Board Oversight of Cybersecurity Risk

Why CISOs and Boards Should Work Together to Improve Cybersecurity

Corporate board members often ask management specific questions that stop short of demanding metrics. It is this lack of measurable criteria that often hinders the effectiveness of cyber-security efforts.

First and foremost, it is imperative for the board to appreciate the impact that information security can have on the business. Boards should treat security as a top business risk as well as a top business opportunity. Major security events can significantly damage revenue and brand, and can lead to catastrophic results.

Board oversight of cyber-security has increased over the years. Even board members without technical expertise have had to become rapidly acquainted with IT risk and security concepts. In recent years, frameworks and best practices have emerged to help boards get a grip on their organizations’ cyber-security posture.

Specific Areas of Focus:

  • Information related to how the organization manages cyber-security, security awareness, and the enterprise risk management (ERM) program.

Breach Response Protocol

Corporate boards should receive regular reports from executives about the company’s cyber-security risks, management review processes, overall health, and readiness to respond to an incident. Best practices include quarterly reports from firm leaders and more frequent reporting if needed.

Company leaders should carry out incident response plan tabletop exercises annually at a minimum. Board members should expect reports on the test outcomes, including details about how the plan will be updated based on the test results.

Third-Party Risk

Regulators are increasingly targeting third-party risk. Wide-reaching laws like GDPR, and industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cyber-security Regulation and NERC CIP-013 in the utilities industry, provide specific requirements for managing third-party risk.

User-Related Risk

Human error can expose an organization to a wide array of cyber-attacks. Business leaders commonly state that employee negligence is the most common cause of data breaches. Phishing, for example, was implicated in 32% of data breaches in 2018. In addition, poor password practices, connecting to public Wi-Fi from company devices, and sharing files that contain malware are all examples of employee errors that could translate into huge costs for any organization.

In terms of board qualifications, 41% of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34% of organizations mentioned the frequency of board reports, with just 11% reporting briefing the board annually or quarterly.

Recommendations for Boards of Directors

Questions to ask:

  • Has responsibility for cyber-security been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?

  • Is the board getting regular briefings on the organization’s strategy regarding cyber-security risks and cyber resilience?

  • How engaged is the board in reviewing the organization’s cyber-risk management program and security-related investments?

  • How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?

Vinny La Rocca

CEO

CyberSecOp.com