CISOs, CIOs, and other security professionals at some of the largest organizations in the world are taking on much larger roles, briefing leadership on how well the organization protects its data and systems. Strong security wins business, which translates into profitability for the firm. In fact, a security professional who reports to the board is becoming a competitive differentiator.
This is a radical departure from the way these roles have been viewed in the past. Previously, information security officers were considered back-office IT. Compensation for CISOs was much lower, and they were rarely (if ever) asked to report on metrics to the board of directors.
So why the change? Simply put, boards are becoming more savvy about cybersecurity risks and want to do everything they can to get ahead of potential issues. As a result, CISOs and other security professionals are getting a more important seat at the executive table.
In this article, we’ll explain three cybersecurity policies your security team should ensure are in place and examine two of 2016’s largest cybersecurity threats: ransomware and targeted spear-phishing attacks.
First, you’ll want to keep these two simple-but-critical tips in mind when reporting on cybersecurity in the boardroom.
Today’s CISO has to be able to monitor the metrics and communicate the results to board members so they can understand the risk management trade-offs. Some CISOs find themselves too far into the weeds, managing too much detail and not being able to narrow it down so the board can digest it properly. It’s important not to speak in absolutes, and to talk to the board in their language. It may be helpful to cut out the cybersecurity jargon and talk in terms of risk management, stock price, and bottom line—all things executives understand clearly.
Board members need to be able to see beyond the boardroom and fully understand risks from a business continuity standpoint, a business concentration standpoint, and a cybersecurity standpoint. When they’re armed with this information in a quantitative way—with the right level of abstraction—they can focus on getting behind a solution, changing a process, or adding additional resources.
We highly recommend using board-ready cybersecurity metrics, like peer performance comparisons and incident response rates. You can gather these internally or use an external business solution like BitSight Security Ratings. If you can leverage these simple metrics, you can make your presentation easy to understand and data-driven.
Traditionally, CISOs focus more of their budget on protective and defensive investments—but smart CISOs today are looking to refocus some of that budget to detection and recovery.
Why? Because there will always be some gap in your protection program. CISOs and boards that recognize this gap are able to reallocate their budget, get the right programs in place, and focus on resiliency and rapid recovery. For instance, one metric BitSight tracks is how quickly companies patch vulnerabilities on their network. The organizations doing very well with their cybersecurity practices are excellent at detecting security incidents and recovering rapidly.
The modern CISO needs to be able to make a case to the board about how cybersecurity practices will impact them and the business directly. This includes expressing why—and how—company-wide cybersecurity policies should be put in place.
There are many reasons why it’s critical for you, the security professional, to be involved in cybersecurity policy. For one, it’s important for employees to know how cybersecurity is viewed in the organization. If the cybersecurity and executive teams are wholly involved with reviewing policies and setting them in motion, employees will not question whether or not cybersecurity is being taken seriously. Some organizations consider employees’ adherence to cybersecurity policies as part of their performance reviews, adding another layer of importance.
Below, we’ve detailed three cybersecurity policies your organization needs to be addressing. This list, of course, is not exhaustive or even comprehensive. But if you aren’t enacting these three policies, you’ll very likely regret it in the future.
An acceptable use cybersecurity policy spells out what employees may and may not do with the work-related devices they use. It should, among other things, detail:
These corporate restrictions are critical for several reasons. First of all, if there’s something employees should be aware of, it should be clearly stated to them so they can avoid taking certain actions themselves and help police this internally. If there isn’t a specific written policy in place, employees can’t be held accountable as easily for any downloads they may have initiated that introduced malware into your corporate network.
This policy (which may be divided into many separate policies depending on your organization) should detail where and how employees should (or should not!) access their work-related electronic devices. For example, an employee needs to know the answers to these hypothetical scenarios:
Regardless of the types of scenarios you cover, the point should be to help employees avoid potentially risky behavior that they may not be aware of—and keep all employees in line with the organization’s cybersecurity strategy.
It is just as critical—if not more so—to ensure your employees know how to enact your policies as it is to put them into place. Therefore, it’s important to train employees on proper “cyber hygiene” regularly. They should, among other things, be aware of:
This should all be spelled out both verbally and physically (in a cybersecurity policy document) so every employee understands the expectations.
Some fall into “internal organization and engagement” while others specifically target “third-party engagement.” They may include:
Having a formal set of cybersecurity policies is the best way to create a complete cybersecurity program—so if you’re implementing these steps, you’re headed in the right direction.
Two of the largest threats in 2016 were ransomware and targeted spear-phishing attacks. Below, we’ll take a deeper dive into these threats, with details your board will be interested in hearing, and examine several countermeasures that should be taken to help avoid them.
In early 2015, the FBI issued a guidance post and a podcast on ransomware. The bureau noted that there had been a recent increase in reported instances of ransomware and warned against paying ransoms. Lately, we’ve seen several reports of hospitals being targeted by ransomware. Take these two cases, for example:
On February 5, 2016, a hacker used CryptoLocker software to hijack the hospital’s network and demanded a ransom of 40 bitcoin in exchange for access to their files. At the time, this was equivalent to about $17,000. The hospital purportedly paid the ransom before reaching out to law enforcement, which is contrary to FBI advice.
In April 2016, the Lansing BWL was the victim of a ransomware breach. An employee opened a malicious email attachment, which then encrypted files on BWL’s file servers. It is unclear whether a ransom was demanded, but it has all the other indications of a ransomware breach.
Often the dollar amount demanded by the attackers is relatively small, especially if you’re a large organization. What seems to be more difficult to deal with is the loss of productivity. In the case of a hospital, the loss of time when you’re forced to send people back to paper and pencil to document and process health records is a problem.
There are a few pieces of advice that are important to keep in mind when it comes to ransomware:
Ransomware is definitely hot in security news right now, but another thing we’re seeing pop up quite a bit is targeted, sophisticated spear-phishing attacks.
Phishing attacks have changed substantially over the years and are far more targeted than they once were. Hackers today will often use names of administrators or C-level executives to give their emails the gravitas they need. These spoofed emails are then used to request, say, W-2 information or a bank transfer.
Several schools fell victim to spear-phishing attacks in 2016:
1. Train employees to be skeptical. User awareness training should be mandatory so employees are skeptical of what they’re sent and diligent about following up on potential threats through the proper channels.
This training can cover myriad topics, but should certainly cover the following:
2. Consider employing email authentication technologies. There are some technologies, like SPF, DKIM, and DNSSEC, that any organization with a website should consider using to limit the possibility of their domain being used for a phishing scam. These aren't a panacea against spear phishing: they won’t stop you from being the target of a spear-phishing attack, but they will reduce the likelihood of your own domain being used in one.
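To make the SPF point concrete, here is an added example (not BitSight's code, nor part of the original article) of the check a receiving mail server performs: it looks up the sending domain's SPF TXT record and decides whether the connecting IP is allowed to send for that domain, so a spoofed message claiming to come from your domain fails. The domain names and records are constructed placeholders served from a dictionary instead of DNS, and only the ip4, ip6, include and all mechanisms are handled (real SPF, per RFC 7208, also has a, mx, exists, redirect and macros).

```python
import ipaddress

# Constructed sample zone: the TXT records a receiver would query when
# checking mail that claims to come from "example.com" (placeholder names).
SAMPLE_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=SAMPLE_TXT, depth=0):
    """Return the SPF result ("pass", "fail", "softfail", "neutral",
    "none" or "permerror") for mail from sender_ip claiming `domain`."""
    if depth > 10:  # RFC 7208 limits include nesting / DNS lookups to 10
        return "permerror"
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published: the receiver cannot decide
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            # Mismatched address families simply never match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            # Only a "pass" from the included domain counts as a match.
            matched = check_spf(arg, sender_ip, zone, depth + 1) == "pass"
        elif name == "all":
            matched = True  # catch-all; "-all" rejects everything else
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted with no match and no "all"


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, check_spf("example.com", ip))
```

A "fail" result is what lets the receiver reject or quarantine a message that forges your domain; it says nothing about mail sent from a lookalike domain the attacker registers, which is why the article calls this a partial measure.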
The commonality between ransomware and targeted spear-phishing attacks is the end user. Both threats are typically the result of some kind of user action. So while it may seem (particularly from the examples above) that users are a weak point, they’re also an important point of strength. If your employees—your last line of defense against these types of cybersecurity threats—are well-trained on detection, you will have a strong cybersecurity system.
Cybersecurity briefings were once considered a check-off-the-box conversation at the board level—but today, executives understand the regulatory, fiduciary, organizational, and personal liability that could come from a data breach. Furthermore, the importance of proper vendor risk management is well-known in executive circles. Boards realize that they need to focus on identifying whether there’s an issue with a vendor, communicating regularly about security issues, and managing vendors at scale. As a security professional, this increased awareness plays in your favor!
To further prepare for presenting security information to the executive team, download this free guide. It will walk you through how to nail down your presentation goals and style, how to select the most compelling metrics for your board, and a number of critical things to keep in mind before and after a board presentation.