Preface
Gone are the days when cybersecurity was considered an area of expertise for a select few. As more and more organizations go online and incorporate the internet into their various levels of functioning, the need for basic awareness of cyber safety measures among all stakeholders, particularly board and C-suite members, increases. A top-down approach is always healthy and advisable when it comes to cyber hygiene. However, this is easier said than done, because not all board members bring the same understanding of security and risk management measures. The first step is to make cybersecurity a familiar concept to all the top-level executives running an organization, so that the head of each business vertical can be brought up to date on the technical details when a cyberattack does target their organization. After all, the question is not whether cyberattacks will target our organizations; it is whether we will be equipped with adequate risk mitigation and management strategies when they do.
Today, you do not need to run a renowned or flourishing enterprise to become a cyberattack victim. Cybercrime is gradually evolving into a well-structured industry in which malware, security loopholes and the ways to exploit them, stolen data and intelligence, and so on, are traded among threat actors. State-sponsored hackers and threat actor groups engage in cybercrime mostly for financial gain, but also to compromise confidential intelligence held by organizations. This book, titled "Cybersecurity: Risks and Challenges Facing the Board and the C-Suite and The Way Forward," was written to prepare board and C-suite executives to have a dialogue on their preparedness for the eventuality of a cyberattack.
Cybersecurity is not the domain-specific responsibility of the CIOs, CISOs, or CTOs; it goes above and beyond these C-suite executives, and for them to deliver a series of risk prevention and management measures, ample support is required from the board and other stakeholders. When an attack occurs, there is much more at stake than the organization's reputation. Recovery from an attack also involves legal, operational, usability, and cost issues, and that is where the C-suite looks to the board or senior management team for assistance. Establishing transparency in this entire process, so that the same version of the truth is known to all and the same sense of urgency is felt by everyone from top to bottom, is one of the foremost steps to enhancing an organization's cybersecurity capabilities.
All members must exhibit equal involvement and consistent efforts at strengthening the organization's security systems to ensure a secure working environment and the long-term sustenance of the organization in this perennially cyberattack-prone world. This book attempts to give insights to the board and C-suite executives into making cybersecurity an organizational affair rather than a departmental or expertise-based topic.
Introduction
Cybersecurity is more than an IT issue; it is an enterprise-wide risk management concern. Board leaders globally report that cyberattacks are among the riskiest factors facing their businesses. This makes it all the more important for the C-suite and senior management leaders to discuss their organization's cyber readiness and incident response plan. While most cybersecurity decisions in an enterprise are the brainchild of the C-suite, they still need to establish a dialogue with the board. They need to update the board on the latest technology upgrades required and the risks and loopholes in the system, and discuss all hurdles on the way to creating an attack-resilient working space. If in doing this the C-suite fails to communicate its ideas to the board, there may be uncertainty in dealing with a cyber incident. There is a dire need to change how we perceive cybersecurity: it is not about fear but about business innovation. The C-suite needs to take account of the varied backgrounds and differing cybersecurity acumen of board members, and make room for them, before presenting its cybersecurity pitch. All this and more is highlighted in this book, written solely for the benefit of board and C-suite executives.
Becoming the victim of a cyberattack makes an organization undergo a host of tangible and intangible costs, from stolen funds and intellectual property to system and legal damages, from regulatory fines and financial compensation to loss of customers and business partners' trust. Therefore, organizations must identify various cyber risks, such as third-party attacks, patch management, insider threats, etc., while formulating their cybersecurity strategies. When the senior-level leadership takes an interest in this process, the end goal of creating a more secure, vigilant, and resilient business is achieved.
Titled "Cybersecurity: Risks and Challenges Facing the Board and the C-Suite and The Way Forward," this book gives a holistic, descriptive, and well-researched overview of how cybersecurity should be perceived. It highlights several aspects, including the role of the board and the C-suite in ensuring cybersecurity, the various challenges ahead, and the mitigation measures to create a better and safer digital space for their organizations. At its core, the book propagates that perceiving cybersecurity as a joint capability makes the organization cyber resilient, which means that cyberattacks might target them, but they will already have the required cyber literacy, concepts, tools, and strategies in place to identify, prevent, and overcome these attacks.
Cybersecurity for the Board and C-Suite
1.1 Is Cybersecurity Everyone's Responsibility?
1.1.1 Tone at the Top
1.1.2 Board's Role
1.1.3 Board Participation in Policy and Advisory
1.1.4 The Potential Cost of a Data Breach
1.2 Why the Board and C-suite Are at Risk
1.2.1 The Online Presence and Connectivity
1.2.2 Time and Urgency of Tasks at Hand
1.2.3 Failing to Take Advice From Security Experts
1.3 Why the Board and C-suite Should Care
1.3.1 Reputation
1.3.2 Regulations
1.3.3 Finances
1.3.4 Resilience
1.3.5 Risk Appetite
1.3.6 Accountability
1.4 The Key Responsibilities
1.4.1 Due Care
1.4.2 Due Diligence
1.5 Conclusion
1.6 References
A data breach can have severe consequences for enterprises, including loss of intellectual property, regulatory investigations, and financial risk originating from fake transactions. The greatest risk is the organization's reputation and trustworthiness in the eyes of its customers, employees, investors, and other stakeholders. The Board and C-suite's role is vital in ensuring that the organization effectively manages its cybersecurity risk and preserves the confidentiality, integrity, and availability of crucial information assets. Hence, the Board must prioritize cybersecurity appropriately and ensure that the cybersecurity procedures and policies are maintained and adequately funded. Besides, their role in creating a cybersecurity-aware culture within the organization is paramount.
1.1 Is Cybersecurity Everyone's Responsibility?
Organizations today witness the erosion of trusted perimeters, a rising number of advanced persistent threats, and a proliferation of devices. Hence, one must understand that gone are the days when cybersecurity was the concern of the IT department alone [1] (Parra, 2017). Employees need to realize that the security of information is not the domain of a particular department in the organization. It is everyone's responsibility, from the executive suite to the most junior employee.
1.1.1 Tone at the Top
The C-suite or Board's commitment or 'the tone at the top' plays a crucial role in creating a cyber-aware culture within the enterprise where cybersecurity is thought of and accepted as everyone's responsibility. The top executives collaborate with employees, users, business partners, and technologists to ensure that procedures, policies, and best practices get implemented. They can lead efforts to:
Classify the information assets by understanding what is vital to the organizational mission.
Craft a cybersecurity framework and document a security program to ensure everyone understands the security policies, procedures, guidelines and controls.
Address risks while implementing and updating information systems [2] (UW–Madison Information Technology, 2016).
Ensure that employees and system users are more attentive when using or sharing information.
1.1.2 Board's Role
The Board plays a crucial role in shaping the enterprise cybersecurity culture and keeping confidential and sensitive information assets safe. In an oversight role,
The Board looks at the organization's financial controls and systems.
It oversees its overall cybersecurity management, including appropriate systems, processes, risk mitigation strategies, and controls.
It treats forming a governance perspective as its key responsibility. The Board's key priority is to verify that management has a clear view of how the business will be affected in the event of a cyber-attack [3] (Deloitte, 2021).
Additionally, they must have the appropriate skills, the right approaches, and adequate resources to minimize the likelihood of a breach and minimize damages.
1.1.3 Board Participation in Policy and Advisory
Simply 'being aware' of imminent cyber threats is not enough for the Board in today's 'New Normal' situation. They must understand each data breach's criticality and know the necessary steps to manage and mitigate the security risks. The Board must adequately prioritize cybersecurity and ensure protective procedures and policies are in place, followed, and appropriately funded for future updates. They should thoroughly analyze the organization's most valuable information assets and determine the risk each might present if there is a cyber breach or loss. A discussion around prioritizing risks and mitigating them should take place among the Board of directors and senior executives [4] (Spencerstuart, 2015).
1.1.4 The Potential Cost of a Data Breach
As discussed earlier, there is a substantial monetary impact for modern organizations of all shapes and sizes suffering a data breach. IBM's 2022 Cost of a Data Breach report states that the average cost of a data breach reached a new high of $4.35 million globally. The figure is a 2.6% increase from 2021 and a 12.7% rise from 2020. Other key findings of the report are:
The total cost average for a ransomware breach is $4.54 million, higher than the average data breach cost.
The average per capita (per record) cost of a data breach rose by 10.3% from 2020.
In 2021, lost business opportunities took the largest breach cost share, at an average of $1.59 million.
The average cost of a breach having a lifecycle greater than 200 days is $4.87 million.
Apart from the financial implications, there are indirect costs for the organizations suffering a breach, as listed below.
Reputational Damage: Organizations find that customer conversion costs become higher, their brand name does not command the same price premium, and market share gets lost. For a public sector enterprise, the near-term cost impact assessment gets reflected in stock price movement [13] (Hill, M., 2022).
Severe business downtime: Often, a breach will not take an enterprise completely offline, but its possibility cannot be eliminated. The business continuity and recovery costs will keep increasing as more critical systems continue to go down.
Regulation and litigation: Enterprises are seeing large fines and paying hefty settlements because data privacy and protection laws are becoming increasingly strict.
1.2 Why the Board and C-suite are at Risk
Executives are the top targets for smart and patient threat actors not because they are strapped for time but because they possess the most valuable information about an organization. The iPass Mobile Security Report states that over 500 CIOs and IT decision makers from the US, the UK, France, and Germany consider C-level executives to pose the greatest cybersecurity threats [5] (Cohn, B., 2017).
A global survey of C-suite executives by Nominet indicates that 71% of the top executives admitted they did not know enough about the major threats their organizations face [6] (Ciphertex, R., 2019). Such serious gaps in cybersecurity knowledge make them even more vulnerable to attack, when they are already easy targets for the following reasons.
1.2.1 The Online Presence and Connectivity
C-level executives travel frequently, are public-facing, and connect from unsecured locations and networks while on the move, such as hotels, airports, and client sites. Moreover, they have access to privileged information, are under fewer security constraints than others, and are usually surrounded by an "entourage" of privileged people who provide easy access to the executive. Executives have more attack vectors (ways one can breach an individual or a corporation) than the average employee [7] (Samhat, A., 2020).
1.2.2 Time and Urgency of Tasks at Hand
Executives, usually pressed for time, end up making split-second decisions. Imagine you have fifty new emails and only fifteen minutes to go through them before your next meeting. In such a situation, you typically do not have time to adequately gauge the legitimacy of each email. You see an urgent message from the accounting department asking you to review the budget by clicking on it, but it could be a fake document containing a malicious file [5] (Cohn, B.).
1.2.3 Failing to Take Advice From Security Experts
According to a Radware study, 82% of CEOs believed they had a "high" level of information security knowledge. However, the disparity between the findings of the Nominet report and the CEOs' self-assessment indicates a false sense of security. It is reflected in the low level of acceptance and buy-in of advice from security employees: only 36% of CISOs say senior management takes their advice regularly [6] (Ciphertex, R., 2019).
1.3 Why the Board and C-suite Should Care
Executives' growing exposure to cyber-attacks highlights the need for enterprises to take a comprehensive approach to managing cyber security risks rather than leaving it to the IT security team to resolve. Given their key role in promoting development, learning, and change management, the Board and C-suite leaders are crucial players in the cyber resilience journey. This assumes greater significance because cyber-attacks result in costs for the enterprise that go beyond financial losses.
1.3.1 Reputation
These days, every enterprise collects data from its clients, which it must store securely. In every business, adequate cybersecurity procedures give your clients peace of mind that their confidential data is safe with you. You may not suffer a breach today or tomorrow, but if you skimp on cybersecurity and do not define robust standards, your organization will suffer damage greater than financial loss: a blow to the brand's reputation. Whether the attack leads to lawsuits, monetary losses, or reputational damage, it will affect your bottom line [8] (GrowthForce).
1.3.2 Regulations
Adhering to industry compliance standards helps keep employees safe and protects organizations from lawsuits. Additionally, a good compliance culture can make employees more productive. One of the most crucial things the C-suite executives can do is model the compliance culture at the office. If they show others that compliance matters to them, it will send ripple effects throughout the organization [9] (Kashmer, K., 2021).
1.3.3 Finances
Investing in cybersecurity technology and expertise is a financial outlay that some executives may want to trim. However, if their organization becomes the victim of an attack, they may have to shell out more for:
Notifying affected parties about the breach
Insurance premiums
Public relations support
Attorney fees and damages from civil cases against the enterprise.
1.3.4 Resilience
Business continuity enables organizations to continue their core business functions when faced with an attack, disaster, or other disruptive event. Often, their disaster recovery plans revolve around natural disasters. A good recovery plan will include remaining cyber resilient during events and other occurrences that put the organizational systems at risk [11] (Microfocus). Thus, the C-suite must define policies to sustain business operations while ensuring non-stop business transformation and customer outreach during times of crisis.
1.3.5 Risk Appetite
While minimizing risk is a key part of the equation, the C-suite must also consider technology in the business context. They must evaluate and work out appropriate tradeoffs between risk, innovation, and growth [12] (Minar, M., 2022). To set the boundaries, the enterprise's cybersecurity strategy must align with the risk capacity, risk appetite, and level of risk an organization can accept in pursuit of its business objectives.
1.3.6 Accountability
As with most culture changes, building organizational cyber resilience works better when executives lead by example: defining and modeling a culture where employees believe it is their responsibility to maintain a level of cyber vigilance. Everyone within the enterprise holds some responsibility for cyber risk. However, with everyone responsible and executives busy performing their legacy duties, enterprises can fail to designate an appropriate leader who is ultimately accountable for cyber risk.
Cyber risk is critical for everyone within the enterprise, but the ultimate responsibility rests with top leaders. Implementing comprehensive cyber awareness training, cross-functional governance programs, and collaborating with development and learning experts in HR can accelerate cyber risk maturity. Additionally, setting cyber maturity goals and expanding cyber resilience accountability to leaders beyond the Chief Information Security Officer (CISO) is crucial [7] (Samhat, A., 2020).
1.4 The Key Responsibilities
Leaders who develop a deeper view of their organizational position regarding cyber risk gain a critical understanding for managing the business better. Effective cyber risk management starts with Board and C-Suite awareness. Sharpening their ability to understand risk, tailor performance, and move the enterprise closer to cyber maturity begins with answering a few critical questions.
1.4.1 Due Care
Many organizations focus on education and awareness as they strengthen their cybersecurity posture to become more vigilant, secure, and resilient. But how do you change employee behavior? Guidance should come from the C-Suite and Board. They must take due care that:
Employees' values, interests, and ethics align with the enterprise's cyber risk strategy, tolerance, appetite, and approach.
Executives are comfortable talking honestly and openly about cyber risk using an acceptable vocabulary that promotes shared understanding.
Organization-wide awareness and education campaigns on cyber risk reach everyone (employees, contractors, third parties, etc.).
Staff take personal responsibility for risk management and proactively seek to involve higher management when needed.
1.4.2 Due Diligence
Determining the right accountability at the C-suite level is essential. If oversight consists merely of a 5-minute update on cyber events, you are not doing enough to manage risk effectively. The organization achieves high maturity in due diligence when:
The Board and C-Suite are responsible for overseeing the development of a cyber risk initiative and confirming its implementation. A C-level executive is accountable for cyber risk management.
The Board and C-Suite are informed about cyber threats and their potential impact on the enterprise.
The Board includes one or more members, or leverages strategic advisors, who understand cyber and IT risks.
An established senior management-level committee is dedicated to the cyber risk issue.
Due diligence is evident in regular budget analysis, updates, and challenging questions to top-level executives [14] (Deloitte).
1.5 Conclusion
With the more advanced, pervasive, and dynamic cyber threats faced by enterprises today, the need of the hour is to design and implement enterprise-wide security solutions comprising policies, tools, and monitoring mechanisms. The Board and C-suite must rise to their role of providing operational and management oversight for cybersecurity operations. Finally, as industrial systems move towards increased digitization in Industry 4.0, such enterprise-level security initiatives should focus on IT/OT (Information Technology/Operational Technology) integration to fully ensure the confidentiality, integrity, and availability of critical data assets.
1.6 References
[1] Parra, K. (2010). Cybersecurity: It's Everyone's Responsibility. Nist.gov. https://www.nist.gov/system/files/documents/2017/01/25/kparra_cybersecurity-responsibility.pdf
[2] UW–Madison Information Technology. Principle 1: Security is everyone's responsibility. https://it.wisc.edu/learn/cybersecurity-and-safety-principles/principle-1-security-is-everyones-responsibility/
[3] George, D., & Garg, V. (2021). The changing role of the Board on Cybersecurity. Deloitte.com. https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-changing-role-of-the-board-on-cybersecurity-noexp.pdf
[4] Dickstein, M. (2015, August). Cybersecurity: The Board's role. Spencerstuart.com. https://www.spencerstuart.com/research-and-insight/cybersecurity
[5] Economist Education. Learning Redefined. https://execed.economist.com/blog/industry-trends/c-level-execs-and-ex-employees-pose-greatest-cybersecurity-risk
[6] Ciphertex. (2019, August 4). Cybersecurity Accountability Spread Thin in the C-Suite. https://ciphertex.com/cybersecurity-in-the-c-suite/
[7] The One Brief. When the top is targeted: Protecting the C-suite from cyber risk. https://theonebrief.com/when-the-top-is-targeted-protecting-the-c-suite-from-cyber-risk/
[8] GrowthForce. Major failure in the C-suite: CEOs need to take more caution in cybersecurity. https://www.growthforce.com/blog/ceos-caution-cybersecurity
[9] ComplianceLine. (2021, October 17). The C-suite's role in a culture of compliance. https://complianceline.com/the-c-suites-role-in-a-culture-of-compliance/
[10] Investopedia. (2022, July 13). 6 ways cybercrime impacts business. https://www.investopedia.com/financial-edge/0112/3-ways-cyber-crime-impacts-business.aspx
[11] Microfocus. What is cyber resilience? https://www.microfocus.com/en-us/what-is/cyber-resilience
[12] Minar, M. (2022, February 23). If cyber risk is an unavoidable truth, what's your true cyber risk appetite? EY. https://www.ey.com/en_ch/cybersecurity/if-cyber-risk-is-an-unavoidable-truth-whats-your-true-cyber-risk-appetite
[13] Hill, M. (2022, August 23). What is the cost of a data breach? CSO Online. https://www.csoonline.com/article/3434601/what-is-the-cost-of-a-data-breach.html
[14] Deloitte. (2017). Assessing Cyber Risk: Critical questions for the Board and the C-suite. https://www2.deloitte.com/content/dam/Deloitte/ch/Documents/risk/ch-en-risk-assessing-cyber-security.pdf
2.1 A Lack of Cybersecurity Awareness Among the Board and Management
2.1.1 The Risk
2.1.2 The Impact
2.2 Managing the Unknown
2.2.1 Underestimating or Not Knowing the Enemy
2.2.2 Not Preparing for Risks
2.3 People, Process, and Technology Risks
2.3.1 People
2.3.2 Process
2.3.3 Technology
2.4 Risks Lurking in Supply Chains
2.4.1 Supply Chain Risks
2.4.2 Risk Mitigation
2.5 Data Breaches
2.5.1 Data Security Risks
2.5.2 Data Privacy Mitigation
2.6 Third-party Risk Management
2.6.1 Vendors and Contractors
2.6.2 Third-party Applications and Systems
2.7 Conclusion
2.8 References
Cybercriminal activities involving phishing, ransomware, and data breaches target multiple sectors and supply chains very frequently. Therefore, boards are finally giving serious attention to cybersecurity. Two-thirds of C-Suite executives see cybercrime as the leading threat to their organizations.
They have learned that a cybersecurity incident can disrupt businesses, bring down share values, invite litigation, initiate leadership turnover, and destroy reputations. Organizations looking to establish a market foothold and stabilize and maintain their positions must align internal processes and incorporate cybersecurity at the very top, starting with the C-Suite.
2.1 A Lack of Cybersecurity Awareness Among the Board and Management
Cybersecurity is a shared responsibility rather than an achievement in isolation. Leadership and board oversight are concerned with cybersecurity issues, and the tone at the top must drive change and shift the focus to understanding the strategic issues. Since most of the board may lack adequate experience in IT and cyber risks, cybersecurity is often left to the expert circle to resolve [1] (Deloitte, 2021).
This culture must change as a lack of awareness makes threat actors target high-profile officials and positions with less expertise in managing cybersecurity. It often leaves organizations vulnerable to cybersecurity incidents and cyber-attacks. Did you know that only 40% of organizations believe that the board members truly understand cybersecurity? That is astounding since the C-Suite is highly targeted by malicious actors and faces various threats of high severity.
2.1.1 The Risk
There is a high need for board members who understand cybercrimes' impending threat to organizations. Top-rated threats, such as malware, phishing, DDoS (Distributed Denial of Service), social engineering, and ransomware attacks, require the attention of business leaders.
Hiring and retaining the right team of people with adequate cybersecurity skills is another challenge that organizations and the board as a whole face. When a person with significant experience and expertise in an enterprise's IT systems and applications leaves, the risks are significant. Sophos says the cybersecurity skills shortage is here to stay, with 73% of organizations expecting difficulties recruiting cybersecurity employees in the next two years. Furthermore, the attack vectors of tomorrow will be similar to the top ones present today, which means the risk will remain the same [2] (Sophos, 2022).
2.1.2 The Impact
If a given cybersecurity risk materializes, the impact could be both positive and negative.
Many organizations often change cybersecurity strategies following an attack or breach, and only 16% of organizations make quarterly changes.
Other organizations may face the consequences such as lawsuits, regulatory fines, etc.
Vendors may assume the role of educating executive teams and the board, which may not be effective as 60% of respondents believe the vendors fail to provide the correct information regarding cybersecurity awareness to educate the board adequately.
And the entire organization may have to bear the impact when any cyberattack hits inadequately trained or unaware C-Suite or board members.
As this is the situation, board members must assess cybersecurity gaps and understand the correct steps to take in case of a breach [2], forming a critical part of digital transformation and protection (Sophos, 2022).
2.2 Managing the Unknown
As Donald Rumsfeld, the former US Secretary of Defense (1975 to 1977, 2001 to 2006), put it, beyond the knowns there are also unknown unknowns, which often present the greatest difficulties. The quote certainly fits the cybersecurity world, as no single technique can guard an organization from the diverse attacks it may face. That is why managing unknown threats by combining emerging technologies is key to cybersecurity protection and improvement [3] (eWeek Editors, 2022).
2.2.1 Underestimating or Not Knowing the Enemy
As organizations and industries continue to advance technologically and emphasize tangible assets such as reputation, brand, knowledge, clientele, and intellectual property, the unknown threat of malicious actors hiding in the shadows waiting to hit requires attention. Cybercrime is among the most underestimated economic risks [4] (Development Asia, 2022). The board must learn from the COVID-19 pandemic and the transforming world that preparing to handle abnormal and unknown circumstances will provide an edge over threat actors and their evolving malicious attempts and threats.
2.2.2 Not Preparing for Risks
Amid ongoing international cyber warfare, active threat actors, and advanced state-sponsored attacks, malicious actors hold organizations hostage until ransom and other demands are met [6] (Mezic, I., 2022). The board of directors must become knowledgeable participants in cybersecurity oversight and understand that cybersecurity means much more than mere data protection.
Suppose the board does not recognize the risks to the organization's reputation, finances, client data, and business continuity, and continues to treat cybersecurity as a technical problem rather than an organizational one [7] (Pearlson K., Neto N., 2022). In that case, the risks may eventually be the organization's downfall, leaving it in an unrecoverable state following a cyberattack.
2.3 People, Process, and Technology Risks
Cyber risk governance is a three-pronged approach covering people, process, and technology risks. 'People' concerns the human elements, such as vendors, customers, and the workforce, while 'process' covers operational elements, such as risk reporting, rules, regulations, and oversight. 'Technology' concerns implementing the right mechanisms to automate processes and help the organization become smarter and more effective.
Once the board understands the risks that could arise from these three elements and how to maintain the delicate balance among them, it will be a step closer to achieving the best practical approach with a robust management framework for cyber risk governance and a cyber-secure organizational environment [8] (Nasdaq MarketInsite, 2019).
2.3.1 People
People could be the weakest link in the cybersecurity chain. The following are the typical risks that could arise from the 'people' component.
Lack of Cybersecurity Awareness Among Employees: A lack of cybersecurity awareness among the workforce is a significant red flag concerning the protection of any organization. The Board's role is to spread cybersecurity awareness and promote a cyber-aware culture.
Human Errors and Accidents: With over 90% of cyberattacks resulting from human errors, the board, the managers, and the stakeholders must emphasize cybersecurity and promote a security-first approach to protect the organization at the unit and department level.
Customers, Vendors, and Third-party Contractors: The involvement of customers, vendors, service providers, and third-party contractors also opens any organization to cyber risks. Since external parties can access the organization's database to some extent, they could interfere with the business network and introduce hazards into the supply chain or the ecosystem.
Strong IAM and PAM: The organization must scrutinize C-suite executives, partners, and privileged vendors with access to internal organizational or customer data, systems, and processes for adequate cybercrime protection [9] (Chipeta C., 2022). At the same time, the board must help information security teams to implement robust identity and access management (IAM) and privileged access management (PAM) systems.
2.3.2 Process
Process-related risks may be the result of an absence of process or inadequacy of the existing processes around managing cybersecurity risks.
A lack of effective and efficient processes, such as cybersecurity risk reporting, incident management, and BCP-DR (Business Continuity Planning and Disaster Recovery), is one of the main factors that add to the severity of process-related cyber risks.
If the processes are not designed accurately and with security in mind, with information gaps and risk managers flying blind, low-priority information assets may be overprotected and part of high-priority ones ignored.
However, the following tools may come in handy for the C-suite and board members in gaining a high-level overview of the enterprise cybersecurity posture:
Processes around advanced management information systems (such as a dashboard or single pane of glass cloud console) may provide executives the power to transform organizational cyber resilience by offering risk transparency.
A robust cyber risk management process could be an effective solution if supported by accurate and timely information.
A holistic cyber risk management information system and processes that include transparency, a risk-based overview, and a return on cyber investments can go a long way in protecting enterprise information assets10 (Boehm, J. et al., 2020).
2.3.3 Technology
One of the main technology factors contributing to cyber risks is using legacy systems. The threat of legacy technologies and the benefits of transitioning from such systems to advanced technology solutions are briefly elaborated on below.
Legacy or Outdated Solutions:
Every vulnerability in a system invites challenges from malicious actors. Legacy systems are a critical technology component that leads to significant threats to cybersecurity as they cannot accommodate the latest security features such as encryption methods, role-based access, MFA (Multi-Factor Authentication), and automation11 (Rani, R., 2020). The board must improve the security framework by regularly investing in the latest solutions and assessing the systems for risk exposure.
Transitioning from Legacy Technologies to State-of-the-Art Technologies:
Legacy infrastructure is notoriously vulnerable to cyber-attacks. By adopting cloud-based platforms that are open and secure, organizations can form a modular ecosystem that integrates various technologies, comes bundled with cybersecurity, and appeals to customers who can interact seamlessly12 (Katara S., 2022). Cloud vendors and service providers ensure information is not vulnerable to threat actors and offer tools most suitable for a broad spectrum of business activities.
2.4 Risks Lurking in Supply Chains
Supply chains have always adopted the latest technology and evolved like clockwork. However, the technologies that build supply chains also threaten their cybersecurity through pitfalls and vulnerable loopholes.
2.4.1 Supply Chain Risks
The C-Suite needs to understand that with manufacturers, suppliers, service providers, and the workforce involved, various touchpoints can harm the supply chain through attacks such as the following13 (Lukić, D).
Supply Chain Breaches: These are security breaches in which attackers infiltrate operating systems or the supply chain network to delete, replicate, or corrupt data.
Malware Attacks: These are caused by malicious software that infects systems with malicious code and halts operations. Malware can launch a DoS (Denial of Service) attack or deploy ransomware, which denies access to data and systems until a ransom is paid.
Data Breach: Data breaches happen because of successful infiltration attempts by threat actors through a phishing attack or similar social engineering tactic.
2.4.2 Risk Mitigation
The board is responsible for fully comprehending the business's supply chain threats. Hence, it needs to hire professionals and work with cybersecurity teams to assess all cybersecurity measures, improve current standards, and treat cybersecurity as an ongoing process instead of a one-time effort13 (Lukić, D). The C-Suite and the board should:
Develop a minimum cybersecurity standard (the baseline) for suppliers in contracts and establish rules to enforce the standard.
Limit the number of suppliers and select reputed vendors that provide highly secure service.
Encourage open reporting in the organization to prioritize problems and deploy countermeasures rapidly and effectively.
2.5 Data Breaches
No industry is safe from data breaches, as many recent cases show. Some examples are the Harbour Plaza Hotel Management data breach that affected 1.2 million customer records, the Pegasus Airlines data breach that compromised 23 million files, and the malicious extraction of 60 GB of voter data from the Philippines COMELEC (Commission of Elections)14 (Tunggal, A., 2022).
The board members must learn and understand the privacy requirements and take on unique approaches to managing critical data. Studies show that 75% of board members who engage in privacy matters struggle to understand the implications and obligations that come with data. This calls for quality training and awareness, and for the implementation of robust data privacy practices involving the C-suite, so that the organization is protected at the operational and technical levels15 (Bergman, K., 2019).
2.5.1 Data Security Risks
A lack of board participation, inaccurate information, and the absence of security discussions leave organizations vulnerable. Data security begins not in IT but with the Board of Directors. A board that prioritizes data security can establish a strong 'security first' culture and break internal silos, facilitating strategic collaboration in the enterprise16 (Ho, J., 2021). No single formula suits all organizations, but building a team of stakeholders, including CISOs, establishing board-level oversight, and holding regular security briefings are some actions that can propel an organization towards robust security.
2.5.2 Data Privacy Risks
With data collected from the workforce, partners, and clientele to power the latest technologies of AI (Artificial Intelligence) comes the risk of exposure or loss of such data due to cyberattacks. Attacks include espionage, data exfiltration, software exploits, or data breaches. Reviewing the key issues, regulatory developments, and board oversight of enterprise data privacy policies should be a priority17 (NACD, 2022). The board must recognize that efficiently handling critical matters is key to minimizing data privacy risks and should invite researchers and experts to share evolving data privacy and cyber threat knowledge.
2.6 Third-party Risk Management
Third parties are an integral part of any business. However, they often carry substantial cybersecurity risks for the organization. Evaluating and managing the third parties that any organization relies upon is an essential role that corporate boards must include in their duties.
2.6.1 Vendors and Contractors
Third-party vendors and contractors often handle critical business and customer data, which creates crucial data security challenges. Hence, the organization must implement an efficient and effective third-party risk management program, but only after establishing a suitable board committee covering vendors and contractors. Regardless of the structure chosen, the board remains responsible for oversight of the third parties that the organization involves in its business18 (PwC).
2.6.2 Third-party Applications and Systems
Outsourcing has been an indispensable business component for organizations worldwide, especially in the insurance and investment sectors. With third-party applications and systems becoming the norm and cloud adoption creating many new endpoints, it is crucial for board members to apply a proactive and comprehensive approach to third-party application management and extend the scope of control required. A third-party application or supplier risk framework as a whole will help define ownership and governance among internal stakeholders19 (McKinsey & Company, 2017).
2.7 Conclusion
Organizations worldwide are stepping up to prioritize cybersecurity, and board members are key to establishing the groundwork for a cyber-secure enterprise. As cyber threats have increased, board executives have become aware of their organizations' potential risks. A 'security first' approach is crucial for the future of any enterprise or business, which is why board members must start embracing this trend seriously or start preparing for the tide that could topple their empires.
2.8 References
Deloitte. (2021). Cyber security: everybody's imperative: A guide for the C-suite and boards on guarding against cyber risks. https://www2.deloitte.com/content/dam/Deloitte/ky/Documents/risk/KY-RA-CyberSecurity-Everybody'sImperative_Aug2021.pdf
Sophos. (2022, April). The Future of Cybersecurity in Asia Pacific and Japan.
EWeek. (2022, March 8). Detecting the unknown unknowns in cybersecurity. https://www.eweek.com/security/detecting-cyber-security-threats/
Hacker, P. (2020, June 25). The Cost of Underestimating Cybercrime. Development Asia. https://www.development.asia/printpdf/insight/cost-underestimating-cybercrime
Maluf, D. (2018, August 13). MANAGING UNKNOWN-UNKNOWNS IN CYBER-SECURITY. Technical disclosure Commons. https://core.ac.uk/download/pdf/234667526.pdf
Mezic, I. (2022, May 16). Why organizations need to prepare for cybersecurity risks greater than stolen data. Forbes. https://www.forbes.com/sites/forbestechcouncil/2022/05/16/why-organizations-need-to-prepare-for-cybersecurity-risks-greater-than-stolen-data/?sh=63909f0856cf
Pearlson, K., & Neto, N. (2022, March 4). 7 pressing cybersecurity questions boards need to ask. Harvard Business Review. https://hbr.org/2022/03/7-pressing-cybersecurity-questions-boards-need-to-ask
Nasdaq. (2019, April 23). People, Process, Technology: A Three-Pronged Approach to Cyber Risk Governance. https://www.nasdaq.com/articles/people-process-technology-three-pronged-approach-cyber-risk-governance-2019-04-23
Chipeta, C. (2022, September 2). What is third-party risk? UpGuard. https://www.upguard.com/blog/what-is-third-party-risk
Boehm, J., Kaplan, J., Merrath, P., Poppensieker, T., & Stähle, T. (2020, January 29). Enhanced cyberrisk reporting: Opening doors to risk-based cybersecurity. McKinsey & Company.
Rani, R. (2020, July 9). Updating Legacy Systems Amid Growing Cybersecurity Concerns. Security Intelligence. https://securityintelligence.com/posts/secure-legacy-systems-cybersecurity/
Katara, S. (2022, September 23). How technology can mitigate cybersecurity risks to infrastructure. Forbes. https://www.forbes.com/sites/forbestechcouncil/2022/09/23/how-technology-can-mitigate-cybersecurity-risks-to-infrastructure/?sh=258643bc2344
Lukic, D. (n.d.). Cybersecurity in supply chain management, risks to consider. CyberSaint Security. https://www.cybersaint.io/blog/cybersecurity-in-supply-chain-management-risks-to-consider
Tunggal, A. (2022, September 25). The 67 biggest data breaches. UpGuard. https://www.upguard.com/blog/biggest-data-breaches
Bergman, K. (2019, September 10). Why bringing data privacy management to the board level will reduce data breaches. Forbes. https://www.forbes.com/sites/forbestechcouncil/2019/09/10/why-bringing-data-privacy-management-to-the-board-level-will-reduce-data-breaches/?sh=161a40ad5a78
Federal Trade Commission. (2021, April 28). Corporate boards: Don't underestimate your role in data security oversight.
NACD. (2017, June 19). The board's role in data privacy oversight FAQ. https://www.nacdonline.org/insights/publications.cfm?ItemNumber=44612
PricewaterhouseCoopers. (n.d.). How your board can oversee third-party risk. PwC.
McKinsey & Company. (2017, October). Improving third-party risk management.
Jones, D. (2022, September 30). C-suite, boards are prioritizing cybersecurity, but still expect increased threats. Cybersecurity Dive. https://www.cybersecuritydive.com/news/c-suite-threats-cybersecurity/633069/
PricewaterhouseCoopers. (n.d.). A C-Suite united on cyber-ready futures. PwC. https://www.pwc.com/us/en/services/consulting/cybersecurity-risk-regulatory/library/global-digital-trust-insights.html
3.1 Level the Playing Field
3.2 Protecting Yourself: Cybersecurity Measures C-Suite Executive Should Follow
3.2.1 Basic Cyber-Hygiene
3.2.2 Personal Mobile Device Management
3.2.3 Cybersecurity Awareness, Education, and Training for the Board and C-Level
3.3 Protecting Your Organization
3.3.1 Prioritize Your Threats
3.3.2 Leverage Layered Security
3.3.3 Protection Against Third-Party Apps
3.3.4 App and Asset Risk Scoring
3.3.5 Real-Time Patch Management to Patchless Protection
3.3.6 Refining Policies Pertaining to Cybersecurity
3.3.7 Cybersecurity Awareness, Education, and Training for Employees
3.4 Selection of Enterprise Tools, Technologies, and Solutions
3.4.1 Automation and Remote Update
3.4.2 App Threat Analysis
3.4.3 Detecting CVEs and Zero Days
3.4.4 Network Security Monitoring
3.5 Conclusion
3.6 References
Cybersecurity risks and challenges are becoming a growing concern for C-suite executives and board members. The ever-changing technology landscape demands that leaders be proactive in addressing the risks. Some common cybersecurity threats include data breaches, phishing attacks, and malware.
While the risks can seem daunting, leaders can take steps to mitigate them. By implementing strong cybersecurity procedures and policies, conducting regular training and awareness programs, and working with trusted security partners, board members and C-suite executives can help protect themselves and their organizations from the clutches of cyber threats1 (Atkins, 2022).
3.1 Level the Playing Field
C-suite executives and board members need to understand the vulnerabilities to level the playing field regarding cyberattacks. Though they have a fair idea of and concern about cybersecurity, they are often not directly involved in building a cybersecurity strategy or adequately aware of its intricacies. Cyberattacks targeting these officials are often more sophisticated and focused than those against general employees. Hence, they must be deeply aware of the specific risks and form policies for proactive involvement in cybersecurity.
Board members and C-suite executives can follow the below principles to mitigate risks and maintain a healthy cybersecurity posture for themselves and the organization:
Maintain a holistic approach to cybersecurity instead of considering it an isolated technical concern.
Involve all stakeholders to build up adequate support and productive contribution in decision-making.
Integrate business processes and cybersecurity strategies for creating value and developing trust2 (McKinsey & Company).
3.2 Protecting Yourself: Cybersecurity Measures C-Suite Executive Should Follow
There are several cybersecurity measures that C-suite executives should follow to protect themselves. This section explains the basic security practices to be followed, how to securely use their devices like mobile phones and laptops, and the need for awareness programs for C-suite executives and board members about social engineering attacks and how to avoid them2 (McKinsey & Company).
3.2.1 Basic Cyber-Hygiene
It seems the simplest process to follow, yet many C-suite executives continue to use weak passwords. C-suite officials and the board should use strong passwords and never reuse them. They should also enable two-factor authentication (2FA) or Multi-factor authentication (MFA) whenever possible. They should keep their software up to date and patch any security vulnerabilities as soon as possible.
They must be careful about what information they share online and make sure to encrypt any sensitive data. Regular backup of data is also important to prevent permanent data loss. Finally, it is also important to remember that cyber hygiene must start from the top. Hence, the C-suite is responsible for strictly adhering to it to create a cybersecurity culture among all other employees downwards3 (Carpenter, 2021).
3.2.2 Personal Mobile Device Management
C-suite executives should follow some basic personal mobile device management (MDM) practices to protect themselves.
They should ensure that their devices are password-protected and that the passwords are strong. They must also encrypt their data to make it more difficult for malicious actors to access it.
They should install and use reputable mobile security apps and include their devices in the organization's mobile device management (MDM) network.
They should also avoid using public Wi-Fi networks, which are often insecure.
Finally, they should keep their software up to date to ensure they have the latest security patches4 (Hooper, 2022).
3.2.3 Cybersecurity Awareness, Education, and Training for the Board and C-Level
Malicious actors' attempts on accounts of C-level employees can be the most disastrous as those accounts will have the highest privileges and hence can result in the highest losses. Therefore, security awareness and education campaigns and sessions for the C-suite and the board members are as important as the other employees in the organization. The awareness and education programs for C-level officers must focus on how a breach can affect the organization's profit margin and the bottom line so that the vitality of such campaigns is driven home5 (Rose, 2022).
3.3 Protecting Your Organization
Considering the increasing frequency and sophistication of cyber-attacks, boards must manage the cyber risks proactively. There are several steps that boards must take to prepare for the next cyber threat. Cyber awareness of the top-level employees is also necessary, as the 'tone at the top' can directly impact the attitude of other employees and the general cybersecurity culture of the organization.
3.3.1 Prioritize Your Threats
Cybersecurity threats come in many forms, from viruses and malware to phishing scams and ransomware. Some are more serious than others, and some are more likely to target specific industries or organizations.
As a result, organizations need to assess their risks and prioritize potential threats. There are several factors to consider when prioritizing threats, including the potential impact, the severity of the threat, and the likelihood of it occurring in the organization6 (Blue Bastion, 2020).
3.3.2 Leverage Layered Security
Layered security is an approach that uses multiple layers of security controls to protect critical digital assets. Different layers compensate for the deficiencies of one another, and with each added technology component, malicious actors find it harder to infiltrate the network. By using multiple layers of security, boards can make it more difficult for malicious actors to penetrate their systems and access sensitive data. Some examples of security controls in a layered security approach include firewalls, intrusion detection and prevention systems, and encryption7 (Bonuccelli, 2020).
3.3.3 Protection Against Third-Party Apps
Third-party apps are often not as secure as first-party apps and can be a source of malware and other security threats. Boards can help protect against these threats by ensuring that only trusted third-party apps are allowed on devices and networks. Scrutinizing the third parties and avoiding their vulnerabilities will protect the top-level officials and the organization from spear phishing, ransomware, malware, and other attacks.
3.3.4 App and Asset Risk Scoring
An app and asset risk scoring system can help identify which apps and assets are most at risk from cyberattacks and prioritize them for protection. The system assigns a risk score to each app and asset based on factors such as the sensitivity of the data it handles, the likelihood of a cyberattack, and the potential impact of an attack. This information can then be used to prioritize which apps and assets need the most protection. The risk score can also be an important metric for the efficiency of cybersecurity controls8 (Null, 2021).
3.3.5 Real-Time Patch Management to Patchless Protection
Patch management is considered a critical component of any cybersecurity strategy because it reduces a business's exposure to attacks. Real-time patch management involves continuously monitoring for new vulnerabilities and patching them as soon as they are discovered. The process has advanced further today: patchless protection consists of detecting and eliminating threats before they unleash an attack. It needs no patches; vulnerable applications are protected by a 'force field' that keeps them safe even in the absence of patches9 (Vicarius).
3.3.6 Refining Policies Pertaining to Cybersecurity
Refining cybersecurity policies can include ensuring that all employees are trained in cybersecurity best practices and developing advanced procedures for handling data breaches. It is also about establishing clear lines of communication between the board and the security team and using state-of-the-art cybersecurity tools to maintain a healthy security posture for the organization10 (Security Scorecard, 2021).
3.3.7 Cybersecurity Awareness, Education, and Training for Employees
Awareness, education, and training for employees must be based on the understanding from the top level. An important element is the tone at the top, as it will decide the overall safety culture among the employees. All employees must be trained in cybersecurity best practices, identifying vulnerabilities and threats well in advance and reporting any incident immediately for effective and efficient cyber recovery.
3.4 Selection of Enterprise Tools, Technologies, and Solutions
Selecting the right enterprise tools to mitigate cybersecurity risks and challenges is important. The right tools can help an organization to detect and respond to security incidents, protect sensitive data, and improve the overall security posture. Enterprise tool selection should be based on several factors, including the organization's security needs, budget, and technical capabilities.
Organizations should also consider whether they will use the tools for strategic or tactical purposes.
3.4.1 Automation and Remote Update
Automation tools will assist in tasks such as patch management, which can be time-consuming and difficult to do manually. These tools also help reduce the chances of human error, a factor that often leads to security breaches.
Remote update tools allow organizations to remotely update their systems and data without physically visiting each system. Updating software and firmware remotely can be challenging without the right tools.
3.4.2 App Threat Analysis
App threat analysis tools are used to evaluate the security of mobile apps. These tools can analyze an app's code, permissions, and other factors to determine potential security risks. Many app threat analysis tools also offer recommendations for mitigating any risks.
Various app threat analysis tools are available, each with strengths and weaknesses. Choosing a tool appropriate for the app you're testing is important. For example, some solutions are better at analyzing Android apps, while others are better for iOS apps.
Some app threat analysis tools are open source, while others are commercial products. Some solutions are free, while others must be purchased11 (Positive Technologies, 2019). Thus, the threat analysis tool to be chosen must fit well with the existing technology stack being used by the organization.
3.4.3 Detecting CVEs and Zero Days
CVEs (Common Vulnerabilities and Exposures) are publicly disclosed vulnerabilities that have been assigned a unique identifier. Zero-day vulnerabilities are those that have not been publicly disclosed and may not have a CVE identifier. These vulnerabilities may be known to attackers but not to the public or the vendor. Detecting CVEs and zero days can be accomplished through a variety of means.
CVE and zero-day detection tools scan for vulnerabilities in systems and networks. These tools can help identify potential security issues that attackers could exploit. By detecting vulnerabilities, organizations can take steps to mitigate their risks.
3.4.4 Network Security Monitoring
Network security monitoring tools are an essential part of any network security strategy. Network security monitoring identifies and responds to security events and incidents on a network. The process can be automatic or manual, but it often combines both. Various network security monitoring tools are available, each with strengths and weaknesses. They include intrusion detection systems (IDS), intrusion prevention systems (IPS), firewalls, and network activity monitors. A network security monitoring toolkit's most important components are IDS and IPS. IDS looks for suspicious activity by monitoring network traffic, while IPS blocks or mitigates suspicious activity12 (Carklin, 2022).
3.5 Conclusion
There is no shortcut for protecting your organization against cybersecurity risks and challenges. Still, taking a proactive and holistic approach can significantly reduce the chances of becoming a victim to malicious actors. The board and C-suite executive team must keep themselves up-to-date on the latest threats and trends and work hand-in-hand with the security team to develop a robust cybersecurity strategy that addresses the organization's unique needs. The right approach can help keep the C-suite and your organization safe from any harm from nefarious intrusions.
3.6 References
Atkins, B. (2022, March 18). Cybersecurity and the role of the board. Forbes. https://www.forbes.com/sites/betsyatkins/2022/03/18/cybersecurity-and-the-role-of-the-board/
McKinsey & Company. Perspectives on transforming cybersecurity.
Carpenter, P. (2021, November 9). Five best practices to mitigate C-suite cyber risk. Forbes. https://www.forbes.com/sites/forbesbusinesscouncil/2021/11/09/five-best-practices-to-mitigate-c-suite-cyber-risk/?sh=6d815f195829
Hooper, A. (2022, August 16). What is mobile Device Management (MDM) and which product is perfect for you? IT Support Guys. https://itsupportguys.com/it-blog/what-is-mobile-device-management-mdm/
Rose, A. (2022, January 11). Why Security Awareness Training Should Begin in the C-Suite. Dark Reading. https://www.darkreading.com/careers-and-people/why-security-awareness-training-should-begin-in-the-c-suite
Blue Bastion. How to prioritize your cybersecurity. https://www.bluebastion.net/prioritize-your-cybersecurity/
Bonuccelli, G. (2020, July 13). Ultimate guide to layered security: Protect your virtualized infrastructure. Parallels. https://www.parallels.com/blogs/ras/layered-security/
Null, C. (2021, September 28). What is a cyber risk score? Tanium. https://www.tanium.com/blog/what-is-a-cyber-risk-score-and-why-does-it-matter/
SecurityScorecard. (2021, July 12). 8 top strategies for cybersecurity risk mitigation. https://securityscorecard.com/blog/6-strategies-for-cybersecurity-risk-mitigation
Positive Technologies. (2019, June 19). Vulnerabilities and threats in mobile applications. https://www.ptsecurity.com/ww-en/analytics/mobile-application-security-threats-and-vulnerabilities-2019/
Carklin, N. (2022, February 7). Network security monitoring: A complete guide. Parallels. https://www.parallels.com/blogs/ras/network-security-monitoring/
Curry, S. (2017, November 16). Boards should take responsibility for cybersecurity. Here's how to do it. Harvard Business Review. https://hbr.org/2017/11/boards-should-take-responsibility-for-cybersecurity-heres-how-to-do-it
Osborne, J. (2021, January 26). How to level the playing field against cyberattacks. Hospitality Technology. https://hospitalitytech.com/how-level-playing-field-against-cyberattacks
Klemash, S. (2018, July 17). How boards can prepare for the next cybersecurity threat. EY. https://www.ey.com/en_gl/board-matters/how-boards-can-prepare-for-the-next-cybersecurity-threat
Klimburg, A. (2022, February 16). 5 ways to protect your organization during cyber conflict. World Economic Forum. https://www.weforum.org/agenda/2022/02/protect-during-cyber-conflict/
National Cyber Security Center. (2021, June 29). Device Security Guidance. https://www.ncsc.gov.uk/collection/device-security-guidance/policies-and-settings/using-third-party-applications-on-devices
Follis, E. (2017, June). Know why patch management tools are required in the IT infrastructure. SearchSecurity. https://www.techtarget.com/searchsecurity/feature/The-business-case-for-automated-patch-management-tools
Rapid7. (2014, October). Cyber security awareness: What boards and executives need to know. NACD. https://www.nacdonline.org/files/Cyber%20Security%20Awareness%20eBook.pdf
Rapid7. What is Patch Management: Benefits & Best Practices. https://www.rapid7.com/fundamentals/patch-management/
4.1 Know Your Threats, Vulnerabilities, and Risks
4.1.1 Top Vulnerabilities
4.1.2 Key Threats
4.1.3 Other Major Risks
4.2 Shifting Left: 'Security-By-Design'
4.3 Accelerating Cybersecurity Initiatives
4.3.1 Focus on Security Automation
4.3.2 Autonomous Vulnerability Remediation
4.3.3 Single Pane of Glass
4.3.4 Maximize Vulnerability Management Efficiency
4.3.5 Prioritization
4.4 Conclusion
4.5 References
As discussed in the previous chapters, cybersecurity and cyber risks are a top boardroom issue in these unprecedented times. Recent years saw high-profile data breaches, including cyber risk events at Facebook, Uber, Yahoo, Google, Equifax and other companies, leading to major corporate crises. Such attacks become a corporate governance issue for boards because they must face litigation, come under the regulators' scrutiny or hold CEOs accountable. Apart from the financial costs of cybercrime, a cyber incident damages the corporate reputation and can impact the organization's market value. Therefore, Boards and C-suite executives must be well prepared before a breach occurs to take an active role in the detection and avoid negative consequences resulting from inadequate oversight.
4.1 Know Your Threats, Vulnerabilities, and Risks
Directors and the board are crucial in providing risk governance and independent oversight capabilities. They cannot micro-manage cybersecurity risks but must ensure that management adequately oversees the practices. However, if board members lack an in-depth understanding of cyber issues, they will not grasp the ramifications of what executives explain to them. Thus, to fulfil their oversight responsibilities, the board must proactively address knowledge gaps and acquire profound cybersecurity expertise to protect their corporate interests1 (IMD, 2022).
4.1.1 Top Vulnerabilities
Cyber-security efforts must span the enterprise, with the C-suite continually assessing the changing threat landscape and taking proactive steps to address the evolving exposures. According to OWASP, the top security vulnerabilities include2 (OWASP, 2021):
Software and Data Integrity Failures
Identification and Authentication Failures
Security Logging and Monitoring Failures
Vulnerable and Outdated Components
Security Misconfiguration
Insecure Design
Injection
Broken Access Control
4.1.2 Key Threats
Cyber vulnerabilities can crop up across the enterprise's people, operations, or supply chains to impact customers and threaten business continuity. The key threats include:
Business Email Compromise (BEC): These scams are spear-phishing attacks targeting senior executives, aiming to make them reveal confidential organizational information, transfer funds to threat actors, or serve some other malicious purpose.
Social Media Threats: Threat actors can use public information available on social media platforms, like LinkedIn, Facebook, Instagram, etc., to create profiles of targets.
Insider Threats: Employees remain one of the common causes of security breaches.
Data Privacy Concerns: Various organizational departments must address particular requirements of the CCPA and the GDPR. Non-compliance will lead to stricter and bigger penalties3 (Bokil, S., 2020).
Increased Cyber Crimes: No matter the business size, one of the major challenges executives face is the risk of becoming a cybercrime target.
Mobile Security Threats: With the growing importance of mobile devices in an organizational network, they are a common target of adversaries, resulting in threats such as:
Data leakage
Social engineering
Wi-fi interference
Crypto-jacking
Poor password hygiene
Physical device breaches
4.1.3 Other Major Risks
Some other major risks c-level executives need to keep in mind include the following:
Third-Party Backdoors: As supply chains become complex and organizations rely on more third-party vendors, cybercriminals can creep into the supply chain and pose a significant threat. A supply chain breakdown can greatly degrade operations and impact revenue.
Growth of Connected Devices: IoT devices have become more ubiquitous in today's technological age, and every connected device presents a unique security risk.
Operations at Risk: While technology can increase the organization's operational efficiency, it increases the risk of business disruptions through ransomware, malware or other threats.
Innocent or Malicious, Employees are a Major Cyber Threat: Organizations face a significant cyber risk – whether through human error, negligence or malicious intent.
4.2 Shifting Left: 'Security-By-Design'
A modern shift-left approach moves security responsibilities to the developers and to the beginning of the process, when they are provisioning the infrastructure. By testing CloudFormation and Terraform code for security before it is executed, just as they test application code for reliability and quality, developers can make fixes before committing the code to production, preventing bugs that would affect customers and result in data loss. Ideally, the C-suite and Board incorporate security into the design and requirements phases (Seiersen, R., 2021).
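The kind of pre-commit check the paragraph describes, as an added example that is not code from the book or from any vendor tool: it scans a constructed CloudFormation template for two common misconfigurations (an administrative port open to the whole internet, and a bucket with no public-access block), then shows the hardened version of the same template passing. Resource names, bucket name, and the corporate CIDR range are assumptions.

```python
"""Pre-commit security check for a CloudFormation template.

Added example, not from the book or any vendor tool: flags two common
misconfigurations before the template is committed or applied, and shows
the hardened version passing. Template, names and CIDRs are constructed.
"""
import copy

# Management ports that must never be reachable from the whole internet.
RISKY_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed template (parsed form of a CloudFormation JSON document):
# an over-permissive security group and a bucket with no public-access block.
WEAK_TEMPLATE = {"Resources": {
    "AdminSG": {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {
            "GroupDescription": "admin access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"},
            ],
        },
    },
    "DataBucket": {"Type": "AWS::S3::Bucket",
                   "Properties": {"BucketName": "example-customer-data"}},
}}

# The same template after the two fixes a developer makes before committing.
HARDENED_TEMPLATE = copy.deepcopy(WEAK_TEMPLATE)
_rules = HARDENED_TEMPLATE["Resources"]["AdminSG"]["Properties"]["SecurityGroupIngress"]
_rules[0]["CidrIp"] = "10.0.0.0/8"  # SSH only from the (constructed) corporate range
HARDENED_TEMPLATE["Resources"]["DataBucket"]["Properties"]["PublicAccessBlockConfiguration"] = {
    "BlockPublicAcls": True, "BlockPublicPolicy": True,
    "IgnorePublicAcls": True, "RestrictPublicBuckets": True,
}

def _rule_covers_port(rule, port):
    """True if an ingress rule's port range (or 'all protocols') includes port."""
    if rule.get("IpProtocol") == "-1":
        return True
    low, high = rule.get("FromPort"), rule.get("ToPort")
    if low is None or high is None:
        return False
    return int(low) <= port <= int(high)

def check_security_group(name, props):
    findings = []
    for rule in props.get("SecurityGroupIngress", []):
        cidr = rule.get("CidrIp") or rule.get("CidrIpv6")
        if cidr not in ("0.0.0.0/0", "::/0"):
            continue
        for port, label in RISKY_PORTS.items():
            if _rule_covers_port(rule, port):
                findings.append(f"{name}: {label} (tcp/{port}) open to {cidr}")
    return findings

def check_bucket(name, props):
    block = props.get("PublicAccessBlockConfiguration", {})
    required = ("BlockPublicAcls", "BlockPublicPolicy", "IgnorePublicAcls", "RestrictPublicBuckets")
    missing = [k for k in required if block.get(k) is not True]
    if missing:
        return [f"{name}: public access not fully blocked (missing {', '.join(missing)})"]
    return []

CHECKS = {"AWS::EC2::SecurityGroup": check_security_group, "AWS::S3::Bucket": check_bucket}

def scan_template(template):
    """Run every applicable check over the template's resources."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource.get("Properties", {})))
    return findings

def exit_code(template):
    """What a pre-commit hook returns: non-zero blocks the commit."""
    return 1 if scan_template(template) else 0

if __name__ == "__main__":
    for label, template in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        findings = scan_template(template)
        print(f"{label}: exit code {exit_code(template)}, {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Wired into a pre-commit hook, the non-zero exit code from the weak template stops the commit, which is the point at which the fix is cheapest to make.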
Shifting security left requires cross-organizational cooperation. As with other broad-based changes, executive sponsorship is critical. A prudent strategy is establishing a shift left working group, including representation from all stakeholders. The group will:
Survey existing security tools and practices: "What are we doing now?"
Ask security experts/DevSecOps teams to identify high-priority risk areas by assessing the current security posture: "How effective is the current approach, and what are its loopholes?"
Define a shift left strategy and clearly communicate it: "What will we do about it, and how to talk about it?"
Identify the low-hanging fruit—those tools or practices that are easily implemented and demonstrate clear ROI to the leadership: "What can we begin with that will demonstrate the value of our approach to shifting left?" (Chenetz, M., 2022)
4.3 Accelerating Cybersecurity Initiatives
Today's markets, economies, business networks, and supply chains are so deeply interconnected that a single breach can result in widespread disruption. However, most enterprises don't see the emerging risks because they spend more time looking back at what happened rather than scanning the road ahead for emerging threats.
Boards and C-suites should find ways to anticipate the risks coming around the bend and be prepared to make swift, well-informed decisions to manage those risks effectively (MetricStream).
4.3.1 Focus on Security Automation
Organizations can use automation to remove low-value tasks from the busy desks of executives. They can use it to scan high data volumes, review documents for specific patterns, and flag irregularities for fraud mitigation. Furthermore, as the sophistication and volume of cyberattacks continue to grow, automating detection and mitigation is a prudent choice for the C-suite to implement. Risk automation will help them resolve compliance and risk management issues while fostering better critical process maturity and business alignment across:
Compliance management
Governance management
Configuration and change management
Disaster recovery
Third-party and supply chain risk
Enterprise risk management
Findings management and remediation
Automation offers efficient management of controls testing and validation, and real-time risk exposure reporting through integration with SIEM technologies, external threat feeds, and vulnerability scanning and management tools (Bundy, J., 2021).
4.3.2 Autonomous Vulnerability Remediation
When it comes to vulnerability management, it is crucial to aim high. Since the stakes are so critical, your vulnerability management program must strive to be best in class. The Board and C-suite must define their vulnerability management program around these key elements:
Scope (what does it cover)
Strategic importance (from C-suite down)
Integration (with other key processes, systems, and stakeholders) (Balbix, 2019)
After getting the elements right, "the devil lies in the details."
Ongoing vigilance (vulnerability scanning, re-scanning, mitigation) helps organizations stay ahead of emerging threats.
Discipline (well-defined and strong enforcement) and integration help them sustain a robust security posture over time.
Leveraging emerging technologies such as AI/machine learning will help them make sense of large data amounts to gather relevant insights, elevating the program to a new level.
The most successful vulnerability management programs bridge the gap between the big picture (organization-wide security) and the relevant details (systems, organizations, processes). They detect software vulnerabilities and security issues that can lead to the exploitation of critical systems and mitigate risk across the organizational infrastructure (Spring, J. M. et al., 2021).
4.3.3 Single Pane of Glass
Facing an evolving threat level and the increasing magnitude of the potential impact, executives must insist on full transparency for cyber risk and ways to actively manage it to protect their organizations. They need cyber risk dashboards to make the information most accessible to decision-makers.
Full asset visibility in one place
Users can focus the dashboard around their areas of interest, from the C-suite to the technicians. Executives can quickly configure the dashboard to view data for a specific asset or switch to the various risk metrics (RiskSense).
KRIs adapted to individual roles
KRIs (Key Risk Indicators) must be adapted to individual roles. Business-unit managers must be restricted to viewing only the KRIs related to their business unit, while the CIO (Chief Information Officer) or CRO (Chief Risk Officer) must have the option to aggregate dashboard output across business functions, units, and entities.
Assess and remediate threats from one dashboard
The dashboard must enable faster decisions to mitigate threats and increase the enterprise's overall resilience. Frequent updates, integrated data from trusted sources, and analytical capabilities allow the decision-makers to extract meaningful insights directly from the dashboard. They receive the facts they need to fight against digital fraud, attacks, and blackmail.
Limit the scope of heavy controls to critical, high-risk assets
A robust cyber risk dashboard will offer information that helps risk managers rebalance the scales. Thus, they focus their resources and energy on averting the biggest threats to their organization's most critical assets (Boehm et al., 2018).
4.3.4 Maximize Vulnerability Management Efficiency
It may be possible to patch all Windows systems at a global bank within two days, but the business disruption this would cause is unacceptable. This is just an example to illustrate the situation. So, what is an acceptable time frame for fixing security vulnerabilities?
The Board and C-suite must tie the vulnerability management practices to their enterprise's specific needs, not a mythical standard. Based on how quickly vulnerabilities get exploited, they must prepare to perform emergency remediation on critical systems within hours of a vendor-released patch to address the vulnerability (Gartner, 2021).
Furthermore, remediation must consider various security controls, not just patching. The security controls' availability must become a part of the prioritization process. For example, when you prepare a critical vulnerability list for your enterprise, you might prioritize easy-to-fix vulnerabilities over resource-intensive ones. Thus, you will get the most protection in the shortest time.
The vulnerability management program must enable effective communication among the relevant IT Operations teams and an integrated workflow to track the remediation process across these teams. Additionally, to ensure maximum efficacy, skilled and trained resources must be incorporated into the security teams, who validate and work in parallel with IT Operations on vulnerability closure (Nanda, S., 2017).
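A worked version of the prioritization logic in this section, added here as an example and not taken from the book or from the Gartner, Balbix or Nanda sources: it applies an emergency deadline measured in hours to actively exploited vulnerabilities on critical systems once a vendor patch exists, orders the remaining backlog by risk retired per hour of effort (easy fixes before resource-intensive ones), and compares that with a naive CVSS-first order. The SLA table, scoring weights, tracking ids, and backlog are all constructed assumptions, not a standard.

```python
"""Risk-based remediation ordering for a vulnerability backlog.

Added example, not from the book or from Gartner/Balbix/Nanda. It encodes
two rules the chapter states: an emergency deadline in hours for exploited
vulnerabilities on critical systems once a vendor patch exists, and, for the
rest, doing the fixes that buy the most risk reduction per effort hour first.
Deadlines, weights, ids and the backlog are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    id: str                  # tracking id (constructed placeholder, not a real CVE)
    cvss: float              # base severity 0-10
    asset_criticality: int   # 1 (low) .. 3 (crown-jewel system), from the asset inventory
    exploited_in_wild: bool  # threat intel reports active exploitation
    patch_available: bool    # vendor fix released
    fix_effort_hours: float  # IT-ops estimate including change and testing
    compensating_control: bool = False  # e.g. network isolation already limits exposure


def deadline_hours(v):
    """Assumed SLA table; the emergency case follows the chapter's 'within hours' rule."""
    if v.exploited_in_wild and v.patch_available and v.asset_criticality == 3:
        return 24
    if v.exploited_in_wild:
        return 72
    return {3: 7 * 24, 2: 14 * 24, 1: 30 * 24}[v.asset_criticality]


def risk_score(v):
    """Constructed scoring: severity weighted by asset value and exploitation status."""
    score = v.cvss * v.asset_criticality
    if v.exploited_in_wild:
        score *= 2
    if v.compensating_control:
        score *= 0.5  # a control reduces exposure, it does not close the finding
    return score


def prioritize(backlog):
    """Split into emergency items and a schedule ordered by risk retired per effort hour."""
    emergency = [v for v in backlog if deadline_hours(v) <= 24]
    scheduled = [v for v in backlog if deadline_hours(v) > 24]
    scheduled.sort(key=lambda v: risk_score(v) / v.fix_effort_hours, reverse=True)
    return emergency, scheduled


def risk_retired_within(hours, ordered):
    """Fraction of the list's total risk removed if work proceeds in order for `hours`."""
    total = sum(risk_score(v) for v in ordered)
    spent = retired = 0.0
    for v in ordered:
        if spent + v.fix_effort_hours > hours:
            break
        spent += v.fix_effort_hours
        retired += risk_score(v)
    return retired / total if total else 0.0


def by_cvss(backlog):
    """The naive ordering many teams start with, kept for comparison."""
    return sorted(backlog, key=lambda v: v.cvss, reverse=True)


# Constructed backlog: V-3 is the highest-severity item but by far the costliest to fix.
BACKLOG = [
    Vuln("V-1", 9.8, 3, True, True, 8.0),
    Vuln("V-2", 7.5, 2, False, True, 1.0),
    Vuln("V-3", 9.0, 3, False, True, 40.0),
    Vuln("V-4", 6.5, 2, True, True, 4.0, compensating_control=True),
    Vuln("V-5", 5.3, 1, False, True, 2.0),
]

if __name__ == "__main__":
    emergency, scheduled = prioritize(BACKLOG)
    print("Emergency (24h):", [v.id for v in emergency])
    print("Scheduled order:", [(v.id, deadline_hours(v)) for v in scheduled])
    print(f"Risk retired in first 8h, risk/effort order: {risk_retired_within(8, scheduled):.0%}")
    print(f"Risk retired in first 8h, CVSS-first order: {risk_retired_within(8, by_cvss(scheduled)):.0%}")
```

With this backlog the risk-per-effort order retires over half of the scheduled risk in the first working day, while the CVSS-first order retires none, because it spends the whole day on the 40-hour item.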
4.3.5 Prioritization
Executives' risk perception may not align with the potential impact of various threat actors. Cybercriminals have different threat profiles based on their level of sophistication, their intent, and the proportion of incidents attributed to them. Some rogue individuals have a relatively low threat profile because of lower complexity, limited funding, and because they exploit known vulnerabilities that are easier to secure against. Focusing greater effort on that group may offer adequate risk reduction for the investment made compared with addressing sophisticated actors such as organized crime groups, national governments, and industrial spies. Malicious insiders (employees, vendors, partners) and external agents may pose greater risks (IBM, 2016).
Furthermore, it is crucial to forge a symbiotic relationship between the CFO and the CISO (Chief Information Security Officer). While the CISO presents the risks in technical terms and works on them, the CFO helps improve security by helping translate those threats into a language the senior leaders understand better.
4.4 Conclusion
Any organization establishing a track record of guaranteeing its users, customers, and partners access to threat-free, clean business services and content will differentiate itself in today's evolving cyber landscape. Today, the Board and C-suite must go beyond establishing baseline protocols to define, create, and maintain a secure environment. Collaboration and understanding across the board are key to achieving cyber-resilience within an enterprise. C-level executives and cybersecurity experts must find a common data language to understand and mitigate the risks.
4.5 References
Board oversight of cyber risks and cybersecurity. (2022, August 19). IMD Business School for Management and Leadership Courses. https://www.imd.org/research-knowledge/articles/Board-Oversight-Cyber-Risks-Cybersecurity/
OWASP Top ten. (n.d.). Owasp.org. Retrieved October 4, 2022, from https://owasp.org/www-project-top-ten/
Bokil, S. (2020, January 10). Top 4 challenges C-level executives will need to combat in 2020. EnterpriseTalk. https://enterprisetalk.com/featured/top-4-challenges-c-level-executive-will-need-to-combat-in-2020/
Samhat, A. (2019, February 13). The eight cyber risks that are worrying the C-suite. The One Brief. https://theonebrief.com/the-8-cyber-risks-that-are-worrying-the-c-suite/
Seiersen, R. (2021, January 4). A modern shift-left security approach. Forbes. https://www.forbes.com/sites/forbestechcouncil/2021/01/04/a-modern-shift-left-security-approach/?sh=7f5cb277293e
Chenetz, M. (2022, June 10). Who needs to shift left in security, and why. Cisco Blogs; Cisco Systems. https://blogs.cisco.com/developer/whoneedsshiftleftsecurity01
GRC: Top 5 focus areas of the board and C-suite. (n.d.). Metricstream. Retrieved October 4, 2022, from https://www.metricstream.com/insights/GRC-Top-5-Focus-Areas-of-the-Board-and-C-Suite.html
Bundy, J. (n.d.). Introducing an automated approach to risk management. Optiv. Retrieved October 4, 2022, from https://www.optiv.com/insights/discover/blog/introducing-automated-approach-risk-management
Vulnerability management program: How to build it? (2019, November 27). Balbix. https://www.balbix.com/insights/how-to-create-a-best-in-class-vulnerability-management-program/
Spring, J. M., Householder, A., Hatleback, E., Manion, A., Oliver, M., Sarvapalli, V., Tyzenhaus, L., & Yarbrough, C. (2021). Prioritizing vulnerability response: A stakeholder-specific vulnerability categorization (version 2.0). Cmu.edu. https://resources.sei.cmu.edu/asset_files/WhitePaper/2021_019_001_653461.pdf
Executive Dashboard: Overview. (n.d.). Risksense.com. Retrieved October 4, 2022, from https://help.risksense.com/executive-dashboard-overview
Boehm, J., Merrath, P., Poppensieker, T., Riemenschnitter, R., & Stähle, T. (2018, November 19). Cyber risk measurement and the holistic cybersecurity approach. Mckinsey.com; McKinsey & Company. https://www.mckinsey.com/capabilities/risk-and-resilience/our-insights/cyber-risk-measurement-and-the-holistic-cybersecurity-approach
Vulnerability Management Should be Based on Risk. (n.d.). Gartner. Retrieved October 4, 2022, from https://www.gartner.com/smarterwithgartner/how-to-set-practical-time-frames-to-remedy-security-vulnerabilities
Nanda, S. (2017). Approach to an efficient vulnerability management program. ResearchGate. Retrieved October 4, 2022, from https://www.researchgate.net/publication/318316549_Approach_to_an_Efficient_Vulnerability_Management_Program
IBM. (n.d.). Ibm.com. Retrieved October 4, 2022, from https://www.ibm.com/downloads/cas/M94RB4WR
5.1 Understanding Cybersecurity Culture
5.2 Why Is It Important to Build and Invest in a Good Cybersecurity Culture?
5.3 Cybersecurity as a Strategic Business Enabler
5.4 Educate and Empower the People
5.4.1 'Humans' - The Weakest Links in the Chain
5.4.2 Employee Training, Awareness, and Education
5.4.3 Employee Recognition
5.5 How to Build and Foster a Robust Cyber-aware Culture
5.6 Building Cyber Resilience and the Way Forward
5.7 Conclusion
5.8 References
Cyber-attacks are becoming more regular, sophisticated, and frequent with each passing day. Advanced safeguards and protective technologies at an equal or a higher level of sophistication are required to combat such threats. However, many cyber incidents have proved that technology alone cannot defend an organization's security posture.
The human factor in an organization is crucial in determining the organization's well-being. This necessitates making cybersecurity culture an integral part of any organization or business.
5.1 Understanding Cybersecurity Culture
Cybersecurity culture is a concept most crucial to keeping an organization secure in the 21st century, an age of technological advancement unlike any before. Cybersecurity culture aims to drive home the message that it is not entirely technology but employees and the people associated with the organization who are responsible (sometimes even unknowingly) for maintaining or ruining an organization's security. It involves:
Individual factors: These include the knowledge of individuals associated with an organization, their attitudes, and assumptions regarding cybersecurity.
Organizational factors: These concern the leadership and the social norms they set regarding cybersecurity. It also involves the policies and planning of processes regarding matters related to cybersecurity.
These factors build the cybersecurity culture of an organization. More than anything, people can protect an organization from cybersecurity breaches.
5.2 Why Is It Important to Build and Invest in a Good Cybersecurity Culture?
Every person associated with an organization, from the topmost chair to the lowest employee and even outsiders (like third-party contractors and customers), is an important link that helps maintain an organization's cybersecurity.
According to a report by Verizon, 82% of all data breaches in 2021 involved a human link or a human error that it calls the "human element." This information proves why building and investing in a good cybersecurity culture is the need of the hour for every business and organization that cares about its reputation and respectable existence.
Cybersecurity culture demands sound investments to prevent the following and build a safety-first approach among the employees:
Malicious links and files: Employees and others associated with an organization may click on malicious links and attachments in fraudulent emails from malicious actors. They may also download unknown or malicious files from untrustworthy or harmful websites.
Vulnerable public Wi-Fi: Public or free Wi-Fi is often a trap that most employees of reputed organizations fall into. Accessing or trying to access protected organizational files containing important or confidential information through public networks or devices that are unprotected can inadvertently harm the organization's cybersecurity.
Social engineering: Social engineering scams are becoming increasingly sophisticated every day. Malicious actors aim at entrapping more and more negligent employees from reputable businesses to get hold of sensitive data, thereby compromising the organization's reputation.
5.3 Cybersecurity as a Strategic Business Enabler
While it may be unknown or seem unlikely to many, cybersecurity can be one of the major enabling factors for a business. Here are a few reasons why:
Increases productivity: If a business's cybersecurity is well enabled and ensured, employees can pay attention to more productive arenas like innovation. If a business establishment has less confidence in its cybersecurity posture, much time and attention are concentrated on the area, preventing a business from competing with its rivals.
Improves customer relationships: Investing in cybersecurity can help your customers trust you more than your competitors because their businesses aren't as secure as yours. Cybersecurity breaches generally affect the reputation of an organization way more than finances. Therefore, one of the best ways to attract more customers is to ensure a strong cybersecurity culture in your organization.
Avoiding unexpected attacks: No business or organization can see a cyber-attack coming, and despite every precaution, it can still face an attack. To ensure the best response immediately, organizations must conduct "cybersecurity drills," like the fire drills in offices to handle a fire outbreak. It will ensure preparedness among staff for an immediate response and significantly reduce the impacts and losses resulting from an attack.
5.4 Educate and Empower the People
The importance of the human element in upholding an organization's cybersecurity posture cannot be emphasized enough. Acknowledging the vulnerabilities of human resources, educating the employees and creating cybersecurity awareness among them, and recognizing their contribution towards improving cybersecurity as part of building the cybersecurity culture can help an organization tremendously.
5.4.1 'Humans' - The Weakest Links in the Chain
The cybersecurity chain comprises the humans or the employees in an organization, outsiders like the customers and third parties, the technological tools and their security implications, and processes that impact security. The human element, however, is the weakest among them. The smallest of errors an employee commits can ruin the reputation and affect the financial resources of an organization or a business. Every human associated with an organization should therefore be well-informed and trained in cybersecurity.
5.4.2 Employee Training, Awareness, and Education
Besides creating general employee awareness regarding data breaches and their consequences, it is important to regularly provide hands-on cybersecurity training and drills. Cybersecurity education plays an important role in preventing and countering cyber-attacks efficiently.
5.4.3 Employee Recognition
Employee recognition is not only innovative but also a positive way of enabling cybersecurity and ensuring quick response following an attack. Organizations and businesses can provide incentives like certificates and appreciation for employees who can quickly respond to critical situations with a bearing on cybersecurity. It is an excellent way to resist cyber-attacks and prevent them from building into full-blown attacks.
5.5 How to Build and Foster a Robust Cyber-aware Culture
Building a cyber-aware culture is not too difficult. Inculcating a sense of cybersecurity in the employees' minds is the duty of the leadership of an organization. For instance, if a CEO or any other official of such designation calls meetings with employees regularly and makes sure to start or end every session with some reference to cybersecurity and its relevance, it might go a long way in protecting the organization.
Making employees responsible: If you can gradually and steadily make cybersecurity part of the structural fabric of an organization, cyber-attacks and undesirable consequences from them will significantly reduce. Apart from instructions regarding cybersecurity, it is important to let employees know that the safety and reputation of the organization are in their hands.
Choosing a culture leader: People holding designations like the CISO or even CIO are expected to be concerned with cybersecurity strategies and policies. They are the ones that take most of the initiatives. Still, it might be helpful if someone not directly involved with the cybersecurity arena, like a CEO or marketing manager, comes forward and takes up the responsibility of infusing cybersecurity culture within employees.
Employee recognition: An organization's cybersecurity is more likely to be ensured if it is made an integral part of the formal evaluation of every employee. For instance, in a cyber-attack drill in such a system, if an employee fails in the given task repeatedly, they would face the consequences increasing in severity each time. Similarly, suppose an employee proves themself capable of protecting the data and privacy of their organization, even through a small act. In that case, they must receive incentives, rewards, appreciation, or certificates.
5.6 Building Cyber Resilience and the Way Forward
Cyber resilience aims at enabling an organization to respond to and cope with, within a short time, unfortunate events that may disrupt its normal processes. Here are a few ways in which nurturing the cybersecurity culture can help an organization build stronger cyber resilience.
Business impact analysis and risk analysis
Business impact analysis and risk analysis are two important ways an organization can calculate how much it stands to lose if it faces the unfortunate event of a cyber-attack. Incorporating such concepts into the cybersecurity culture awareness campaigns positively impacts the employees, who become more concerned and take responsibility for protecting the organization from harm.
Create and prepare a proper cyber resilience plan
Cyber resilience plans and strategies involve not only technology but also awareness among employees. Technically, organizations can hire third-party data protection systems. However, awareness among all employees about the resilience strategies and principles as part of the cybersecurity culture will enormously help protect an organization's security and create cyber resilience like no other.
Regularly test and keep up with cybersecurity updates
As mentioned earlier, cybersecurity drills play a major role in keeping employees ready to respond to any disruptive event. Since humans constitute the weakest link in the cybersecurity chain, it is essential to focus enough on them. And regular tests and updates can overturn the situation and convert humans from the weakest links into the strongest assets as far as protecting the organization is concerned.
5.7 Conclusion
An organization can protect its data and privacy and, in turn, its reputation in numerous ways. And cybersecurity plays an integral role in sustaining and boosting an organization's business and building customer trust. This fact makes it important for every organization to invest in and pay great attention to building and maintaining excellent cybersecurity culture. A strong foundation of cybersecurity culture in any organization can raise its security posture significantly, positively impacting its business growth and customer relationships.
5.8 References
Everard, T. (2021, May 27). What is Cyber Security Culture and why does it matter for your organization? PA Consulting. https://www.paconsulting.com/insights/what-is-cyber-security-culture-and-why-does-it-matter-for-your-organization
National Cyber Security Centre. (2019, March 21). Developing a positive cybersecurity culture. https://www.ncsc.gov.uk/collection/board-toolkit/developing-positive-cyber-security-culture
Walia, P. (2022, September 13). Building A cybersecurity culture in your organization. Forbes. https://www.forbes.com/sites/forbestechcouncil/2022/09/13/building-a-cybersecurity-culture-in-your-organization/?sh=2ca0bcf947a9
Stackpole, B. (2022, March 15). How to build a culture of cybersecurity. MIT Sloan. https://mitsloan.mit.edu/ideas-made-to-matter/how-to-build-a-culture-cybersecurity
Kirvan, P. (2022, January). Build a strong cyber-resilience strategy with existing tools. SearchSecurity; TechTarget. https://www.techtarget.com/searchsecurity/tip/Build-a-strong-cyber-resilience-strategy-with-existing-tools
Final Words
The ebook "Cybersecurity: Risks and Challenges Facing the Board and the C-Suite and The Way Forward" was the author's attempt to bring board members and C-suite executives on the same page about cybersecurity. Usually, when the C-suite approaches the board with presentations on their plans for the organization's cyber well-being, they use cybersecurity jargon, which goes over the heads of many board members. The idea is to familiarize all senior-level organization members with cybersecurity and make them see the dire need to emphasize cyber-risk management to ensure a more stable and secure growth curve for the organization. The chapters of this book present these top leaders with a very daunting question: 'Should cybersecurity be a shared responsibility?' It then explains why collective efforts and open discussions on the current security loopholes and the strategies to mitigate cyberattacks are so important across all levels of the organizational hierarchy.
Once the preliminary step of getting the board and C-suite members to talk about cybersecurity is done, the next step is to develop a cybersecurity plan. Multiple approaches can be adopted to ensure safety against malicious threat actors, insider-attack risk, or third-party supplier hacks. These measures include privileged access control, keeping security tabs on employee devices, etc. There must be consistent and constant measures to educate and train all employees on basic cyber hygiene. Awareness is the first step to ensuring a sensible incident response from employees. This can be done via regular mentions in the company newsletter, an FAQ page, or a cybersecurity update forum where employees receive information on the latest threats, best privacy practices, the security do's and don'ts, etc.
Maximizing vulnerability management efficiency is the way forward, and the step-by-step guide for board and C-suite executives to achieve that has been provided in this book. Many changes need to be made in perception, prioritization, budget, recruitment, risk management, strategies, policies, and the data backup process so that organizations do not suffer huge financial, operational, reputational, and data losses in the event of a cyber-attack. The tech team, C-suite, or individual employees alone cannot shield an organization from online predators, but they are all stronger together. The board and C-suite are at the head of all the cybersecurity planning. A little foresight, constant evaluation of the organization's cyber maturity, and up-to-date data backups (either in the cloud or otherwise) ensure that organizations continue to flourish despite the threat from various attack vectors.