Board members don't need to be cybersecurity experts to play an important role in defining their organization's overall cyber health. In this article, we will discuss how to shift boardroom conversations and considerations about cybersecurity to enable members, company management, and information security personnel to work together to implement a more effective cybersecurity program.

Why Boards Should Stop Searching for the ROI on Cybersecurity

If you’re looking for the ROI on cybersecurity, you may find it difficult to measure.

These are not words you’d expect to hear from a shareholder at a cybersecurity company, right?

That doesn’t mean that cybersecurity is unimportant, though. The problem doesn’t lie in the value of information security—it’s absolutely valuable. The problem lies in the typical conversation around its value.

Imagine:

You own ABC Widgets, Inc., and you have a warehouse where you store all your widgets.

Every day, you pay employees to work there. One of their tasks is to ensure that the warehouse is locked before they leave.

Every day, they lock the warehouse before leaving. What’s the ROI for the 5 minutes it took to lock the warehouse? If no one ever tries to break in, then the ROI on that effort is zero. On the other hand, if locking the warehouse thwarts an actual break-in attempt, then the ROI could be everything in the warehouse.

So, what is the ROI on locking the warehouse? The effort doesn’t increase earnings or revenue – it prevents the loss of inventory, thereby avoiding losing money.

This analogy helps illustrate the challenge of trying to measure the value of an effective cybersecurity program. Cybersecurity rarely offers a clear way to “win” in the traditional sense, as such investments aren’t typically tied to direct increases in company revenues. Instead, cybersecurity investments offer strategies to prevent losses which are, quite honestly, often hard to get people excited about. Even so, the boardroom conversation around cybersecurity must shift if we want to understand its true value.

Instead of asking how much more money a company can make from its cybersecurity efforts, it is more appropriate to ask how much the company is avoiding losing by investing in cybersecurity. That can be hard to determine, but like most things in information security, proper evaluation starts with a risk assessment.

While many security threats are similar across organizations, cybersecurity risk is different for every company. The purpose of a risk assessment is to help an organization identify, catalog, and measure the unique cybersecurity risks it faces, and the potential impact if those risks were to be realized.

Once a risk assessment has been completed, the organization will have a solid basis for discussing cybersecurity in the boardroom. At that point, Board members and company executives have the necessary background to identify the risks the organization faces, their likelihood of occurring, and the potential impact on both revenue and public opinion of the entity.

To properly evaluate the benefits of cybersecurity investments, instead of asking how cybersecurity will increase profits, ask how it will decrease or prevent losses. Investing in cybersecurity can help a company avoid costly mistakes and the potential loss of customer trust, which is hard to measure in a specific dollar amount.

Is Management Involving the CISO in Strategic Business Decisions?

Seasoned Board of Directors members know that big decisions happen quickly. Often, significant company decisions don’t include all key leadership representatives within the company, such as the security team. This oversight can leave the security experts scrambling to implement controls, identify other risk mitigation strategies, or otherwise get up-to-speed with company changes, and can introduce unexpected costs and delays into the planned changes.

This omission generally happens because of a simple misunderstanding. There is a misconception that the security team is the “no” police, which will do whatever it can to stop the business from making major changes.

However, the goal of a strong cybersecurity function is to align itself with the goals of the business, and to advise business leaders on cybersecurity considerations so they can make informed decisions, not to say “no” whenever possible.

Here’s a simple analogy:

When asked why brakes on a car are important, most people will respond, “Because they let you stop when you need to.”

In actuality, brakes are important because they allow the car to go faster than it would without them.

Imagine driving a car without brakes. To avoid a major catastrophe, the car would have to stay on flat ground and never go faster than a few miles per hour (and it would probably need a hole in the floor, like in The Flintstones, so the driver could stop it with their feet).

The same is true for information security controls. They don’t exist to slow an organization down, or worse—to stop it in its tracks. An organization’s cybersecurity team exists so the company can take bigger risks more safely.

Think about this:

Without security controls, an organization would hardly be able to store, process, or transmit any sensitive data, because it would be so readily accessible to anyone who wanted to get into a network and find it.

Security controls and the efforts of the cybersecurity team enable the business to operate most effectively and securely. However, the security team delivers the most value at the least cost when it is able to participate in strategic business decisions, that is, when a two-way relationship exists between management and the security team or Chief Information Security Officer (CISO).

How can a Board of Directors help foster that relationship at an organization?

First, understand that it is the responsibility of the management team to involve the CISO in strategic decisions. Rarely will a CISO beat down the door of management to get involved in big decisions. And even if that does happen, he or she may not find an executive team who understands why his or her involvement is necessary. Thus, management must take the initiative to understand the importance of the CISO role and the benefits of involving the security team in strategic decisions.

Second, it is the CISO’s responsibility to be a good team member and work to understand the business objectives. What does that mean, exactly? Mainly, the CISO can’t be the “no” police. He or she shouldn’t attempt to shut down any proposition that presents a risk to the organization. The CISO must understand not just the plans made by the management team, but also why they are important to the business.

If the management team proposes a strategic initiative that poses a moderate risk to the company’s security posture but could yield a significant financial return, the CISO must be willing to entertain and potentially help implement the idea. Put another way, the CISO should acknowledge the benefits of the proposed business plan and seek affordable ways to manage the risk down to an acceptable level. Beyond that, the CISO must understand the language of the Board and be able to present security concepts to management in an understandable and accessible way, without the “geekspeak” often associated with information technology conversations.

In the end, both the CISO and the management team must be working toward the same goal—a better business. However, each side must do its part to ensure that the goal can be realized.

Is the CISO Reporting Appropriately Within the Company?

A hammer is a valuable tool—but not if you’re trying to cut down a tree. In the same way, a cybersecurity team is an asset to a company’s success, but it’s most effective when used correctly.

When trying to determine whether an organization is using its security team effectively, and consequently whether the CISO’s reporting structure is appropriate, start by asking this question: What does the company need and/or expect the cybersecurity team to provide to the organization? The answer to that determines the appropriate reporting structure for the security function.

Traditionally, cybersecurity teams follow one of two basic modes of operation:

1. Oversight

In this function, the cybersecurity team is separate from the company’s IT team. The CISO reports to the Chief Legal Officer or Chief Compliance Official. The benefit of this structure is that it allows for separation of duties between the IT team (which typically handles day-to-day technical operations) and the cybersecurity team (whose time is better spent addressing security and compliance challenges).

This model works best for organizations that are process-centric (i.e., the company has implemented formal processes for most business operations and doesn’t spend much time solving problems “on the fly”). For this model to work most effectively, “oversight” must be defined very clearly.

  • How will the security team oversee company processes?
  • What exactly will be done?
  • What specific activities are involved in the oversight process?
  • What authority will the cybersecurity function have to prescribe solutions?

2. Operations + Oversight

In this structure, the cybersecurity team is responsible for both the oversight of the company’s security program, as well as some of its day-to-day IT operations. This model is best suited to organizations that are not necessarily process-centric and find themselves “fighting fires,” because it allows for a rapid, integrated response when necessary.

The benefit of this model is that it allows the cybersecurity team to work directly with the IT team, which is necessary in any organization. Beyond that, it allows organizations to mature to a more process-centric structure, at which point the IT and cybersecurity teams can be segregated. One challenge with this structure is that day-to-day operations can consume the team’s security efforts. Instead of spending their time identifying and communicating risk and aligning strategic priorities, cybersecurity experts can get stuck chasing helpdesk tickets.

3. The Hybrid Method

While the two methods above have their benefits, the most advanced companies follow a hybrid model, in which the cybersecurity team is spread across three reporting categories:

  1. Reports both to the IT Department and the cybersecurity team itself
  2. Reports solely to the IT Department
  3. Reports solely to the Oversight/Compliance/Etc. Department

What’s the benefit of this structure? This model creates three minor divisions within the cybersecurity team: one team that provides oversight, one that handles operations, and another that performs both oversight and operations as needed. This model allows the security team to be flexible and responsive to day-to-day operations, when necessary, while maintaining a strong (and objective) security and compliance posture. Who the CISO ultimately reports to in this hybrid design depends on what the cybersecurity function is expected to provide to the company, as well as the organization’s culture.

Board representatives should understand the cybersecurity operating model management has chosen and be familiar with what cybersecurity is expected to deliver to the company. This knowledge will allow Directors to determine if security is reporting appropriately within the company.

Does Your Company Have a Comprehensive Cybersecurity Program?

While it would be great if there were an exact set of steps to follow to be fully secure, there are no one-size-fits-all cybersecurity programs. From a 30,000-foot view, developing a comprehensive information security program seems straightforward—and it is. The challenges appear when you begin to get in the weeds and look at specific risks an organization faces, because many cybersecurity questions don’t have a straightforward answer.

Just like a tailored suit or the way each person prefers their coffee, cybersecurity programs are unique. To have a comprehensive cyber program, it’s not enough to look at what other companies are doing and mirror their efforts. Each organization must define what an appropriate program looks like for their company. Boards of Directors should ask management, “What does a good cybersecurity program look like for us?” That said, there are four key steps every organization should take to ensure its cybersecurity program fits its needs and risk tolerance.

1. Perform a risk analysis.

A risk analysis is the foundation of an information security program. It asks and answers questions such as: What type of data does the company store, process, and/or transmit? What’s the likelihood that sensitive data could be accessed by a malicious user? What would be the consequences of a breach? The good news is that organizations don’t have to do this analysis on their own. There are experienced, qualified entities (such as LBMC Cybersecurity) that can provide an objective yet comprehensive view of cybersecurity risk and help prioritize weaknesses, so that each organization can ensure its limited resources are used to address the most important cyber risks.

The risk analysis should evaluate the company against a well-established, universally accepted industry standard like NIST CSF, ISO 27001, or any other common security framework in the company’s industry. The creators of these frameworks have taken the time to define the general domains and functions that all cybersecurity programs should consider and address. Using a framework as the basis for assessment and decision-making ensures that the entity takes a deep and comprehensive look at its risks.

2. Develop controls to integrate security into business operations.

Auditors (and hackers, for that matter) don’t care how much a company talks about cybersecurity. They care whether controls are in place and functioning as designed. Use the risk analysis as a guide to determine which controls must be implemented (or enhanced) to protect data to a reasonable degree. This is where decisions and actions begin to differ for various companies.

Some companies store incredibly sensitive data in highly visible and accessible systems, and therefore must spend high dollars to protect that data. Other organizations store lower-risk data in less accessible ways, which can often be afforded a lower budget. Ultimately, each organization must determine how to implement cybersecurity in its day-to-day business operations to reduce risk to an acceptable level.

3. Write it down.

For the security program to be truly real, it must be written down. Documentation is important for a few reasons. First, employees can’t perform their security duties if they don’t know what those duties are. Documenting security controls provides clarity and transparency about the company’s information security program, as well as its expectations for protecting sensitive data.

Second, it is difficult to evaluate the effectiveness of a program if its goals and methods aren’t clearly documented. The proper way to verify that security controls are in place and operating effectively is to examine (audit) them. Without a written record of controls that are required to be in place, it is impossible to know what to evaluate to determine the organization’s security posture.

4. Implement the controls.

Determining and documenting cybersecurity controls are huge steps for many companies. The problem is, too many companies stop there. Often a company has comprehensive documentation about their security program, but their implementation of the control processes is lacking.

To ensure the cybersecurity program produces the desired results, organizations must carry the baton across the finish line. Once controls have been designed and documented, they must be effectively implemented throughout the company. Be sure not to make the mistake of documenting desired future-state as the current reality; document the controls that are truly being performed within the organization today. Documenting what the organization aspires to do might be helpful to set a future goal, but it won’t impress an assessor. What’s written down should reflect reality within the organization.

Is the Company Fostering a Culture of Compliance and Security?

Here’s a fact: Employees at every organization create, handle, and manipulate sensitive data daily. That means employees are the first line of defense for protecting an organization’s sensitive data.

The problem is, at many companies, cybersecurity training isn’t treated as a learning opportunity, but rather a box to be checked off periodically (and largely forgotten after it’s completed). Add to that the fact that, after working with sensitive data for a significant period, many employees fall into one of two camps:

1. They become numb.

Some employees handle sensitive data so often that they forget it’s even sensitive. They see and handle this data so frequently that they treat sensitive data like the score of last night’s football game. It’s trivial.

2. They become overly sensitive.

Other employees become the opposite of numb. They feel the weight of the data they handle—all of it. That means they may misclassify clearly non-sensitive data as “sensitive,” or may take unnecessary measures to protect unimportant data.

How can a Board of Directors help management and the employees discern sensitive data and handle it correctly? Ask one simple question: Has the company implemented proper security awareness training?

Proper training means making sure the organization’s cybersecurity awareness program is tailored to the individual functions inside the company. Many organizations provide the same training to all employees, even though employees in different departments handle vastly different data at different frequencies.

While a baseline security awareness training program is helpful for all employees, companies should also provide additional training to certain employees based on their specific job function.

For example:

An entry-level employee at a healthcare company may handle mildly sensitive data for a certain number of customers or patients.

In stark contrast, a senior cybersecurity team member regularly interacts with all of the company’s sensitive data.

In the examples above, both employees should have a baseline level of security awareness training, but the cybersecurity team member should undergo more intensive training as well. Further, the entry-level employee should have training relevant to the data he or she handles regularly.

To truly develop a culture of compliance and security within an organization, the company may have to change the way it views and reacts to data handling mistakes. Cybersecurity mistakes can’t always be viewed as punishable offenses or unforgivable blunders. If employees believe they’ll be punished every time they make a mistake, they may try to hide those mistakes, as well as their lack of understanding of cybersecurity-related topics, because they fear getting into trouble.

Instead, view the majority of data handling mistakes as teaching opportunities. An information security slip-up is an opportunity to revisit and clarify the employee’s responsibilities and tell them exactly how to avoid the problem in the future. And of course, there should be consequences if an employee continually fails to fulfill his or her responsibilities.

A culture of compliance and security starts with the tone at the top. It’s up to Board members to emphasize to the company that cybersecurity is:

  • Important, not just at a general level, but at a specific level for each role.
  • A continuous learning experience for everyone involved. It’s okay to admit a mistake or lack of knowledge in efforts to improve.

Tips on Cybersecurity Vendor Risk Management

Each of a company’s vendors presents a unique risk to the organization. Whether it’s a risk to information security or the availability of the company’s product or service, all vendor services come with a specific level of risk.

In the current technological environment, vendors are not only helpful but are required to run certain aspects of many businesses. Most organizations keep tabs on their vendors at the beginning of the relationship, having them sign a non-disclosure agreement and/or some type of contract outlining the responsibilities and expectations associated with the agreement. For compliance purposes, these organizations may also check their vendors’ security posture once a year.

Companies may be checking off the boxes to keep the auditors happy—but, if all they’re doing is checking boxes, they’re not properly managing the risk posed by vendors. Here are three key questions Board members should ask management regarding vendors:

1. Do we understand who all our vendors are?

This question may seem simplistic, but the list of vendors is likely larger than expected. It’s worth taking the time to look at the contract management system or accounts payable to establish a concrete list of vendors.

An important note here is that risk does not stop at the vendor. Thanks to HIPAA’s Omnibus Rule passed in 2013, vendor risk management programs must extend to the entire chain of vendors in a particular supply chain. That means vendors’ vendors—and so on, all the way down the chain, may need to be included in the inventory.

2. Do we have a risk ranking for each of our vendors?

Not all vendors pose the same level of risk. A waste management company probably doesn’t present the same degree of risk to the company’s security or availability as a cloud service provider does. Management should be asking questions that help determine the level of risk for each vendor, such as:

  • What type of data does this vendor handle? Is it sensitive?
  • How much data do they handle on a daily, weekly, monthly, etc. basis?
  • How many people interact with the data?
  • Is this vendor critical to the delivery of our products/services to our customers/clients?

The larger a role a vendor plays in a business, the higher the level of risk they introduce. Remember, don’t just look at risk solely from a security perspective. If a vendor doesn’t handle much sensitive data, but is critical to the company’s business offering, that vendor might still receive a high-risk ranking.

3. What controls have we implemented for our vendors?

As mentioned earlier, most companies are good at “checking the box” and signing the appropriate documents at the start of the relationship. But to have a truly comprehensive vendor risk management program, controls should be implemented throughout the entire business lifecycle.

Implement controls that address the risks identified in Step 2. For example, for a cloud service provider that stores large amounts of data needed for normal business processes, it may be appropriate to perform regular backups and store a copy offline. The strategies utilized for each vendor risk management program may not eliminate certain risks entirely, but they should be able to mitigate risks to a reasonable extent.

Vendors are integral to most business processes. Therefore, it is important to not only start these relationships on the right foot, but to maintain them effectively throughout the entire business lifecycle. Properly designing and implementing oversight of these key business relationships will help the company achieve its vendor risk management goals.

Gaining Comfort Around the Company’s Legal Processes

Look around. That’s all it takes to notice that today’s technology landscape is vastly different from that of the past. With an abundance of new “smart” devices comes an increased risk that they will be targeted. And with a staggering amount of personal data stored, processed, and handled every day, it’s no surprise to see legislation developing around the topic.

Keeping up with changing rules, regulations, and laws around cybersecurity is a full-time job. The cybersecurity profession is evolving—quickly. The idea behind laws and regulations around information security is to inform consumers, so they can make better decisions related to their privacy.

While Board members may not be concerned with consumers’ understanding of legal processes related to cybersecurity, they should be comfortable with the company’s understanding of those legal processes and its obligation to comply with any applicable regulations. Board members should be asking:

How is the company maintaining a current understanding of cybersecurity laws and regulations?

These laws and regulations set the tone for the company’s entire culture around information security, so they can’t be an afterthought. Every organization should have a general counsel or chief operating officer who stays current on the latest cybersecurity laws and regulations and effectively communicates their consequences to the company’s Board and leadership team. Beyond that, every organization should also work periodically with outside legal counsel to ensure the general counsel or organization hasn’t overlooked any “blind spots.”

It’s not only important for general and external counsel to stay abreast of laws and regulations; these individuals must also work closely with the cybersecurity team to ensure that cyber leaders have a thorough understanding of the laws and regulations and implement effective controls to address them. Legal counsel should also examine each of the company’s contracts with vendors, as these contractual arrangements and obligations can introduce cybersecurity requirements, such as compliance with requirements from PCI or HIPAA.

The common thread here is reduction of risk. Noncompliance with laws, regulations, or contractual obligations adds significant risk to an organization. Maintaining awareness around these topics decreases the risk of harm to reputation, loss of sensitive data, failure to meet contractual obligations, and much more.

With all of the newsworthy events occurring related to cybersecurity compromises and data breaches, it’s hard to overlook these topics, but it’s also hard to manage cybersecurity issues effectively. LBMC Cybersecurity can help identify the laws, regulations, and contractual obligations the company must meet, and help you put controls in place to address them effectively.

Secure Organization’s Non-Digital Assets

Often, employees are too involved to be able to take a step back and look at the full picture of an organization. That’s where boards are most effective. They can take a 30,000-foot view of the company and provide effective guidance from that perspective. This is especially true with information security. Digital assets face so many threats that it’s easy to forget the classic physical asset that stores large amounts of sensitive data: paper.

Understanding how your organization handles paper is just as important as understanding how it handles digital assets. Why? Because paper can contain sensitive information just as easily as a digital file or email, but often gets overlooked in the stream of information about phishing, firewalls, bits, and bytes.

Due Diligence for Proper Paper Destruction

Imagine outsourcing document destruction to a third-party. Because the company is local and seems reputable, you don’t do much background research on them. They seem trustworthy, so you leave it at that.

Now, imagine experiencing a breach and having no idea how it occurred. You ask, “I thought we were doing everything right—what did I miss?”

Next, you’re informed that the documents you thought were being destroyed were found, fully-intact, at a local dump.

And, instead of being able to place the full weight of blame on the vendor, your company receives a fine from the Attorney General because you didn’t perform appropriate due diligence.

Management of Non-Digital Assets is Critical for Security

That’s why the appropriate management of non-digital assets is critical. We often think of breaches in terms of “malicious users” and “hackers,” without realizing that the simplest format, paper, can give someone enough information to wreak havoc in an organization.

If you want to ensure your organization is handling non-digital assets effectively, here are some key questions you can ask:

  • Are we outsourcing storage and destruction of physical assets? If so, who are those vendors? Have we conducted appropriate due diligence?
  • How are documents stored at vendor facilities? Are they protected from environmental destruction (water, fire, etc.)?
  • How are we physically securing spaces where paper documents are stored and used?
  • What about printers? Are files printed and then picked up? Or, do employees need to log in to the printer to accept a print job?

The purpose of these questions is to better understand where and how the company handles and stores paper assets, and then to ensure there are controls around those areas and processes.

Physical assets vary depending on the industry of your organization. Regardless, appropriate security controls are imperative. If you need help determining appropriate controls or assessing the effectiveness of your current controls, LBMC can help.

Everything Your Board Should Know about Cybersecurity Insurance

Most new cars sold today have good safety features designed to reduce the chance of a collision and, if one occurs, to minimize the impact on the occupants. Of course, most new car buyers don’t buy a car expecting to utilize the safety features – in fact, buyers hope to never have to use them! In an ideal world, those safety features would sit unused for years.

Cybersecurity insurance is like those car safety features. It’s something an organization hopes it will never need to take advantage of, but that will be very helpful in the event of an emergency. Put another way, cyber insurance is something many organizations don’t know they need, until they wish they already had it.

The difference between a car’s safety features and cybersecurity insurance, though, is that, while safety features might help car occupants walk away from a crash without a scratch, no company walks away from a breach without feeling its effects.

While cybersecurity insurance can’t stop a breach, it can help offset the cost of cleaning up the mess after a breach occurs. The problem is that cybersecurity insurance is not cheap.

But here’s the good news: How much cybersecurity insurance costs an organization depends, in large part, on the quality of the company’s cybersecurity program. When determining the cost and amount of coverage to offer, insurance companies must assess the risk involved in taking the company on as a customer.

Customers who pose more of a risk—i.e., companies “who are more likely to experience a breach” (read: Don’t have a comprehensive cybersecurity program)—will likely pay more for insurance or be denied the opportunity for coverage at all.

Conversely, companies that pose less of a risk—i.e., “who are less likely to experience a breach” (read: DO have a comprehensive cybersecurity program)—will likely find adequate coverage available and pay less for the insurance.

In short—cybersecurity insurance isn’t a bad idea, but it’s unlikely to solve any cybersecurity problems. Instead, it will help offset the cost of solving problems after they’ve already happened. Companies can protect themselves—and get a better rate—by implementing a comprehensive cyber security program.

Here are a couple of conversation starters for Boards:

  • How has management determined the amount of cybersecurity insurance the company needs?
  • What level of cybersecurity insurance does management require for critical vendors?

No matter where your organization is at in its cybersecurity journey, LBMC can help.

We hope this article helps you and your Board shift the conversations and considerations around cybersecurity so that your Board members, company management, and information security personnel can work effectively together to implement a more effective cybersecurity program. To learn more about LBMC Cybersecurity’s comprehensive cybersecurity services, contact us today!