Insights from Board Directors on Safeguarding Your Organization in the Digital Age

Helen Yu 01/11/2023

Safeguarding your organization in the digital age is a critical undertaking.

By implementing a comprehensive cybersecurity strategy, investing in employee training, securing your network and data, and having an incident response plan, you can better protect your organization from the ever-present digital threats.

In honor of Cyber Awareness Month, I hosted three board directors for a thought-provoking discussion on safeguarding your organization in the digital age.

We explored the pivotal role of Board Directors in ensuring an organization's digital resilience. It is an honor to host this panel discussion on behalf of Global Cybersecurity Association - GCA as a special edition for CXO Spice Cyber Talks. Here is a recap of our discussion:

We kicked off the discussion by introducing our distinguished panelists and their extensive experience in cybersecurity:

  • Andrew Wilder: An adjunct professor for cybersecurity at Washington University, bringing over 20 years of cybersecurity leadership experience, including a notable tenure as a regional CISO at Nestlé.

  • Keyaan Williams: The Managing Director for Class LLC, with over two decades of experience in building and managing cybersecurity and privacy programs, serving as a board member for commercial and nonprofit companies, and contributing valuable insights to books and professional journals.

  • Alex Sharpe: Principal at Sharp Management Consulting, LLC, recognized as a cybersecurity governance and digital transformation expert with real-world operational experience, co-founder of two firms, and participant in over 20 M&A transactions. Alex is acknowledged as a Cybersecurity Thought Leader by Thinkers 360.

Our discussion revolved around the critical role of board directors in cybersecurity, where we explored the responsibilities and strategies involved. Here's a recap of some key insights:

The Responsibilities of Board Directors in Cybersecurity

  • Andrew emphasized the role of the board in implementing a system of oversight and monitoring for cybersecurity, highlighting the importance of specifying this oversight system in the organization's 10-K. The new SEC rules underscore the significance of cybersecurity risk.

Fostering a Cybersecurity-Aware Culture from the Top Down

  • Alex stressed the importance of creating a cybersecurity-aware culture and the value of awareness and training in reducing cyber threats. He emphasized the need for boards to look at all dimensions of cybersecurity risk, not just the technical aspects, and integrate awareness and training into the organization's practices.

  • Keyaan underlined the need for a framework in successful cybersecurity governance. He referred to NIST SP 800-39, which outlines roles and responsibilities for risk management that organizations can adopt. The NIST model addresses security from an organization-wide perspective, so there are specific things that directors can do within the model to support cyber governance at a strategic level.

Tackling Current Cyber Threats and Challenges

Cybersecurity Ventures predicted that cybercrime is going to cost the world $9.5 trillion by 2024. That being said, what are some of the common cyber threats or challenges that you have seen facing organizations today?

  • Keyaan highlighted the risk of apathy in the context of cybersecurity and enterprise risk management among non-technical business leaders. They may see security as the CISO's problem and may not actively participate in discussions or solutions, believing that a budget approval from several months ago should suffice.

  • To mitigate this risk, it is suggested that the CISO should be viewed as a risk leader, not just a technology manager. When cybersecurity is seen as a subset of enterprise risk management, it becomes one of many risks that the organization needs to address. In this approach, everyone in the company who is involved in risk management should actively engage in the conversation.

  • Andrew emphasized the importance of proper enterprise risk management. Companies should not view it as a mere compliance requirement but as a valuable tool for identifying and addressing risks effectively.

Here are some examples of Enterprise Risk Management Done Well:

  • Engaging everyone in the organization in discussions about cybersecurity and risk management is crucial. When everyone is involved, they can collectively seek the best solutions given the available resources, budget, and external assistance. This not only addresses the cybersecurity issue but can also have positive spillover effects on other aspects of the organization, such as operations and compliance.

  • Bringing leadership teams and board members together for a tabletop exercise to simulate scenarios and discuss their roles in addressing cybersecurity issues can be effective in combating apathy. This exercise helps individuals understand the real problem and their responsibilities, thereby reducing apathy and increasing engagement.

Our conversation highlights the need for a holistic and inclusive approach to cybersecurity, where everyone within the organization plays a role in managing and mitigating risks. It underscores the importance of engagement, effective risk management, and tabletop exercises to foster a culture of proactive risk awareness and response.

The Importance of Metrics and KPIs

The discussion started by highlighting the importance of metrics and key performance indicators (KPIs) for cybersecurity. Board members often need to know how to measure and monitor their organization's cybersecurity efforts.

  • Boards are interested in how their organization's cybersecurity performance compares to others in the same industry or of similar size. Benchmarking helps determine if cybersecurity spending is appropriate and effective.

  • Another critical metric is assessing the organization's cyber maturity. This involves both external and internal assessments, including penetration testing, to ensure a well-rounded understanding of the organization's security posture. Metrics related to phishing attacks and awareness training completion rates can help gauge the organization's overall security posture.

Technology Evolution and Offense-Defense Dynamics

Our conversation highlighted how technology evolution is continually changing the cybersecurity landscape. Cybersecurity professionals must adapt to emerging technologies and evolving threats. Offense-defense dynamics play a significant role in shaping the cybersecurity landscape.

  • Answering these three questions provides a solid foundation for the board to evaluate the organization's cybersecurity posture and make informed decisions regarding risk management and resource allocation:

    1. What is the current cyber risk profile of the organization?
    2. What is our actual exposure, and how are we reducing it?
    3. What specific, quantifiable business impact do cyber risks and data exposures have?

The Evolving Role of Technology in Cybersecurity

  • We discussed how technology's rapid evolution impacts cybersecurity.

  • We highlighted the historical impact of technological advances on productivity and the ongoing struggle between offense and defense in cybersecurity.

  • Ransomware is cited as an example of emerging threats enabled by technological shifts, such as the rise of Bitcoin. The discussion also touches on the need to protect, not just defend, against cyber threats.

  • Our conversation highlights the potential benefits and challenges of generative AI in cybersecurity. It concludes by underlining the importance of boards understanding both the positive and negative implications of emerging technologies, especially in large enterprises.

Balancing Cybersecurity with Budgetary Constraints

  • We explored the role of cybersecurity leaders as subject matter experts who can quantify cybersecurity risks and present mitigation strategies. Boards and executive teams make decisions based on their risk appetite, balancing concerns and resources.

  • The concept of data-driven defense is introduced as a methodology for focusing on current threats and attacks, rather than investing in generic security measures. The analogy of improving locks on a front door while the burglars enter through a window is used to illustrate the need for asset-driven defense, protecting vital assets and intellectual property.

  • The importance of recognizing that cybersecurity is also "people-driven" is highlighted. The effectiveness of security measures relies on a holistic approach that considers not only technology and data but also the behavior and awareness of individuals in the organization.

Closing Thoughts

  • Emphasizing the importance of recognizing that cybersecurity is everyone’s responsibility. While strong controls may lead to objections, they can significantly reduce risks. Reducing the need for administrative privileges is highlighted as a strong defense against malicious software execution. The need to configure defensive mechanisms correctly is stressed.

  • Acknowledging that many data breaches originate from social engineering attacks. The conversation points out the need to prevent lateral movement across networks and privilege escalation, which are common in recent breaches. Organizations are urged to take proactive steps to address these issues.

  • Encouraging organizations to adopt technology with a clear business justification and demonstrable value. Rushing to implement unproven technology without understanding its potential impact on the organization is discouraged. The focus is on ensuring that technology adds value, improves processes, reduces costs, or enhances business outcomes.

  • A strong emphasis on the importance of “Going Back to Basics”: adhering to fundamental cybersecurity practices, including access control, data encryption, backups, incident response, and business continuity planning. These are viewed as essential components of cybersecurity, regardless of specific standards or requirements.

Our discussion underscores the collective responsibility of cybersecurity, starting with board leadership and cascading throughout the organization. The importance of a cyber-aware culture, training, and awareness at all levels is highlighted. Cyber threats and challenges are discussed, with a focus on the role of boards in guiding organizations through these challenges. The conversation also emphasizes the ever-evolving role of technology in cybersecurity and the need for informed decision-making, especially for smaller businesses. The session ends with a call to continue the cybersecurity conversation and ensure organizations are well-prepared to safeguard their assets.

Helen Yu

Innovation Expert

Helen Yu is a Global Top 20 thought leader in 10 categories, including digital transformation, artificial intelligence, cloud computing, cybersecurity, internet of things and marketing. She is a Board Director, Fortune 500 Advisor, WSJ Best Selling & Award Winning Author, Keynote Speaker, Top 50 Women in Tech and IBM Top 10 Global Thought Leader in Digital Transformation. She is also the Founder & CEO of Tigon Advisory, a CXO-as-a-Service growth accelerator, which multiplies growth opportunities from startups to large enterprises. Helen collaborated with prestigious organizations including Intel, VMware, Salesforce, Cisco, Qualcomm, AT&T, IBM, Microsoft and Vodafone. She is also the author of Ascend Your Start-Up.
