Cyber from the Break Room to the Board Room
February 25, 2017
The theme for this year’s FBI National Cyber Security Awareness Month (NCSAM) is “Our Shared Responsibility”. All too often, cyber security is viewed as an “IT problem”; however, the most effective cyber security programs rely on much more than technical solutions to protect an organization’s information. In today’s environment, cyber security is truly a shared responsibility, across all people, processes and technology controls. Everyone in the organization, from the break room to the board room, has a critical role to play.
Board Room Roles
According to a recent report from Tanium & Nasdaq, only 10% of highly vulnerable board members felt that they were regularly updated on cyber security risks for their business (http://offers.tanium.com/The_Accountability_Gap_Report.html). The list of risks and concerns for a board seems endless; however, it is important to understand the proper roles for a board in managing cyber security risk:
- Prioritize – Directing management to give cyber security the appropriate attention sets the tone for the entire organization.
- Assess – Expect the organization to complete a formal assessment of cyber security risks, utilizing outside experts and following guidance from a proven risk assessment framework. (Examples: NIST 800-53 or SANS 20 Critical Controls)
- Monitor – Establish the expectation that the board will receive regular updates on cyber security risk management.
Executive management plays a critical role in establishing day-to-day priorities for an organization’s cyber security efforts. Establishing cyber security as a critical function within the organization and assigning appropriate resources (people and budget) are critical first steps for executive management. Specifically, executive management should take responsibility for the following in their cyber security risk management program:
- Organize – Assign responsibility for coordinating your cyber security efforts and build security into your day-to-day processes.
- Communicate – Act as a champion for your organization’s cyber security efforts. When staff see that executive management has made cyber security a priority, it will naturally become a priority for everyone.
- Prepare – Cyber security risk management programs are not complete if you don’t have plans in place to respond to an incident or breach in your environment.
The list of cyber security threats that target people (rather than technology) is growing. Everyone in an organization needs to do their part to reduce the risk from phishing emails, spyware, ransomware and every other threat to an organization’s critical information assets. Key strategies for reducing social engineering and staff-related risks across your organization include:
- Training – Attend all available staff training events on acceptable use of company computers and resources.
- Awareness – Pay attention to news stories about cyber-crime. Often, simply knowing about the latest attack methods can change an individual’s behavior and reduce risk.
- Confirm – Think before opening attachments or clicking on links in emails, especially when they are from unsolicited sources.
As you can see, everyone in an organization plays a critical role in the cyber security risk management strategy. Cyber security is not simply an “IT problem” and, as the NCSAM theme says, cyber security is clearly “our shared responsibility”. The best risk management programs take into account the right roles and responsibilities for everyone in your organization.