Responsibilities can be divided into three categories: pre-breach (normal operations); breach-response (crisis) mode; and post-breach-response ongoing activities. Initially, boards and corporate executives must get up to speed and understand the challenges, establish the acceptable risk parameters and play an ongoing role in security governance.
Continued attention must be part of monthly and quarterly meetings. Signing off on or just deferring decisions without really understanding the business impacts to these decisions should be considered unacceptable.
IT security executives should work with appropriate parties to collect, analyze and share incident data so defenses and detection can be enhanced. Business and IT executives should also recognize that cybersecurity isnt just about technology, because the weakest links are people and processes. These gaps should be aggressively pursued and the problems regularly communicated across the organization. Lastly, a crisis-management plan should be put in place as a contingency.
Should a breach occur, its imperative that the owner/CEO (preferably) or a very high-level executive that can be viewed as the face of the company get in front of the problem and provide customers assurance that all efforts are being undertaken to resolve the problems, including making customers whole. The details of what should be relayed to customers, employees and stakeholders, and how and when it should be disseminated, should come from the crisis-management plan. A well-executed plan can safeguard the company’s image, retain customer loyalty and protect the company’s finances.
The difference between the post-breach response ongoing activities and the pre-breach cycle is that the company is now far more aware of risk exposures and this heightened awareness tends to influence activities and decision making. This is a good thing, but its unfortunate that firms (or key executives) have to go through the wringer before they make cybersecurity a priority.
Getting Ahead of the Issue
Small business owners, board members and corporate executives share the fiduciary burden and accountability for protecting company assets, even if the responsibility is delegated to IT or an outside provider. Today, these executives remain behind the curve in protecting, exfiltrating, discovering, and containing cybersecurity attacks and data breaches. Unfortunately, the frequency and variety of attacks and attack vectors will only increase year-over-year.
All must be aware of the changing challenges, establish and maintain acceptable risk parameters, and play an ongoing role in security governance. IT security executives should work with appropriate parties to collect, analyze, and share incident data so that defenses and detection can be enhanced.
Executives should identify low-hanging initiatives that can be quickly executed, such as improved password requirements, password-change frequency, two-factor authentication, and rapid deactivation of access (cyber and physical) to terminated contractors and employees. Encryption of data at rest and in transit should also be evaluated.
Cybersecurity isnt a technology issue; its a matter of business survival that puts the onus on the board and corporate executives.
Other articles by Cal: