Most organizations today rely on computer technologies to function. Cybersecurity and cyber risk management ensure that the organization can exploit the full potential of those technologies, which makes them strategic to organizational resilience. Decision-making and support for them therefore belong at Board level.
How is cybersecurity embedded into our strategic structure?
Cybersecurity is an enabler of the organization's overall objectives and touches every part of the organization. It must therefore be integrated into senior executive discussion and decision-making, and into organizational risk management.
Good cybersecurity is not just a matter of sufficient budget or the best technologies; it is first a human-factor topic. A healthy relationship with cybersecurity comes from top-level support, integration into the organization's culture, and building the right processes and managing them.
How do we manage security expertise and human resources?
Cyber skills are in very high demand: the cybersecurity workforce is estimated to need to grow by 65% to meet current defense needs. Organizations must take steps to ensure they can attract and retain cybersecurity expertise.
The solution involves creating internal programs to build skills in-house, listening to workforce demands in order to build an attractive employer image, and outsourcing specific functions to third parties the organization trusts and is able to monitor.
How are we building a positive cybersecurity culture?
Cybersecurity can be seen as a burden by those who have to follow the rules in their day-to-day job: it makes their tasks heavier, brings no reward, and raising a concern may look like a sure way to get into trouble. People must feel safe to raise concerns and to challenge ineffective practices.
Putting people at the heart of the strategic structure and policies enlightens them about the "why" and the "how". Focusing only on technology increases the risk of overlooking what people need in order to perform their duties securely, which generally results in dangerous, hidden shortcuts that create new cybersecurity risks.
What are our Crown Jewels?
Understanding which technical assets are key to achieving the organization's objectives is mandatory for an effective cyber risk management strategy. As with any business risk, it is impossible to mitigate every cybersecurity vulnerability, so defense has to be prioritized.
Technical experts need the support of top management and the business practices to protect the organization's essentials. They must be given suitable tools and channels for communicating their advice, and the Board must be given what it needs to take decisions.
Who are our adversaries?
Too often, when talking about cyberattacks, the "threat" is treated as an abstract technical entity. Cyber threats are people. They may be lone-wolf hackers or organized groups; they may target a precise industry segment or act opportunistically.
Understanding an organization's threats requires first understanding what is valuable in the organization. We do not all face the same criminal predation; it depends on who we are. Prioritizing defense also means screening the cyber adversaries and focusing on those that threaten the strategic structure.
How are cyber security and risk management aligned?
Because cybersecurity was born among technical teams and risk management is tied to senior management, the first is generally subordinated to the second. This is a serious mistake: risk management generally focuses on meeting compliance standards, and cyber threats do not care about compliance standards.
The most effective cyber risk management builds a minimal security baseline on industry and regulatory requirements, then uses that foundation to create cyber risk scenarios and explore the systemic consequences of cyber disruptions.
How effective are our cyber security measures?
Implementing good security measures is mandatory to meet regulatory requirements, but above all it helps the organization meet its strategic objectives and reduces the likelihood of a significant incident. You cannot avoid cyberattack attempts, but you can reduce their impact.
While building the security baseline, the security control baseline must be implemented at the same time: technical metrics aligned with the organization's objectives and missions. Recognized frameworks such as ISO 27001 or NIST SP 800-53 are a good place to start for mitigating the highest-priority risks. As the organization's needs and threats evolve, you will have to create your own controls to assess whether the defenses are still effective.
How do we collaborate with third parties?
Every organization is part of a global value chain. It may have the best security culture, but sometimes the problem comes from outside: cyberattacks on your third parties can be just as damaging as if you were the target.
Cybersecurity practice and cyber risk analysis must be included in any decision about a new strategic collaboration. Among the most critical, investing in, merging with or acquiring a third party must include a cybersecurity assessment of their network in the due diligence.
How is our cyber incident response planned?
Cyber incidents have a direct impact on an organization's budget, productivity and reputation. In times of crisis, some hierarchical layers must be set aside to ensure a seamless dialogue between technical experts and strategic decision-makers.
Being prepared, as an executive, to respond to a cyberattack helps to prevent escalating damage, reduce the financial impact and manage the operational disruption. Given the media interest in cybercrime stories, the Board must also be prepared to manage the external and internal perception of how the attack was handled, in order to preserve the organization's reputation.
Impact on reputation and operations, together with new regulation such as data privacy laws, have raised the expectations of customers, investors, regulators and the wider public when it comes to cybersecurity. It is now a mandatory feature for any organization.