Security pros may not think of the boardroom first when considering how to improve cyber security and better manage cyber resilience. However, board members can use their considerable power and experience to become a great asset to an organization’s overall cyber security posture.
Given the continuing occurrence of costly data breaches, boards know they must take more responsibility to protect their organizations against financial and reputation loss as a result of cyber security failures. Boards can help in threat defense by doing the following: adopt better practices in risk reporting and analysis; seek informed external opinion; and support the use of the most advanced technology to accurately assess their organization’s cyber resilience.
Boards are pivotal in improving the levels of corporatewide cybersecurity and are responsible for managing cybersecurity resilience and providing confidence to stakeholders in the business that levels of control are commensurate and appropriate. However, board members will want to know just what a good cyber security defense looks like. The simple answer: Good cyber security protects the data and applications the company cares about – and that differs for each organization. So, boards need to draw on the knowledge and expertise of others to make the right judgements.
Corporate boards are responsible for many other risk-related activities where qualitative analysis and professional opinion are used to support its decisions. Financial risk management serves as one example. Boards need to execute this same level of scrutiny when assessing cyber security and resilience. They need to require cybersecurity professionals to deliver reporting at a standard of detail and analysis that parallels other types of formal risk reports.
The role of penetration tests
Of course, no organization can be 100% secure against attack and there’s a significant difference between the capability of an individual downloading a basic attack tool from the internet to the capability of serious organized crime or hostile intelligence services. Therefore, the level of technical control may also vary.
Penetration tests can help companies establish what level of control needs to occur, in context with the capability of a potential attacker. These test results help to form an opinion that the security team can present to a board and other stakeholders.
They also offer an indication of the level of resilience that the organization has against technical cyber security attacks. By simulating malicious attacks from inside or outside of the organization to see how easy it is to break into a network or computer system and steal valuable data or deny access to critical assets, companies can evaluate the vulnerabilities they are up against.
The technical cyber resilience opinion
As an industry, those responsible for technology often like to set formal targets or key performance indicators (KPIs) backed by mathematics. However, KPIs generally are not used against the number of unsuccessful attempts at fraud or money. And that’s why opinion-based reports are so important. Indicators based on statistics such as the number of successful or prevented attacks and breaches are interesting from a headline perspective, but are often not very useful as a demonstration that the organization has in place appropriate and commensurate cybersecurity controls.
It may come to pass that senior penetration testers will be formally asked for their opinion on the appropriateness of the technical controls, which then can form a core part of the overall board cyber resilience report. Under those circumstances, cybersecurity resilience opinions would become statements that provide information about an organization’s cybersecurity resilience position for stakeholders and decision makers. Unlike some other aspects of the business, resilience against attacks are often a very technical issue and therefore we must find a way of describing the technical cyber security controls to a wide range of stakeholders. While the stakeholders range from the board to investors, suppliers and customers, the question about resilience against attack must get balanced against questions about the justification of more corporate investment in cybersecurity.
To provide the same degree of confidence as financial or legal opinions, qualified external experts must offer the cybersecurity resilience opinion with a detailed understanding of technology combined with the ability to contextualize this in terms of supporting security activities and desired business outcomes. They need to examine the technical cyber security position and give their professional view on whether management has taken appropriate and justified steps to protect the information systems they are responsible for over given periods.
Penetration tests are a valuable tool in proving that the controls in place are providing an appropriate level of protection, while cyber threat intelligence will help to contextualize the controls in relation to type of attackers and their capability. This combined information gives security operations centers deeper knowledge with which to make decisions on risk mitigation and/or more security investments.
Specific industries such as banking and financial services, aviation, telecommunications, and energy, are already setting up their own methodology to improve cyber threat intelligence. The first of these was CBEST, developed by the Bank of England (BoE) and supported by CREST. It’s a framework to deliver controlled, intelligence-led cyber security tests that replicate behaviors of threat actors identified by government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. The inclusion of specific cyber threat intelligence ensures that the tests replicate as closely as possible the evolving threat landscape and therefore will remain relevant and up to date.
The power a board can yield in cyber resilience
Boardrooms have inherent power to influence important members of their organization’s executive team and other stakeholders. By taking more responsibility to gauge the level of cyber resilience and risk mitigation in their organization, they add another layer of cyber defense.
Take a page from financial reporting and begin the practice of obtaining a cyber security resilience opinion. This gives added intelligence to just how prepared the organization is in preventing, or responding to threats. By using third party expertise, and analysis like penetration tests, a board will not only gain the confidence of all stakeholders, but have the satisfaction of being a more powerful contributor to the organization’s business viability.
Tom Brennan, chairman, CREST USA
