Vigilance and awareness are critical for compliance and cybersecurity maturity. Board members who are not familiar with the key indicators of a resilient business that meets its compliance requirements are not fulfilling all of their responsibilities.
Board members need to understand the principles behind their duties in order to reduce the organization's exposure to cyber risk and to other outage-causing events that could harm its revenue and reputation.
Resilience begins with the Board of Directors, not the IT Department. A corporate board that prioritizes data security can set the tone throughout an organization by instilling a culture of security, establishing strong expectations, and breaking down internal silos to facilitate technical and strategic collaboration.
Compliance is a Board-Level Responsibility
The trend toward appointing board members with deep experience in IT security and IT operations is gaining momentum. In its 2021 publication The Changing Role of the Board on Cybersecurity: Robust oversight ‘Now’ for a secure ‘Next’, Deloitte asserted that because of the risk of crippling disruption to business, “Cybersecurity oversight has now become the most important topic for the Board after strategic planning.”
In July 2023 the U.S. Securities & Exchange Commission (SEC) adopted final rules that will “require public companies to disclose both material cybersecurity incidents they experience and, on an annual basis, material information regarding their cybersecurity risk management, strategy, and governance.” The rules are in the same spirit as the breach-notification requirements of the European Union’s General Data Protection Regulation (GDPR), which obliges organizations to notify their supervisory authority of a qualifying personal-data breach within 72 hours.
More and more focus is being placed on cyber resilience, which brings traditional cybersecurity topics together with operational and business resilience.
In 2023 the National Institute of Standards and Technology (NIST) released its draft of version 2.0 of the NIST Cybersecurity Framework, introducing new guidance and adding a sixth function, Govern, alongside Identify, Protect, Detect, Respond and Recover, to drive improved cross-functional collaboration and executive accountability. The NIST framework is a valuable resource for building a cyber and operational resilience strategy.
In the State of Cybersecurity 2023 report by the Information Systems Audit and Control Association (ISACA), over 50% of companies indicated that they were “somewhat or significantly understaffed” in cybersecurity roles. Twenty percent indicated they had unstaffed cybersecurity positions on their executive team.
Another relevant statistic from the report is the list of top obstacles to performing a cybersecurity risk assessment:
- Time commitment
- Not enough personnel
- Lack of internal expertise
- Leadership buy-in
Given these developments, and the trend toward holding boards clearly responsible for the security of their organizations’ networks, C-level executives must review their budgets for IT operations, security, and compliance to ensure their IT leaders have the resources to meet government, regulatory and board expectations.
IT leaders must prepare for the questions they are likely to hear as board members take steps to inform themselves of their organization’s maturity.
Top Questions to Ask Before an Incident Happens
Here are key questions boards should ask their operations teams. The answers will help them assess current conditions and shape a strategy that is aligned with the current threat and compliance landscape.
Q: Are our risks and the impact of those risks understood and prioritized?
The risk to the business is the most important thing to understand. Risks associated with cybersecurity attacks range from loss of data, with the reputational damage that follows from disclosure requirements, to major outages that directly affect business operations. The impact of these risks is nearly always lost revenue, plus the loss of future revenue when work that depends on the same teams, such as digital transformation, new product launches and other initiatives, stalls while those teams respond to the incident.
Mapping the business operations that depend on healthy IT services helps quantify the impact of service outages and security incidents, and helps make the case for allocating more resources to IT operations, cybersecurity, and network compliance.
In most organizations, everything runs through IT. When the correlation between business services and their IT dependencies is well understood, the risk driven by the health of those services can be communicated and prioritized effectively.
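The dependency mapping described above can be made concrete with a small graph model. The following is an added, illustrative example written for this article, not ScienceLogic code; the component names, the dependency edges and the revenue figures are constructed sample data. It walks each business service’s transitive dependency chain so that any asset, including shared infrastructure several layers down, can be ranked by the revenue per hour it puts at risk when it fails:

```python
"""Rank IT assets by the business revenue that depends on them.

Added example for this article (not ScienceLogic code). All names and
numbers below are constructed sample data.
"""

# Constructed sample: each component maps to the components it depends on.
# Business services appear as keys; infrastructure appears as values.
DEPENDS_ON = {
    "online-orders": ["web-tier", "order-db", "payment-gateway"],
    "customer-support": ["crm-app", "sso"],
    "web-tier": ["sso", "core-switch"],
    "order-db": ["san-storage", "core-switch"],
    "crm-app": ["order-db", "sso"],
    "payment-gateway": ["core-switch"],
    "sso": ["directory-server", "core-switch"],
}

# Constructed sample: revenue at stake per hour for each business service.
REVENUE_PER_HOUR = {"online-orders": 40_000, "customer-support": 5_000}


def dependency_closure(component, graph=DEPENDS_ON):
    """Return every component that `component` transitively depends on.

    Uses an explicit visited set, so accidental cycles in the inventory
    (a common data-quality problem) cannot cause infinite recursion.
    """
    seen, stack = set(), [component]
    while stack:
        node = stack.pop()
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def impacted_services(asset, graph=DEPENDS_ON, services=REVENUE_PER_HOUR):
    """Business services that stop if `asset` goes down."""
    return sorted(s for s in services if asset in dependency_closure(s, graph))


def revenue_at_risk(asset, graph=DEPENDS_ON, services=REVENUE_PER_HOUR):
    """Hourly revenue exposed by an outage of `asset`."""
    return sum(services[s] for s in impacted_services(asset, graph, services))


def prioritise_assets(graph=DEPENDS_ON, services=REVENUE_PER_HOUR):
    """All infrastructure assets, highest revenue-at-risk first."""
    assets = set(graph) | {d for deps in graph.values() for d in deps}
    assets -= set(services)  # business services are the targets, not assets
    return sorted(((revenue_at_risk(a, graph, services), a) for a in assets),
                  reverse=True)


if __name__ == "__main__":
    for revenue, asset in prioritise_assets():
        print(f"{asset:18s} ${revenue:>8,}/h  -> {impacted_services(asset)}")
```

Running it on the sample data shows why shared components such as the core switch, SSO and the directory server rank above the web tier even though none of them is a “revenue system” in its own right: every business service reaches them through some dependency chain. The same traversal works over an exported CMDB or discovery inventory once it is expressed as the same adjacency mapping.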
Q: What are our most important assets and how are we protecting them?
One simple axiom in cybersecurity is “You can’t protect what you can’t see,” or perhaps more accurately, “You can’t protect what you don’t understand.” One of the biggest challenges in building a secure business is knowing what assets you have, what data they hold or process, and how important they are to the business.
It is critical for risk management that the business has this information, and the board of directors must make sure the organization’s most important assets are secured to the highest reasonable level.
Are we concerned about customer data, revenue-generating processes, or company intellectual property? Asking what needs to be protected, and why, is the vital first step. If there is no agreement on what to protect, the rest of the cybersecurity strategy is at risk.
Q: How are our compliance and regulation obligations being managed?
Achieving and maintaining regulatory compliance is a rigorous process that requires constant monitoring, testing, and documentation.
Most regulatory and compliance mandates have clear lists of requirements that IT teams must follow, but technical requirements are only part of the picture. Focusing on them alone leads to significant impact and cost during audits and in the event of an incident.
In many regions, regulations mandate that incidents be reported, so there must be a plan in place for doing so. Records must be available to inform investigators and to give outside authorities evidence that your organization did the right thing both before the event and in response to it. If your organization works with (or wants to work with) government agencies, there will be further compliance considerations depending on your location.
Q: Have we understood the impact of a cyber-attack?
Another axiom of cybersecurity is “Assume breach.” While worrying in tone, and perhaps contentious for some, it is the one principle that most reliably drives decision-making toward a resilient business.
Within the cybersecurity field this is well understood; outside it, the likelihood of an attack is often underestimated, because people are not good at evaluating risk until the worst happens.
Businesses must understand the impact of both cyberattacks and other outages. In the IBM and Ponemon Institute Cost of a Data Breach 2023 report, the average cost of a data breach was measured at 4.45 million dollars.
This includes 1.3 million dollars of lost business due to:
- Business disruptions and revenue losses from system downtime
- Cost of lost customers and acquiring new customers
- Reputation losses and diminished goodwill.
A further 560 thousand dollars of cost was associated with non-compliance with regulations.
Whether it is due to a cyberattack, a misconfiguration or some other incident-causing event, the cost of a serious outage significantly affects a business. In one dramatic example of the importance of maintaining healthy operations and enabling rapid recovery, a major network services provider was completely offline for twenty hours. The outage affected business and residential telephone and internet service, emergency services, and critical commercial services for tens of thousands of customers.
In the short term the outage cost the company $150 million in customer credits. In the long term, the company has pledged to spend ten billion dollars on improvements.
Q: What is our disaster recovery plan?
Even the best-run enterprises suffer business disruptions from errors and incidents, so a recovery plan is essential to operational resilience and continuity.
As part of that plan, and beyond regularly scheduled backups, take configuration backups immediately before network testing or a change window, and verify them, so that you know your restore procedure actually works before you need it to bring systems back online. The recovery plan must also be designed to complement the organization’s compliance objectives and to meet regulatory requirements for data security, including retention of the evidence that a restore was performed from a known-good state.
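The pre-change configuration backup recommended above is only useful if the restore can be trusted, so a snapshot should carry an integrity manifest and the restore should be verified against it. The following is an added example written for this article, not ScienceLogic code or any product’s backup format; the file names, contents and directory layout are constructed, and the choice of SHA-256 manifest and `*.conf`/`*.cfg` patterns are assumptions:

```python
"""Snapshot configuration files before a change, then verify or restore.

Added example for this article (not ScienceLogic code). The manifest
format, file patterns and sample configs are assumptions/constructed.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large config dumps do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_configs(src_dir: Path, backup_root: Path,
                     patterns=("*.conf", "*.cfg")) -> Path:
    """Copy matching configs into a timestamped directory and write a manifest.

    The manifest (MANIFEST.json) records the SHA-256 of every file as it
    was copied, so the snapshot can later be checked for tampering or drift.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_root / stamp
    dest.mkdir(parents=True)          # refuses to overwrite an existing snapshot
    manifest = {}
    for pattern in patterns:
        for cfg in sorted(src_dir.rglob(pattern)):
            rel = cfg.relative_to(src_dir)
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(cfg, target)  # copy2 preserves timestamps for evidence
            manifest[str(rel)] = sha256_of(target)
    (dest / "MANIFEST.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_against_manifest(snapshot_dir: Path, live_dir: Path) -> dict:
    """Compare live configs with the snapshot manifest; report ok/changed/missing."""
    manifest = json.loads((snapshot_dir / "MANIFEST.json").read_text())
    report = {"ok": [], "changed": [], "missing": []}
    for rel, expected in manifest.items():
        live = live_dir / rel
        if not live.exists():
            report["missing"].append(rel)
        elif sha256_of(live) != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def restore_from_snapshot(snapshot_dir: Path, live_dir: Path) -> dict:
    """Copy every manifest file back into place, then verify the result."""
    manifest = json.loads((snapshot_dir / "MANIFEST.json").read_text())
    for rel in manifest:
        dst = live_dir / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(snapshot_dir / rel, dst)
    return verify_against_manifest(snapshot_dir, live_dir)


def demo() -> dict:
    """Self-contained walkthrough on constructed files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "etc"
        live.mkdir()
        # Constructed sample configs (not real device output).
        (live / "router.cfg").write_text("hostname edge-1\nntp server 192.0.2.10\n")
        (live / "firewall.conf").write_text("deny any any\n")

        snap = snapshot_configs(live, Path(tmp) / "backups")
        clean = verify_against_manifest(snap, live)

        # Simulate a failed test window: one file altered, one lost.
        (live / "firewall.conf").write_text("permit any any\n")
        (live / "router.cfg").unlink()
        drifted = verify_against_manifest(snap, live)

        restored = restore_from_snapshot(snap, live)
        return {"clean": clean, "drifted": drifted, "restored": restored}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The pre-change snapshot gives a known-good baseline, the drift report shows exactly which files a failed test touched or removed, and the post-restore verification is the evidence an auditor or investigator will ask for: that systems were returned to the documented state rather than to whatever happened to be on disk.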
How ScienceLogic can help
These questions may be difficult to answer today, but it is far better to have those conversations in advance than to face them after an event.
Beyond the core cybersecurity technologies, it is of the utmost importance for organizations to build a comprehensive understanding of their systems, with a complete inventory of assets placed in a business-service context, so that you know what assets you have and how important each one is.
Combining this with continuous observability, and with automation for repetitive and programmatic processes such as audits and configuration backups, is vital to ensuring that decision-making, recovery and compliance demonstration are fast, accurate, and fully documented.
Contact us to discuss our AIOps and Network Configuration Management and Compliance solutions with one of our experts.