Fortifying your defenses: Key considerations for Cybersecurity Awareness Month
October is Cybersecurity Awareness Month, which provides a time for us and all organizations to examine current security practices. Monica Landen, Chief Information Security Officer at Diligent, shares a few considerations to empower your organization.
As cyberthreats continue to evolve, it is crucial for organizations to strengthen their cyber programs and ensure that the board of directors is well-informed about the state of their cybersecurity posture.
Whether you're a new or small company that wants to grow quickly, or a global enterprise with a solid cybersecurity program in place, no organization is immune to cyberattacks. One of the key responsibilities of leaders and the board is to stay updated on the latest trends and threats in the cyber landscape. This includes understanding the potential impact of cyberattacks on the organization's overall operations, not to mention its financial stability and reputation.
Here are a few considerations for directors and executives to keep in mind, and to check in with their CISOs about:
Focus on the basics and foundational practices
It's easy to get distracted by the latest shiny technology that promises to solve all problems. In reality, foundational practices reduce cyber risk significantly.
Keeping software up to date, enforcing multifactor authentication (ideally a phishing-resistant form) and maintaining strong password policies make it harder for cybercriminals to gain access to sensitive information. To bolster security, routinely educate employees on how to identify and resist social engineering and emerging threats such as deepfakes. AI lets attackers continuously refine and accelerate their methods, which makes this employee training a critical and ongoing necessity rather than a one-time event.
By neglecting these fundamental practices, organizations leave themselves vulnerable to otherwise preventable attacks. This can't be a one-and-done exercise: cyberthreats are always evolving, so reviewing and strengthening these basic practices regularly is essential to maintaining a strong defense.
Consider your talent needs
Does your organization have the right talent in place to do the minimum baseline of security practices? Globally, there is a shortage of cybersecurity talent to address current challenges. According to a recent White House article, there are half a million open cybersecurity jobs in the U.S. alone.
The CISO has had to evolve from a technical controls expert into a business-centric leader who can effectively communicate risk management and business impact to executives and the board.
And cybersecurity expertise needs to extend to the board itself. Only a board well-versed in today’s threats is equipped to set an appropriate risk appetite, align cybersecurity to strategic initiatives and fully understand and challenge what their CISO and risk officers are telling them.
Assess your current talent pool, both within your organization and on your board, and identify any gaps in cybersecurity knowledge and skills. Consider investing in training and development programs, like the one offered by Diligent Institute, to improve the cybersecurity literacy of your leaders and board members. This will help protect your organization and demonstrate a commitment to cybersecurity to your stakeholders. You may also find you need to partner with external resources, such as cybersecurity firms or consultants, to supplement your talent.
Create better alignment between the board and CISO
Even with upskilling, most boards are not composed of cybersecurity experts, so CISOs must avoid technical jargon and focus on business impact when conveying information.
“It's difficult for even the most seasoned practitioners of cyber to understand it all, so it's going to be hard for the board to understand it,” said Derek Vadala, Chief Risk Officer at Bitsight Technologies, at Diligent’s recent user conference.
Board members are most interested in how cybersecurity risks can directly affect the organization's goals and day-to-day operations. Ultimately, they want a clear answer to the question: “How secure are we?”
One effective way to communicate this is by quantifying the risks. Tying outcomes to numbers (such as the estimated likelihood and financial impact of a given scenario) lets the board better understand the potential consequences and prioritize areas for improvement. Additionally, reporting on other key performance indicators (KPIs) or metrics, such as the number of incidents, response times and compliance rates, can provide a clear picture of your organization's cybersecurity posture.
“People tend to go into the boardroom with metrics and stats and elaborate slides about what's going on in the organization. And I think you have to really synthesize that into the mindset of the board and the context of risk management,” Vadala said. “The board really wants to understand, ‘What should they be worried about? What are you doing about it? How are we doing in that program?’ It's hard to get to that conversation, which is key to establishing trust, because we start with bringing a lot of data and not showing what to focus on. There tends to be a crush of data before establishing guardrails about what to be worried about.”
Build your resiliency
A lot of effort goes into preparedness: bringing the right people into the conversation and having the right metrics to track. What is often not at the forefront is what happens after an attack. A crisis plan, one that has been rehearsed before it is activated, is a must-have.
Consider holding tabletop or simulation exercises to ensure you are prepared and know how the organization will respond. The exercise should define who does what during an incident, from leadership to IT to communications, and assign specific roles such as incident commander, communications lead and technical lead. Don't be afraid to uncover gaps, discuss areas for improvement and rerun the exercise as necessary; a plan that has never been tested against a realistic scenario is not yet a plan.
Security is everyone's job
It's important to create a security culture and for the board and executive leadership to lead by example. This means not only knowing the risks and possible effects but demonstrating a commitment to cybersecurity by actively participating in and supporting cybersecurity projects. By setting a tone of prioritization and accountability from the top, the rest of the organization will follow suit.
An easy win is having a regular forum to talk about cybersecurity awareness. While October is a great month to start, it's important that you prioritize this conversation all year round. This also includes regular training and awareness programs for employees at all levels, as they are often the first line of defense against cyberthreats.
While October champions the critical work done by cybersecurity professionals and cyber-literate organizations everywhere, remember that cybersecurity should be a focus not just this month, but all year long.
Learn more practical steps to secure your governance ecosystem in our guide, Securing the governance ecosystem.