Cybersecurity & Audit, CIO Involvement Grows, & Poor Security Culture – BSW #248
In the leadership and communications section, Cybersecurity increasingly on audit committee agendas, CIO involvement in security grows as CEOs target risk reduction, How Poor Security Culture Leads to Insider Risk, and more!
- 1. Cybersecurity increasingly on audit committee agendas: CFOs can expect to see more cybersecurity experts on their audit committees. Audit committee members increasingly say they need that expertise around the table to better manage this growing responsibility, according to a report by The Center for Audit Quality and Deloitte. Almost 100% of audit committees have members with finance and accounting expertise, but only 35% have members who are strong in cybersecurity, the report finds. And yet cybersecurity is the fastest-growing risk focus for the committees.
- 2. OMB issues zero-trust strategy for federal agencies: All federal agencies must meet zero-trust goals that the U.S. Office of Management and Budget has set by 2024, building on earlier federal cybersecurity initiatives.
- 3. CIO involvement in security grows as CEOs target risk reduction: Half of CIOs are prioritizing security management this year, as CEOs push for IT and data security upgrades to reduce corporate risk, according to IDG's annual CIO survey, which included responses from almost 1,000 heads of IT and 250 line-of-business participants.
- 4. Banks Face Countdown to New Cybersecurity Rules: New federal rules taking effect this spring will require all U.S. banking organizations to meet two primary requirements. (1) Banking organizations must notify their primary federal regulator of any “computer-security incident that rises to the level of a notification incident” as soon as possible, but no later than 36 hours after a determination that such an incident has occurred. (2) A bank service provider must notify each affected banking organization as soon as possible when the provider determines it has experienced a computer-security incident that “has caused, or is reasonably likely to cause a material service disruption or degradation for four or more hours.”
- 5. Cyberinsurance: Federal Court Interprets Banking Fraud Policy: Insureds who think they have coverage for cyber-related losses find that their insurance providers balk at paying claims, which is kinda the point of having insurance. Companies need to examine the scope and extent of their insurance policies, including cyberinsurance and non-cyberinsurance policies, as well as the nature of the risks they think they are insuring against. There are a host of traps for the unwary, and the insurance discussion should include inside and outside counsel, risk management, HR and the cybersecurity team. The worst thing you can do is think you have coverage, pay for what you think is covered, and find out that it’s not covered. The second worst is to only find out that it is covered after spending hundreds of thousands of dollars in legal fees.
- 6. Communication and Leadership: The rapidly changing and fast-paced environment of today’s workplace requires leaders to have the tools and the skill sets they need to remain productive, efficient, and effective. With hybrid and remote work becoming more standardized and permanent, it falls to leaders to fill the void left by the COVID-19 pandemic. Communication must be the first step.
- 7. How Poor Security Culture Leads to Insider Risk: Corporate leadership is expected to set the tone for the entire company. That’s especially important with regard to how the organization approaches cybersecurity. If leadership doesn’t adopt strong security practices, chances are good that the same attitude trickles down throughout the rest of the company, resulting in a greater risk of insider threats.