[BreachExchange] Cybersecurity progress will require speaking the right language

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 22 20:28:30 EDT 2017


http://www.bankingtech.com/915081/cybersecurity-progress-will-require-speaking-the-right-language/

Elizabeth Denham, the UK’s information commissioner, made an astute point
when she recently called for senior bank executives to get the same
cybersecurity training as front-line staff, following the global WannaCry
ransomware attack. But implementing the kind of comprehensive cyber defence
strategy which includes such training will require a monumental culture
shift at the top.

According to a UK government survey of over 1,000 UK businesses, 69%
categorise cybersecurity as a high priority. This is a promising figure,
but also one which is riddled with significant flaws. The most important of
these is the huge disparity between the number of firms which assert
cybersecurity as a high priority and the number which actually treat it as
one. In the same survey, seven out of ten businesses admitted they had no
formal, written cybersecurity policy. Nine out of ten attested to the lack
of a formal incident management plan at their firm.

This is extraordinary when you consider that cyberattacks have become the
number one threat to modern business, leaving a $500 billion bill for the
global economy, at an average cost of $3.8 million per breach, according to
Microsoft. To add insult to injury, the median amount of time that an
attacker resides in a network before detection is 146 days.

However, despite this financial risk and exposure to malicious intent,
company boards have been slow to adopt the leading role that is required.

Often, this lack of direction is driven by the misguided perception that
system security is an issue confined to the IT department. Boards expect
their CIO or CISO to resolve these problems, and move on to focus on
operational objectives.

But how can we incentivise any meaningful culture change in the people who,
by the definition of their position, have been in the industry the longest?
The answer lies in speaking to company boards using the language they will
understand.

One sure way to do this is to state the following: an effective
cybersecurity strategy will benefit the company’s balance sheet. When
companies decide who to do business with, risk is always a pivotal factor,
and so the better your security, the more attractive your services are.
Since board meetings are often directed towards strategy, presenting
cybersecurity in terms of financial risk and reward makes it an integral
part of a business plan, rather than just a peripheral issue.
Fundamentally, safety of operations can help you grow market share as your
firm becomes a low-risk option when compared with competitors.

The impending conflict between inept cyber plans and new regulatory
mandates exacerbates the problem of the lacking board response. The
implementation date for the EU’s General Data Protection Regulation (GDPR)
is now just over ten months away. Leaving the nitty gritty of what this
entails aside, board members need to be aware that holding vulnerable
customer data could result in a hefty fine being slammed on the table:
either €20 million or 4% of the company’s global turnover, whichever is
greater. Tell that to a CFO and the message will hit home.

Furthermore, cybersecurity apathy can be reduced by ensuring board members
share their experiences with industry peers, raising awareness of the
threats firms may be exposed to. Knowledge is key, and so if people
understand the huge impact that a data breach can have, then they are much
more likely to implement appropriate preventative measures and response
plans.

The board’s knowledge of what is going on in their industry will no doubt
be increased as GDPR sets in and fines become public knowledge.
Nevertheless, healthy industry dialogue can act as a more constructive and
more in-depth approach. Once boards come to realise that we are swimming in
a cesspool of criminality, they will take note.

Acting on these points would push boards to ask the right questions. Do
they have a functional cybersecurity strategy that incorporates protection
and detection capabilities as well as response plans? Have they checked
whether they can actually execute their response plans in real-time
scenarios? Have they run due diligence to ensure no data is left vulnerable
by third-party, partner companies?

Once such questions are answered, companies will develop a clear cyber
defence culture. This will not just make the data more secure in the short
term. It will engender a spirit of vigilance throughout the workforce so
that everyone is on the lookout for potential weaknesses, allowing solid
cyber defences to be routinely built into operational structures. After
all, once your boss cares about something, it is immediately in your
interest to care as well.