Cybersecurity is inherently about managing risk, and with the right approach we can take a lot of the mystery out of what we do and help boards see cybersecurity as something to incorporate into their regular risk discussions, just as they would build out plans for a market or supply chain disruption.
So how can you best frame that discussion to help boards make the right decisions when it comes to cybersecurity? These three questions can help board members think about cyber risk and how to build a better cyber resiliency program.
- What could our organization lose if hit by a cyberattack?
- If we are hit by a cyberattack, what is our business continuity plan?
- What are we investing in today to avoid a breach?
Question 1: What could our organization lose if hit by a cyberattack?
The most obvious answer to this question is money. If you are hit by a ransomware attack and locked out of your systems, what will the cost of recovery be? If you’re in an industry such as manufacturing, how much revenue would be lost because of down time? There is also the potential for lawsuits or fines if data is breached. Once you start adding up incident response, down time and legal fees, the cost of a breach escalates quickly, creating a clear financial risk for any organization.
Less tangible than financial loss but just as devastating is the reputational loss that can follow a breach. If your customers’ data is stolen, how would your organization quantify the loss in trust that happens as a result? What would be the cost to rebuild that trust? Lost data can create a lot of headaches and cause turmoil that can lead to the loss of customers.
Next steps for further discussion: What is your most valuable data? Where is it stored? Who has access to it? In order to properly know your risk and address vulnerabilities, you first need to know what you have for data and where it is located and how likely is it to be exploited. A good risk program will have these answers and multiple ways data is protected from multi-factor authentication to reducing the number of people who can access critical systems.
Question 2: If we are hit by a cyberattack, what is our business continuity plan?
There is no 100% foolproof way to prevent a breach. Every organization must approach a breach as matter of “when,” not “if.” That means it is critical to have a business continuity plan in place that lays out the steps to minimize the disruption to operations. What are the specific boundaries for your organization? How long can you operate offline? How are you going to communicate what happened to key stakeholders both internally and externally? A solid communications plan will help you control the narrative and avoid the speculation that can occur in an information vacuum.
A cyber breach definitely falls under the “worst day possible” scenarios that a board should be aware of and understand how prepped your organization is to handle when managing risk. A business continuity plan will help stem panic and indecision by outlining clear steps for your teams so they can hit the ground running and come out the other side of one of those worst days.
Next steps for further discussion: Just as critical to creating a business continuity plan is to revisit it regularly. Your plan needs to be checked on a regular basis to ensure it is up to date with your current system and contact information for key stakeholders, and you need to test it to know you can execute the steps properly. Practice for your “worst day” by running exercises that not only test your security and IT teams but executive teams: Who are your contacts for the legal team? Who is deciding what information is being shared with customers and when? What is your external communication plan? The worst time to be trying out a business continuity plan for the first time is in the middle of a breach.
Question 3: What are we investing in today to avoid a breach?
What this question is really meant to spark is an ongoing conversation about how your organization can create a robust, end-to-end cybersecurity plan that fits your situation and goals. If proper planning is about getting in the mindset of “when, not if,” then you need a cybersecurity plan that is constantly evolving to meet new and emerging threats. What cybersecurity solution do you have in place to prevent, detect, and respond to threats? You want to be sure you are working with a security partner who brings both the latest in technology and the latest in threat intelligence to the table. How are you training employees to be vigilante and not fall for social engineering attacks?
The goal with your cybersecurity plan is to always be operating from a defensible position. By taking in the threat landscape and continually evolving your response plans, you will put your organization in the best place to reduce its cybersecurity risk.
Next steps for further discussion: When was the last time your organization took a close look at its vulnerability management program? Sometimes we get so caught up trying to identify sophisticated threats that we forget threat actors are always looking for the easiest route into your systems. Staying on top of patches and other vulnerabilities measures is a key component of containing cyber risk.
Define Your Risk Aperture
How much risk you and your board are willing to accept will depend on a lot of factors—size, industry, budget, etc.—so cybersecurity will look different for every organization. Our job as security leaders is to make sure our boards understand what the most important cybersecurity issues are at our respective organizations, and how that fits into the overall context of reducing overall risk. When boards understand this, you are on your way to addressing the concerns in the above questions and boosting your organization’s cyber resilience.
If you are interested in speaking to a security expert to learn more and how Secureworks® could assist in building your incident response plan, please reach out to speak to a security expert today.