Do board members get cybersecurity wrong?
My industry has a major problem taking highly complex and alien concepts and putting them into language that normal business people can understand.
Cybersecurity/business security is a complex, expensive and time-consuming process if you want to get it right.
There are no shortcuts, it is never complete, and you need contingencies for any and every event.
There is also a huge difference between the IT world and the risk-based cybersecurity requirements of your business.
As a board member do you:
Trust "IT experts" to know cyber?
Cyber and IT are different!
IT is all about keeping the lights on and the revenue engines running.
Cyber and business security is all about the risk to the business from the digital space.
What are the risks to the assets of the business: the people, information, property and your reputation?
Once you know the risks to the assets then you can mitigate them with good strategies.
Think you know more about cybersecurity than the experts?
We are often faced with people outside the industry telling us that they know more about the bad guys and their capabilities than we do.
Would you tell a mechanic that you know more about cars, or an accountant more about taxes or a solicitor more about law?
We use subject matter experts for a reason!
For some reason, everyone thinks they know more about cyber and does not see the industry as experts in the field.
Understand cyber financial literacy?
There is a simple equation that we use regularly in the industry.
Spending $1 before a cyber event is equivalent to spending $9 after an event.
97% of cyber-attacks are preventable but to prevent them you need to be proactive.
Have insufficient oversight of data, customers, assets and business capability?
If you do not know your assets then you cannot protect them.
Understanding your assets is the first step in protecting your organisation from a cyber event.
Have an inadequate understanding of cyber risk, mitigation and monitoring?
The risk to every organisation from the digital space is significant.
A simple non-criminal event (a lost laptop, a printer failure or a corrupt hard drive) can cause major issues.
Understanding the protection requirements takes an understanding of what your assets are, what the risks to those assets are and how those risks can be mitigated, and then revisiting the whole process every three to six months.
Understand the usefulness of a cybersecurity framework?
Implementing a framework to secure an organisation is essential to ensuring the organisation is protected.
It reduces the chance of things being overlooked, and it reduces the need for knee-jerk reactions to events happening in real time.