There should be little doubt about the importance of cybersecurity these days, given the amount of attention the topic has garnered. The attack surface is growing as a result of the increasing number of connected devices, malicious apps, the Internet of Things, cloud services and the digitization of business functions. Board members are under pressure from all sides to keep data and business operations safe from cyber-attack.
Indeed, we know boards are concerned about cyber risks, though they are not always as engaged as they should be. According to the US State of Cybercrime report, 30% of participants stated that there is no board engagement in this area at all, compared to 25% who reported full engagement in security issues, planning and decision making.
To avoid damaging data and financial losses, boards must have a deep understanding of the cyber risks that their organizations face. But how are they supposed to know what’s important when the information they receive is filled with jargon?
Now more than ever, it is up to a company’s CISO to lay out the landscape in a way that is easily accessible with actionable information to ensure the organization is making cost-effective decisions regarding its handling of cyber-risks. Here is what they need to hear from the security team.
Be proactive
A recent survey revealed that 2016 saw more than 4,000 breaches that exposed over 4.2 billion records. That was approximately 3.2 billion more records than the previous all-time high. Unfortunately, with attack surfaces expanding but security budgets staying tight, talent remaining scarce, and tools lacking seamless integration, it's no wonder that security professionals worry they can’t put their defensive technologies to work as effectively as they'd like.
To this end, security executives should not wait for the board to ask questions about cyber risks and security preparedness. Rather, CISOs and CSOs should proactively and regularly update the board on what’s being done to monitor and mitigate cyber risks.
One suggestion is to start by reminding them that we’re now operating in a “cloud-first” world. Tell them that your team is driving hard to keep business-critical applications and data that reside in on-premises, private, and hybrid clouds safe amid a growing number of access points that hackers can use to launch an attack.
Learn from experience
You’ve seen past approaches fail. While they may still have value, your board needs to know that ultimately they leave your enterprise with too many disparate systems; too many alerts with too little cause and resolution information; and no protection against zero-day threats that exploit unknown vulnerabilities.
Relying on point systems or Security Information and Event Management (SIEM) solutions also results in too much focus on how something bad has already taken place, versus a proactive approach that involves understanding how current activity signals that something bad is about to happen.
Change to suit the landscape
Make it plain to your directors that the threat environment is expanding. Tell them that to combat it, you are pursuing the deployment of a comprehensive and integrated security solution. Explain that your concentration has been on moving beyond implementing discrete defense disciplines – perimeter defenses, log management, vulnerability management, and endpoint security – and even Defense-in-Depth layering tactics, which have fallen short.
Holistic, adaptive security as standard
Highlight the fact that your efforts instead now veer towards a holistic and adaptive security solution that can complement existing security deployments so that ROI isn’t sacrificed. What matters today is a multi-layered security architecture that takes a “predict, detect, and neutralize” stance spanning premises-based, cloud and hybrid network environments.
These days, a modern, agile security architecture must include the ability to automatically recognize patterns in network behavior that let you find threats before they occur – a capability that can be enabled by adaptive behavior analysis and machine learning. Such an architecture should include: real-time analytics, continuous expert monitoring, perimeter and interior protection, peer-level information sharing and operational ease of use.
Given what’s at stake, it’s never been more critical for directors – and your company’s investors – to keep on top of cyber security threats and how to address them. Considering the ease of access that hackers have to tools to do their dirty work – not to mention the criminal enterprise or state sponsorship behind many attacks – this problem isn’t going away anytime soon. Ultimately, CISOs need to give the board the confidence they need to make high-stakes cyber risk decisions that are so critical to business today.