[BreachExchange] Cybersecurity is everyone’s responsibility – and it starts at the top

Audrey McNeil audrey at riskbasedsecurity.com
Wed Nov 16 20:09:58 EST 2016


http://www.csoonline.com/article/3140924/security/cybersecurity-is-everyones-responsibility-and-it-starts-at-the-top.html

Cybersecurity is a problem that every level in an organization faces, one
that goes well beyond the purview of a Chief Security Officer. Leadership
and all members of the executive management team must be committed, and
that commitment must radiate throughout every level of every department.

A laissez-faire attitude toward cybersecurity is like a bad stomach bug –
it only takes one person to infect the masses, then everyone suffers. If a
cybersecurity program isn’t supported by operations, production, finance,
sales, marketing and IT, your company will be left vulnerable to bugs and
plagues that will eat away at your profits and reputation. In addition, the
safety of the public may be at risk, and for those in the government, your
mission will falter, and your citizens will not be served.

We’ve seen what happens to enterprises that lack commitment at the top.
Yahoo’s request that customers change passwords after a recently discovered
breach was not accompanied by an aggressive and mandatory program to
enforce better cybersecurity. Reports that hundreds of millions of accounts
may have been compromised have shaken confidence in Yahoo’s core business.
The Office of Personnel Management (OPM) of the United States Government
has seen the compromise of millions of sensitive personnel records of
government employees and applicants. These events signal enterprise-level
failures, the consequences of which may endure.

Enterprise failures such as those at Yahoo and OPM are preventable. Top
leadership is in a role to do what no one else can do: communicate the
importance of cybersecurity throughout the organization. Leaders must pay
attention to cybersecurity issues. They must be visible and vocal, and they
must demonstrate knowledge of policy and regulatory requirements that
impinge on their business.

CEOs and other C-suite executives know that Sarbanes-Oxley requires the
presence of effective accounting controls. These same executives must take
responsibility for putting in place the controls required for effective
cybersecurity. Anything less is inexcusable.

But does this happen? When the Office of Personnel Management suffered two
breaches last year, the former director told Congress that no one was
individually responsible except for the perpetrators. If top leadership
isn’t responsible for putting programs in place, for managing the people
who do, or for requesting performance data on cybersecurity, who is? Top
leadership is in a role to ask questions and to communicate the vision and
value of a company. These are the things only leadership can do. That’s why
they are leaders. Leaders are responsible individually and collectively for
what their enterprises do and don’t do.

How to instill responsibility in everyone

Everyone in the organization needs to know their role in protecting the
company’s intellectual property, its mission, customers, employees, and the
public. They must be competent at execution in times of crisis and before
disaster strikes. Regular communications about cybersecurity policies and
procedures are required to align with and support the enterprise
cybersecurity program and its execution.

When leaders spell out the corporate priorities, they should discuss the
value of information and intellectual property to the enterprise and the
need to safeguard it.

Business unit managers, team leaders and supervisors need to be explicitly
accountable for the secure operation of their units within the
organization. They should also regularly discuss best practices with their
team.

Employees should see and read daily reports on cybersecurity best
practices. They should have immediate access to information via corporate
networks and other materials. Regular cybersecurity training should be
mandatory.

Stay ahead of potential crises

A well-defined strategy leads to more effective communications around the
enterprise-wide cybersecurity program. Leaders should ask the right
questions and consider options that help define a cybersecurity strategy.
They need to take an active interest in identifying and managing potential
gaps that typically hinder organizations, including:

Integration plans driven by acquisitions should address cybersecurity –
Leaders should ask what new cybersecurity threats and vulnerabilities are
inherited from an acquisition.

Keep cybersecurity managers during economic or corporate downturns –
Companies that drastically reduce the number of people who oversee
cybersecurity as a result of a downturn may create more security problems
and potential costs than if they kept a robust team in place.

Take ongoing inventory of technology assets – This is particularly
important as companies grow and change. Leaders need to know what
information is vulnerable, and they need to maintain important records,
such as who has administrative privileges to important files and systems.

Plan for breaches of social media platforms – Social platforms represent
significant problems as they are a common vehicle for spreading malware.
Cybersecurity managers should know what teams use social media and put in
place policies to prevent malware from infecting these platforms.

Know what information is at risk for ransomware – Leaders should keep an
inventory of information that is valuable enough to be a likely target for
ransomware and have a plan in place to handle scenarios should they occur.

Have a good communications plan in place – If a breach occurs, employees,
shareholders, regulators, customers, suppliers, and partners need to know
what’s going on, what leaders are doing about it, and their ongoing
commitment to resolving the situation and preventing similar incidents. A
thoughtful communications plan must be driven by what leadership needs to
convey to its constituents, delivered in an unhurried, deliberate, and
effective way. Use that level of communication before a breach is detected
to build stakeholder commitment throughout the enterprise.

A commitment to cybersecurity has to be institutionalized. Cybercrime is
more organized and sophisticated than ever before. Leaders must be mindful
in their approach to planning and communication, and outline with great
clarity ownership and responsibility to all.