To protect their organizations, chief executive officers (CEOs) and boards of directors need to have a clear understanding of cybersecurity, its underlying risks, and the best ways to respond to cyber threats. Without a proper understanding of risk, organizational leaders may not take the appropriate actions, resulting in greater risk to the entire organization.
In today’s world, more than just the chief information security officer (CISO) needs to be involved in cybersecurity conversations. CEOs and boards of directors should be involved in security-related discussions, as well as in the decisions that are made to protect the organization. It is your responsibility to make sure appropriate and accurate information is communicated.
This article provides key concepts to help guide leadership discussions about cybersecurity.
Communicate Cybersecurity Concepts Throughout the Organization
Chief Operating Officers (COOs), Chief Information Officers (CIOs), CISOs, Vice Presidents (VPs), Directors, and Senior Managers all need to communicate about cybersecurity. Conversations should be held with information technology and security leadership within the organization. The proactive steps that an organization takes could prevent it from becoming the next victim of a devastating cyberattack.
Leadership Awareness Is Key
Is leadership aware of cybersecurity including organizational risks, threats, and potential business impact?
CEOs and CISOs need full situational awareness when it comes to cybersecurity, including organizational risk, threats, vulnerabilities, and potential business impact. CEOs and boards of directors should be required to review cybersecurity risks, and the information that you provide them is extremely important.
Drive Cybersecurity From a Top-Down Approach
Cybersecurity awareness needs to be driven from a top-down approach and should have leadership support across the entire organization. All levels of management need to drive security awareness. It should not solely be one security manager’s responsibility to change employee behavior for the entire organization. Leadership-driven security awareness programs can be more effective and can help build a security-first culture across the entire organization.
Third-Party Phishing Assessments Should Be Required
Third-party phishing assessments can provide the organization with unbiased testing and reporting to reveal the true organizational risk. Phishing campaigns run by internal security teams can often be influenced by inside knowledge or by requests from leadership, resulting in ineffective scenarios and inaccurate metrics.
Implement a Security Operations Center (SOC)
Consider a security operations center (SOC) that can provide leadership with real-time data on security events. Ensure the organization has proper monitoring and detection capabilities in place. If monitoring and detection solutions are not in place, invest in monitoring and detection tools. Make sure that the monitoring and detection tools are properly implemented, configured, and tested.
Compliance Is Not a Replacement for Cybersecurity
Your organization probably has a compliance program that ensures the organization passes regulatory audits. Leadership often confuses being compliant with being protected. Compliance is not a replacement for cybersecurity.
Store Data Securely
Storing more information than you need and storing data for longer than you need could result in higher risk. Determine if you are storing data securely and ask the following questions.
- Are you storing more information than you should?
- Are you storing information for longer than you should?
- Is the information stored securely?
- Is the information encrypted at rest?
- Is the information segmented off from other areas of the network?
Require Vulnerability Scanning & Vulnerability Assessments
Require routine vulnerability scans to be performed. Consider weekly and/or monthly vulnerability scans to proactively identify vulnerabilities. Vulnerability assessments may help you determine which vulnerabilities pose a higher risk to the organization. This type of assessment could help direct your focus and remediation efforts.
Require Penetration Testing from a Third-Party
Verify that routine penetration testing is being performed to identify potential security vulnerabilities. Annual penetration tests are not enough. Monthly or quarterly penetration tests, along with weekly or monthly vulnerability scanning, can be much more effective at improving your overall security posture.
Include External Penetration Testing & Web Application Penetration Testing
We often see companies state that they already require penetration tests to be performed. Then we find out that the penetration tests being performed only focus on one area, such as the internal network, and completely miss testing the external network, web applications, mobile applications, wireless network, physical security, employee awareness, and more. While testing the internal network is extremely important, other areas, including the external network, web applications, and social engineering, could be argued to be just as important, if not more important, to test.
Free Consultation with Central InfoSec
Central InfoSec specializes in a variety of professional security services to help you test, measure, and improve your overall security posture. Security services offered include red teaming, penetration testing, vulnerability assessments, web application testing, managed phishing, and other tailored security services to help you reduce risk to your organization.