Here is what you will find in this article about cyber risk management:
- Most Boards Still Struggle with Understanding Cyber Risk Management
- What Boards and IT Teams Can Do to Improve Cyber Risk Management
- Cyber Risk Management is a Perpetual Beta
While the alarming pace at which cyber security breaches and issues are accelerating is enough to keep most CTOs up at night, there’s another problem just beneath the surface that threatens to make things worse. Many board members in companies big and small are woefully ill-informed on cyber risk management best practices. Since a company’s top brass is responsible for creating the policies that dictate how the workforce will interact with tools, this oversight often proves disastrous.
A study by Solar Winds on the latest cybersecurity threats found that user mistakes accounted for the largest percentage of incidents, followed by poor network systems, application security and external threat actors infiltrating a company’s network. While this revelation isn’t anything new (humans have always been known to be the weakest link in the cyber chain, after all), it’s still a worrying trend that needs to be taken seriously, particularly since malicious attempts targeting users are becoming ever more sophisticated. Phishing attacks, for instance, are already more common than malware, having increased an astounding 250% since last year according to a Microsoft report.
So, why is this trend more alarming now than ever? New working trends such as BYOD, work from home, telecommuting etc. only give users more reasons to play fast and loose with security, as they may or may not be bound by a strong security policy.
As companies are only now beginning to understand this paradigm shift in working practices and culture, they may find themselves at an increased risk of being compromised. They cannot avoid such new work practices either, as doing so would put them at a competitive disadvantage against more hustling competitors who use them both to attract higher quality talent and to drive up productivity and innovation.
The only way forward is to make cyber security management a core part of corporate governance, so that a company’s board not only understands it better but can also draft realistic policies that stay on top of security issues.
Most Boards Still Struggle with Understanding Cyber Risk Management
Managers at the upper echelons of a company have to make organization-wide decisions that affect company performance. Obviously, taking a highly detailed look into every aspect of their organization’s workings becomes unwieldy and unrealistic. Indeed, many CEOs simply equate cyber risk management with regulatory compliance such as HIPAA, PCI etc.
“Cyber security is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks,” says Ciaran Martin, CEO of the NCSC. That’s not to say that boards are unaware of the importance of cyber risk management or of the security scenario in general. The UK Government’s Cyber Health Check study, which looks at the state of cybersecurity in the UK’s biggest FTSE 350 companies, found that while 96% of the companies surveyed had a security policy in place, only 16% of their boards actually had a thorough understanding of cyber risk management.
So if the survey is any indication, the vast majority of companies out there suffer from poor investment in sound security policies. That’s not to say that board members are utterly ignorant of security either: 42% of board members reported cyber security as one of the top five most pressing matters on their agenda, according to a NACD report.
While board members may not be aware of the intricacies of cyber security, they still need to find ways to strengthen their organization’s standing. As risk management is an ever-present part of a board director’s portfolio, it stands to reason that cyber risk management should be added to their to-do list. Indeed, there are quite a number of things that both board members and their IT executives can do to improve the conversation surrounding cyber risk.
What Boards and IT Teams Can Do to Improve Cyber Risk Management
Up until now, board members have relied on presentations and feedback from their IT teams to gain a picture of what their security measures look like. Such presentations are often dished out in jargon-heavy verbiage that many people on the board simply do not have the expertise to interpret properly. The solution is therefore two-fold:
- Firstly, tech executives need to prepare reports that the board can easily digest. And,
- Board members need to ask some very direct questions to cut to the heart of the issue.
Let’s take a look into each of these aspects.
Tech and security experts can:
Start with context
How exactly does the company stack up against the competition vis-à-vis security? How has security affected the organization in the past? Are our employee monitoring initiatives actually working? What is going on in the industry in general, and have there been any major breaches? If so, what did the damage look like? Starting with big-picture questions such as these will help your executive team members understand the gravity of cyber risk management.
Answer their “what’s in it for us?”
As much as tech teams like to look at cyber security as a problem in itself, an executive is going to treat it as just one more stumbling block that they need to take care of.
Since the goal of a cybersecurity presentation is to gain better involvement of the board and (probably) secure more investment, you need to explain cyber risk management through an ROI lens. Treat a cyber risk management discussion as a pitch where you are trying to sell better security to your board.
For example: if we invested ‘x’ amount in increasing our cybersecurity measures, we could realistically increase customer loyalty/decrease downtime etc. by ‘x’ amount. In other words, ask yourself how exactly a cyber threat affects your company. Another way is to present cybersecurity as an investment that staves off a future cost. That is, the legal and PR costs of a cybersecurity fiasco are always greater than whatever investment the measures require to implement.
Lose the jargon
Insider language exists only to speed up communication within a professional circle. Obviously, your board will not be familiar with the terms that your IT team swears by. In fact, it would be better to flip the table and start using your audience’s language, including the business terms and phrases that board members are going to be more familiar with.
Add an outside perspective
Of course you will ask for more money to make your life easier! Sadly, we are all guilty of distrusting a source close to us, suspecting they are acting out of vested interests. Using outside sources and experts to back up your assertions will help you earn greater trust.
Board members on the other hand can consider the following:
Ascertain policy effectiveness
While IT teams typically frame their own procedures and processes, boards are responsible for coming up with policies. Since procedures and processes need policy as their context, the board can use them to gauge how well it understands the policy’s effectiveness.
Understand both what worked and what didn’t
If the company did face cyber threats, then the board can delve deeper into why the organization couldn’t see them coming. Targeted, deeper insights are certainly warranted in high-priority cases. Likewise, if a persistent or trending cybersecurity threat has not yet affected your company, then the board should find out what the IT team is doing that’s keeping everyone safe.
Know the financial impact of both potential and incurred threats
Cybersecurity threats come in all shapes and flavors. As such, each type is going to leave a different financial footprint. Mapping a breach to a cost figure will help you understand which threats to prioritize. Yes, all threats are important, but some will always be more pressing than others.
Ask how your security can handle more democratized working styles
BYOD and remote working are both examples of a flatter hierarchy. Since all such trends involve opening your company’s walls to potential threats, it’s best to discuss them in greater detail with your IT team. Creating a thorough BYOD policy will also help you stay on top of things.
Ask direct questions
It’s important to know which questions to ask and which to forgo. The NACD has a great list of questions that apply to corporate cyber risk management. Questions like “What was the most pressing cyber security issue the company faced in the last quarter?”, “What was your most significant near-miss?”, “How does the IT team measure security?” and “What measures does the company have to escalate serious issues?” will help your cyber risk management meetings stay on track.
Cyber Risk Management is a Perpetual Beta
In other words, you simply cannot rest on your laurels on this one. A consistent theme in cyber risk management studies is that threats almost always find a way to outsmart the measures taken against them. It is prudent to assume that whatever new security tool you are implementing now only buys you a bit more borrowed time. Dedicating a portion of your IT team to always be looking out for security threats can help you stay ahead of the curve. An involved board will greatly speed things up and help the company keep its head above water.
While managing cybersecurity in house is always a good idea, cloud-based productivity tools like Runrun.it can greatly take the edge off. We know how taxing constantly revising your policies and procedures can be, which is why we provide one of the most secure digital working environments online. Not only can you assign tasks, track time and maintain a remote team effortlessly, but you can also carry out your operations knowing your assets are always secured. We’re offering a free trial, so give Runrun.it a whirl!