Check Point Software’s cyber security evangelist Ashwin Ram shares 5 essentials for boards that will help drive cyber readiness.
A recent spate of successful cyber attacks against Australian organisations, the resulting Privacy Legislation Amendment, and significant increases in penalties due to data breaches should have placed cyber readiness at the forefront of many boardroom discussions. Organisations that experience a successful data breach can expect weeks, if not months, of intense media scrutiny and significant unplanned costs. The reality is that many of the successful breaches are not the result of so-called sophisticated attacks, but failure to get the basics right – in other words, lack of good cyber hygiene.
In my conversations with CISOs, it is obvious that one of their primary challenges is getting the appropriate level of risk awareness and then the appropriate executive sponsorship for cyber security programs. While risk management is fundamental to good corporate governance, it often feels like reducing cyber risk requires some black magic before being taken seriously at the executive table. This is where boards can play a crucial role in ensuring that executives are doing everything possible to reduce cyber risks.
According to consulting powerhouse PwC, “Cyber is a complex, technical area with emerging threats occurring almost weekly. Most board members are not cyber experts, yet boards have a fiduciary obligation to understand and oversee this significant risk.”
What can boards do to navigate the cyber minefield and steer the organisation towards cyber readiness? In this article, I will share some key questions and considerations for boards, helping them drive cyber maturity through a focus on a robust risk management program and on a cyber aware culture throughout the organisation, starting from the very top.
The key areas of focus must be cyber literacy of board members, prevention of any impact to ongoing operations, protection of customer data and protection of reputations. Then, they can examine evidence of the effectiveness of security controls and processes, incident response and risk management. There are, of course, other areas of focus for boards; however, the aforementioned areas deserve the most urgent attention.
You can’t fix a problem that you don’t understand. One of the key questions therefore must be, ‘do we have cyber-expertise within the board?’ Adding a cyber expert to the board must be a priority to ensure boards are on top of current and emerging cyber threats. To quickly mature cyber literacy, boards can also engage external cyber experts. While not every member of the board needs to be a cyber-expert, it is important that board members are cyber literate. At the very least, an understanding of the top attack vectors, issues that have occurred at peer organisations and related factors that have the greatest impact on the cost of cyber attacks should be considered foundational knowledge.
Board members should seek out various online publications, such as CyberTalk, that are focused on keeping cyber executives up-to-date on current cyber threats and trends. This can be a great resource for boards to improve their cyber literacy.
Another effective way for members of the board to assume leadership around their organization’s cyber challenges, while simultaneously increasing their own cyber literacy, is to offer mentorship opportunities to the organization’s cyber executives and CISO. This can help build trust and transparency, yielding mutual benefit.
Crown jewels protection
Most cyber criminals are motivated by financial gains. To that end, their primary focus is gaining access to an organisation’s crown jewels and monetizing malicious activity as much as possible. Ransomware attacks, for example, have evolved from double extortion to triple extortion over the last couple of years. This means that cyber criminals are not only demanding ransom from organisations, but are also demanding payments from organisations’ customers. This is why boards must help drive a culture of attack prevention. To meet community expectations and regulatory requirements, protection of customer records, patient data, financial information, personally identifiable information (PII), trade secrets and other highly sensitive data must receive top priority.
It is worth noting that not all attacks are financially motivated. Some have ideological or geopolitical motives. Earlier this year, The Washington Post reported, “In February, a hacker or hackers breached the water-treatment system in Oldsmar, Fla., and attempted to raise the level of sodium hydroxide, or lye, in the water more than 100-fold — from 100 parts per million to 11,100 parts per million. Sodium hydroxide, used to control water acidity, is poisonous at high levels.”
These types of attacks are designed to harm lives or cripple nations. Relying on detection capabilities in these cases can prove to be fatal. This is why a prevention-first approach is an absolute must.
Boards will do well to ask the following crown jewels-specific questions:
- Do we know what and where all of our crown jewels are?
- Do we have an appropriate level of security to prevent unauthorized access?
- Are we using encryption technology to secure our crown jewels?
- Do we have a clear understanding of who the owners of critical and highly sensitive assets within our organization are? Is this clearly documented and communicated?
- Are asset owners consulted before access to crown jewels is granted or modified?
- Do the asset owners have control over who or what can access crown jewels?
- Are we using credible 3rd party experts to test the security controls protecting our crown jewels?
- Are we resilient to an attack, with multiple layers of prevention?
- How fast can we restore critical operations if encrypted by ransomware?
- Do we need an MSSP to monitor 24/7 and assist with Incident Response?
Effectiveness of security controls and processes
Many organisations invest in cyber security controls without proper evaluation. Post-breach analysis of many successful cyber attacks has revealed that many attacks could have been prevented. However, the controls implemented were not effective – in other words, the security controls of the incumbent vendor could not identify and block the attacks. Here are some questions the board can ask to validate security effectiveness:
- How often do we validate the effectiveness of security controls?
- Are we using credible external partners to validate best practices to block attacks?
- Can our endpoint security automatically remediate ransomware attacks on remote devices?
- Are we regularly evaluating our controls to ensure we are blocking current threats?
- Are our security controls geared towards preventing attacks?
- Do we have controls in place to nullify weaponized documents delivered to our employees via personal emails or from trusted business partners?
- Are we regularly validating controls’ effectiveness for cloud misconfiguration, exposure of corporate credentials, phishing attacks and vulnerabilities in 3rd party software?
- Are we using the principle of least privilege and default deny as part of our security policies, particularly for our crown jewels?
- What independent tests are we using to validate security control effectiveness prior to procurement?
- Are we using credible, industry accepted frameworks and security models to mitigate cloud-based threats?
Sound cyber security practice takes into account people, process and technology. Some key questions to validate sound security processes include:
- Are any of our C-Level executives engaged and driving the cyber steering committee?
- Do we have offline backups, and are we able to recover quickly from the backups?
- How often are we testing business continuity processes?
- Are we moving from DevOps to DevSecOps?
- What is the status of our Zero Trust roadmap?
The Cost of a Data Breach Report 2022, conducted by the Ponemon Institute, found that “Having an IR team and an IR plan that was regularly tested led to significant cost savings. Businesses with an IR team that tested its IR plan saw an average of USD $2.66 million in lower breach costs than organizations without an IR team and that do not test an IR plan. The difference of USD $3.26 million versus USD $5.92 million represents a 58% cost savings.”
To ensure effective incident response capability, boards should seek answers for the following:
- Are our top executives, including our CEO and all key business stakeholders, participating in regular tabletop exercises?
- Have we validated our incident response playbook with a 3rd party Incident Response Team?
- Are we testing our incident response plan under new normal conditions where not every member of the response team can be in the same room?
- What were the main areas of concern from previous tabletop exercises, and have they been addressed?
- Do we have existing arrangements with any dedicated 24/7 Incident Response Team with a proven track record, which can quickly assist, if needed?
- Do we have our general counsel, members of the HR team, public relations team and key stakeholders as part of the incident response team and do they know their roles and responsibilities?
- Have we established a process to notify relevant authorities and business partners in the event of a successful cyber attack?
- Do we have a process in place to document security incidents in line with any legal or regulatory requirements?
“The effectiveness of risk management depends largely on the degree to which it is part of an enterprise’s culture and the extent to which risk management becomes everyone’s responsibility”.
Some key risk management questions that cyber aware boards should be asking include:
- Do we have any high-risk cyber vulnerabilities that have been left unaddressed?
- What resources are required to address threats that will cause the organisation the most harm?
- What part of the security posture requires the most urgent attention?
- Do we have a risk register for all of our ongoing IT-related projects?
- Are we regularly carrying out Risk Assessments against the entirety of our digital footprint?
- Are we leveraging a strong compliance framework like NIST Special Publication 800-53 to ensure that we are addressing and improving our posture over time?
- Do we have an understanding of our current risk exposure and potential consequences of a compromise?
- When evaluating new security controls, are we doing our due diligence to ensure new risks are not introduced?
When it comes to cyber attacks, a commonly held belief is ‘not if, but when.’ The reality of the threat landscape is much worse than many perceive, as was highlighted by the Cost of a Data Breach Report 2022, which found that “83% of organizations studied have experienced more than one data breach, and just 17% said this was their first data breach. Sixty percent of organizations studied stated that they increased the price of their services or products because of the data breach.”
This revelation, and the newly introduced legislation paving the way for hefty penalties, now demand that boards drive cyber readiness with a focus on threat prevention and the prevention-first cyber security model. Boards should focus on understanding what is required to mitigate cyber risks. In other words, ‘what does good cyber capability look like?’
Source: ISACA, CISM Review Manual, 16th Edition