[BreachExchange] New Year’s resolution for 2018: Cybersecurity is the top priority for the Board

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 28 19:40:48 EST 2017


http://www.securityinfowatch.com/article/12388559/new-years-resolution-for-2018-cybersecurity-is-the-top-priority-for-the-board

Right up to the end of the year, massive cyber attacks made immense waves
in 2017. In the year ahead, organizations must prepare for the unknown so
they have the flexibility to endure unexpected and high impact security
events. To take advantage of emerging trends in both technology and
cyberspace, businesses need to manage risks in ways beyond those
traditionally handled by the information security function, since
innovative attacks will most certainly impact both business reputation and
shareholder value.

Based on comprehensive assessments of the threat landscape, the Information
Security Forum recommends that businesses focus on the following security
topics in 2018:

- Crime-As-A-Service (CaaS) Expands Tools and Services
- The Internet of Things (IoT) Adds Unmanaged Risks
- Supply Chain Remains the Weakest Link in Risk Management
- Regulation Adds to Complexity of Critical Asset Management
- Unmet Board Expectations Exposed by Major Incidents

We’ve provided an overview for each of these areas below:

1. Crime-As-A-Service (CaaS) Expands Tools and Services

Criminal organizations will continue their ongoing development and become
increasingly sophisticated. The complex hierarchies, partnerships and
collaborations that mimic large private sector organizations will
facilitate their diversification into new markets and the commoditization
of their activities at a global level. Some organizations will have roots
in existing criminal structures, while others will emerge focused purely on
cybercrime. Organizations will struggle to keep pace with this increased
sophistication and the impact will extend worldwide, with cryptoware, in
particular, becoming the leading malware of choice for its threat and
impact value. The resulting cyber incidents in the coming year will be more
persistent and damaging than organizations have experienced previously,
leading to business disruption and loss of trust in existing security
controls.

2. The Internet of Things (IoT) Adds Unmanaged Risks

Organizations will adopt IoT devices with enthusiasm, not realizing that
these devices are often insecure by design and therefore offer many
opportunities for attackers. In addition, there will be an increasing lack
of transparency in the rapidly-evolving IoT ecosystem, with vague terms and
conditions that allow organizations to use personal data in ways customers
did not intend. It will be problematic for organizations to know what
information is leaving their networks or what data is being secretly
captured and transmitted by devices such as smartphones and smart TVs. When
breaches occur, or transparency violations are revealed, organizations will
be held liable by regulators and customers for inadequate data protection.
In a worst-case scenario, when IoT devices are embedded in industrial
control systems, security compromises could result in harm to individuals
or even loss of life.

3. Supply Chain Remains the Weakest Link in Risk Management

Supply chains are a vital component of every organization’s global business
operations and the backbone of today’s global economy. However, security
chiefs everywhere are concerned about how open they are to an abundance of
risk factors. A range of valuable and sensitive information is often shared
with suppliers and, when that information is shared, direct control is
lost. This leads to an increased risk of its confidentiality, integrity or
availability being compromised. In the coming year, organizations must
focus on the weakest spots in their supply chains. Not every security
compromise can be prevented beforehand, but being proactive now means that
you, and your suppliers, will be better able to react quickly and
intelligently when something does happen. To address information risk in
the supply chain, organizations should adopt strong, scalable and
repeatable processes — obtaining assurance proportionate to the risk faced.
Supply chain information risk management should be embedded within existing
procurement and vendor management processes. This readiness may determine
competitiveness, financial health, share price, or even business survival
in the aftermath of a breach.

4. Regulation Adds to Complexity of Critical Asset Management

New regulations, such as the European Union General Data Protection
Regulation (GDPR), will add another layer of complexity to the issue of
critical information asset management that many organizations are already
struggling with. The GDPR aims to establish the same data protection levels
for all EU residents and will focus on how organizations handle personal
data. Businesses face several challenges in preparing for the reform,
including a widespread lack of awareness among internal stakeholders. The
additional resources required to address the obligations are likely to
increase compliance and data management costs while pulling attention and
investment away from other important initiatives. In the longer term,
organizations will benefit from the uniformity introduced by the reform.
But it is not just in the area of privacy where legislation will bite. The
increasing burden of compliance and legislative variances across
jurisdictions will add to the load on multinationals and on businesses
targeting international trade.

5. Unmet Board Expectations Exposed by Major Incidents

Boards will expect that their approval of increased information security
budgets will have enabled the Chief Information Security Officer (CISO) and
the information security function to produce immediate results. However, a
fully secure organization is an unattainable goal, and many boards are
unaware that making substantial improvements to information security will
take time – even when the organization has the correct skills and
capabilities. Consequently, the expectations of boards will quickly
accelerate beyond their information security functions’ ability to deliver.
Misalignment between a board’s expectations and the reality of the security
function’s ability to deliver will be most cruelly exposed when a major
incident occurs. Not only will the organization face substantial impact,
the repercussions will also reflect badly on the individuals and collective
reputations of the board members.

A Continued Need to Involve the Board

The role of the C-Suite has undergone a significant transformation over the
last decade. Public scrutiny of business leaders is at an all-time high, in
part due to massive hacks and data breaches. It’s become increasingly clear
in the last two years that in the event of a breach, the hacked
organization will be blamed and held accountable. That means everyone in
the C-suite is potentially on the chopping block.

The executive team sitting at the top of an organization has the clearest,
broadest view. A serious, shared commitment to common values and strategies
is at the heart of a good working relationship between the C-suite and the
board. Without sincere, ongoing collaboration, complex challenges like
cybersecurity will be unmanageable. Covering all the bases—defense, risk
management, prevention, detection, remediation, and incident response—is
better achieved when leaders contribute from their expertise and use their
unique vantage point to help set priorities and keep security efforts
aligned with business objectives.

Given the rapid pace of business and technology and the countless elements
beyond the C-suite’s control, traditional risk management simply isn’t
nimble enough to deal with the perils of cyberspace activity. Enterprise
risk management must build on a foundation of preparedness to create risk
resilience by evaluating threat vectors from a position of business
acceptability and risk profiling. Leading the enterprise to a position of
readiness, resilience and responsiveness is the surest way to secure assets
and protect people.

Incidents will happen as it is impossible to avoid every breach. But you
can commit to building a mature, realistic, broad-based, collaborative
approach to cybersecurity and resilience. Maturing your organization’s
ability to detect intrusions quickly and respond expeditiously will be of
the highest importance in 2018 and beyond.