Uploaded bycentralohioissa
PPTX, PDF971 views

Bob West - Educating the Board of Directors

The document outlines the critical role of boards of directors in overseeing cybersecurity as a key organizational risk rather than solely an IT issue. It emphasizes the need for active engagement from directors, who should ask essential questions regarding cybersecurity frameworks, risk management, and employee awareness. Additionally, it stresses the importance of integrating security governance into enterprise-wide strategies and ensuring adequate expertise and resources for effective risk management.

Embed presentation

Downloaded 27 times
1 EducatingThe Board of Directors InfoSec Summit Central Ohio ISSA Bob West, Managing Director March 29, 2016
2 2 • Board of Directors Role • Historical Issues • Impact • CISO Role and Communication • Guiding Principles for The Board • Questions Boards of Directors Should Ask • Summary • Q&A
3 Board of Directors Role • “A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole… • It is imperative that the board not relegate the cybersecurity topic to the IT department. Directors need to take an active role in the organization’s cybersecurity or face the possibility of potential shareholder lawsuits, and even the possibility of being removed from the board. ” Cybersecurity: What the Board of Directors Needs to Ask, Institute of Internal Auditors
4 4 • Reportinglevel • Business prevention unit • Lack of clear communication • Black magic • CSO dysfunction– target on their back
5 5 • Executive teams understand business value, impact to brand and image, how their investments relate to top and bottom line growth • For Security and Risk to be effective in their roles, they need to translate security and risk into business value • Similar to a general counsel, security and risk need to come to the table as partners and counsel the business on what risks are acceptable • All other parts of an organization are measured on their performance and yet security in many instances is still considered black magic • Mature security and risk organizations need to have clear metrics to help the executive team understand whether they are performing effectively or not • A comprehensive, enterprise approach is necessary for security and risk to align with business and technology strategy • Security and risk need to be integrated into fundamental business process
6 Guiding Principles for the Board • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances. • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. • Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget. • Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
7 SixQuestions the BoardShouldAsk Does the organization use a security framework? • ISO 27001, NIST Cybersecurity Framework or 800-53 (U.S. Federal Government comprehensive framework) COBIT framework (Governance, Risk, and Control) • HIPAA or HITRUST (for health-care industry) • PCI-DSS for credit card acceptance (retail industry, finance industry) • NERC, FERC (Electric Sector)
8 SixQuestions the BoardShouldAsk What are the top five risks the organization has related to cybersecurity? • Proliferation of BYOD and smart devices • Cloud computing • Outsourcing of critical business processes to a third party (and lack of controls around third-party services) • Disaster recovery and business continuity Periodic access reviews • Log reviews • Advanced persistent threats
9 SixQuestions the BoardShouldAsk How are employees made aware of their role related to cybersecurity? • The organization should have a security awareness training program, and each employee should be required to review the training and pass the test annually. The CEO (or other top executive) must communicate the importance of safeguarding the organization’s critical assets. • Project Managers • Infrastructure administration • Developers
10 SixQuestions the BoardShouldAsk Are external and internal threats considered when planning cybersecurity program activities? • Although external incidents tend to receive more media exposure, the likelihood of an internal incident causing a major cyber incident is actually greater than the external threat.
11 SixQuestions the BoardShouldAsk How is security governance managed within the organization? • Understanding the three lines of defense as they relate to the organization is important. There can be a gray area of security governance between the CISO and internal audit. It is important for the board to understand how the governance activities of the CISO complement those of internal audit.
12 SixQuestions the BoardShouldAsk In the event of a serious breach, has management developed a robust response protocol? • Incident response program • Crisis management program • Crisis management team and their responsibilities
13 1 • Cybersecurity: What the Board of Directors Needs to Ask, Institute of Internal Auditors • National Association of Corporate Directors • Information Security Governance: Guidance for Boards of Directors and Executive Management (ISBN 1-933284-29-3)
14 Q&A Thank You! bob.west@careworkstech.com 513.328.7430 www.careworkstech.com

More Related Content

PDF
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
bycentralohioissa
 
PDF
Cybersecurity for Energy: Moving Beyond Compliance
byEnergySec
 
PPTX
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
bycentralohioissa
 
PPTX
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
bycentralohioissa
 
PDF
Deral Heiland - Fail Now So I Don't Fail Later
bycentralohioissa
 
PPTX
Tre Smith - From Decision to Implementation: Who's On First?
bycentralohioissa
 
PDF
Building Human Intelligence – Pun Intended
byEnergySec
 
PPTX
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
bycentralohioissa
 
Mark Villinski - Top 10 Tips for Educating Employees about Cybersecurity
bycentralohioissa
 
Cybersecurity for Energy: Moving Beyond Compliance
byEnergySec
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
bycentralohioissa
 
Alex Hanway - Securing the Breach: Using a Holistic Data Protection Framework
bycentralohioissa
 
Deral Heiland - Fail Now So I Don't Fail Later
bycentralohioissa
 
Tre Smith - From Decision to Implementation: Who's On First?
bycentralohioissa
 
Building Human Intelligence – Pun Intended
byEnergySec
 
Jeffrey Sweet - Third Party Risk Governance - Why? and How?
bycentralohioissa
 

What's hot

PDF
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
PDF
Enumerating your shadow it attack surface
byPriyanka Aash
 
PDF
Internal Threats: The New Sources of Attack
byMekhi Da ‘Quay Daniels
 
PPTX
New CISO - The First 90 Days
byResilient Systems
 
PPTX
Art Hathaway - Artificial Intelligence - Real Threat Prevention
bycentralohioissa
 
PPTX
Tripwire Energy Working Group Session w/Dale Peterson
byTripwire
 
PDF
NESCO Town Hall Workforce Development Presentation
byEnergySec
 
PDF
Achieving Compliance Through Security
byEnergySec
 
PPTX
Helen Patton - Cross-Industry Collaboration
bycentralohioissa
 
PDF
Ruben Melendez - Economically Justifying IT Security Initiatives
bycentralohioissa
 
PDF
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
bySouth Tyrol Free Software Conference
 
PPTX
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
bycentralohioissa
 
PDF
Incident Response: How To Prepare
byResilient Systems
 
PDF
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
byEnergySec
 
PPTX
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
bycentralohioissa
 
PDF
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
bycentralohioissa
 
PDF
"Thinking diffrent" about your information security strategy
byJason Clark
 
PPTX
Jake Williams - Navigating the FDA Recommendations on Medical Device Security...
bycentralohioissa
 
Craft Your Cyber Incident Response Plan (Before It's Too Late)
byResilient Systems
 
Enumerating your shadow it attack surface
byPriyanka Aash
 
Internal Threats: The New Sources of Attack
byMekhi Da ‘Quay Daniels
 
New CISO - The First 90 Days
byResilient Systems
 
Art Hathaway - Artificial Intelligence - Real Threat Prevention
bycentralohioissa
 
Tripwire Energy Working Group Session w/Dale Peterson
byTripwire
 
NESCO Town Hall Workforce Development Presentation
byEnergySec
 
Achieving Compliance Through Security
byEnergySec
 
Helen Patton - Cross-Industry Collaboration
bycentralohioissa
 
Ruben Melendez - Economically Justifying IT Security Initiatives
bycentralohioissa
 
SFScon 21 - Matteo Falsetti - Cybersecurity Management in the Supply Chain
bySouth Tyrol Free Software Conference
 
Gabriel Gumbs - A Capability Maturity Model for Sustainable Data Loss Protection
bycentralohioissa
 
Incident Response: How To Prepare
byResilient Systems
 
How to Build Your Own Cyber Security Framework using a Balanced Scorecard
byEnergySec
 
Steven Keil - BYODAWSCYW (Bring Your Own Device And Whatever Security Control...
bycentralohioissa
 
Oliver Schuermann - Integrated Software in Networking - the Mystery of SDN
bycentralohioissa
 
"Thinking diffrent" about your information security strategy
byJason Clark
 
Jake Williams - Navigating the FDA Recommendations on Medical Device Security...
bycentralohioissa
 

Viewers also liked

PDF
Cybersecurity in the Boardroom
byMarko Suswanto
 
PDF
Cyber security: Five leadership issues worthy of board and executive attention
byRamón Gómez de Olea y Bustinza
 
PPTX
RSA 2017 - CISO's 5 steps to Success
byGary Hayslip CISSP, CISA, CRISC, CCSK
 
PPTX
CRI Cyber Board Briefing
byOCTF Industry Engagement
 
PPSX
Board and Cyber Security
byLeon Fouche
 
PDF
7 cyber security questions for boards
byPaul McGillicuddy
 
PPTX
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
PDF
Websense
byCMR WORLD TECH
 
PDF
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
PDF
What CIOs Need To Tell Their Boards About Cyber Security
byKaryl Scott
 
PPTX
Cyber risk tips for boards and executive teams
byWynyard Group
 
PDF
10 Rules for Vendors - an Overview
byGary Hayslip CISSP, CISA, CRISC, CCSK
 
PDF
Bank Director List of Worries
byBank Director
 
PDF
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
byShawn Tuma
 
PDF
TSB Metadata CADI2 Briefing 24_march_v2
byCreative Industries KTN
 
PDF
Cybersecurity Issues All Lawyers Should Know -- Especially Litigators
byShawn Tuma
 
PPTX
Ed Rios - New ncc brief
byTrish McGinity, CCSK
 
PPTX
EISS Cybersecurity Briefing
byEnergySec
 
KEY
Tech briefing may 2011
bydking
 
PDF
LoR Hollywood & Vine
byBrian Moore
 
Cybersecurity in the Boardroom
byMarko Suswanto
 
Cyber security: Five leadership issues worthy of board and executive attention
byRamón Gómez de Olea y Bustinza
 
RSA 2017 - CISO's 5 steps to Success
byGary Hayslip CISSP, CISA, CRISC, CCSK
 
CRI Cyber Board Briefing
byOCTF Industry Engagement
 
Board and Cyber Security
byLeon Fouche
 
7 cyber security questions for boards
byPaul McGillicuddy
 
Cybersecurity for Board of Directors - CIO Perspectives Atlanta 2015
byPhil Agcaoili
 
Websense
byCMR WORLD TECH
 
Cybersecurity Goverence for Boards of Directors
byPaul Feldman
 
What CIOs Need To Tell Their Boards About Cyber Security
byKaryl Scott
 
Cyber risk tips for boards and executive teams
byWynyard Group
 
10 Rules for Vendors - an Overview
byGary Hayslip CISSP, CISA, CRISC, CCSK
 
Bank Director List of Worries
byBank Director
 
Leadership: Legal Counsel's Role in Guiding Through Cybersecurity and Data Loss
byShawn Tuma
 
TSB Metadata CADI2 Briefing 24_march_v2
byCreative Industries KTN
 
Cybersecurity Issues All Lawyers Should Know -- Especially Litigators
byShawn Tuma
 
Ed Rios - New ncc brief
byTrish McGinity, CCSK
 
EISS Cybersecurity Briefing
byEnergySec
 
Tech briefing may 2011
bydking
 
LoR Hollywood & Vine
byBrian Moore
 

Similar to Bob West - Educating the Board of Directors

PDF
Top Cybersecurity Concerns from Boards & Directors (Mid-2025)
byCybernetic Global Intelligence
 
PPTX
Balbix-New-CISO-Board-Deck.pptx
byjjvdneut
 
PDF
Leveraging Board Governance for Cybersecurity
byShareDocView.com
 
PPTX
How to present information security risks to Board)
byEduardoCostaVianna
 
PDF
Fdic ffiec cyber_security_assessments
byKen M. Shaurette
 
PDF
NACD Directorship Article - Cyber July:Aug 2015 published
byPrista Corporation
 
PDF
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
PDF
K Royal, JD, PhD for Top Cyber News MAGAZINE May 2025
byDr. Ludmila Morozova-Buss
 
PDF
A CIRO's-eye view of Digital Risk Management
byDaren Dunkel
 
PDF
For Corporate Boards, a Cyber Security Top 10
byDavid X Martin
 
PDF
10 Questions for the C-Suite in Assessing Cyber Risk
byMark Gibson
 
PDF
IREC165473PR RP 2017 Security Outlook
byChris Cornillie
 
PDF
Item46763
bymadunix
 
PDF
speaking-to-board-securiity-whitepaper
byBilha Diaz
 
PDF
Norman Broadbent Cybersecurity Report - How should boards respond
byLydia Shepherd
 
PDF
4th Digital Finance Forum, Simon Brady
byStarttech Ventures
 
PDF
Security Strategies for Success
byCitrix
 
PDF
Ask the Experts final
byDaren Dunkel
 
DOCX
Guidance for Boards of Directorsand Executive Manageme.docx
bywhittemorelucilla
 
PDF
Primer on cybersecurity for boards of directors
byDavid X Martin
 
Top Cybersecurity Concerns from Boards & Directors (Mid-2025)
byCybernetic Global Intelligence
 
Balbix-New-CISO-Board-Deck.pptx
byjjvdneut
 
Leveraging Board Governance for Cybersecurity
byShareDocView.com
 
How to present information security risks to Board)
byEduardoCostaVianna
 
Fdic ffiec cyber_security_assessments
byKen M. Shaurette
 
NACD Directorship Article - Cyber July:Aug 2015 published
byPrista Corporation
 
Improving Cyber Security Literacy in Boards & Executives
byTripwire
 
K Royal, JD, PhD for Top Cyber News MAGAZINE May 2025
byDr. Ludmila Morozova-Buss
 
A CIRO's-eye view of Digital Risk Management
byDaren Dunkel
 
For Corporate Boards, a Cyber Security Top 10
byDavid X Martin
 
10 Questions for the C-Suite in Assessing Cyber Risk
byMark Gibson
 
IREC165473PR RP 2017 Security Outlook
byChris Cornillie
 
Item46763
bymadunix
 
speaking-to-board-securiity-whitepaper
byBilha Diaz
 
Norman Broadbent Cybersecurity Report - How should boards respond
byLydia Shepherd
 
4th Digital Finance Forum, Simon Brady
byStarttech Ventures
 
Security Strategies for Success
byCitrix
 
Ask the Experts final
byDaren Dunkel
 
Guidance for Boards of Directorsand Executive Manageme.docx
bywhittemorelucilla
 
Primer on cybersecurity for boards of directors
byDavid X Martin
 

More from centralohioissa

PPTX
Jack Nichelson - Information Security Metrics - Practical Security Metrics
bycentralohioissa
 
PPTX
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing...
bycentralohioissa
 
PPTX
Jim Wojno: Incident Response - No Pain, No Gain!
bycentralohioissa
 
PDF
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
bycentralohioissa
 
PPTX
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
bycentralohioissa
 
PPTX
Mike Spaulding - Building an Application Security Program
bycentralohioissa
 
PDF
Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
bycentralohioissa
 
PDF
Ofer Maor - Security Automation in the SDLC - Real World Cases
bycentralohioissa
 
PPTX
Sam Herath - Six Critical Criteria for Cloud Workload Security
bycentralohioissa
 
PDF
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 
PPTX
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
bycentralohioissa
 
PPTX
Ed McCabe - Putting the Intelligence back in Threat Intelligence
bycentralohioissa
 
PPTX
Jason Samide - State of Security & 2016 Predictions
bycentralohioissa
 
PPTX
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
bycentralohioissa
 
PPTX
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
bycentralohioissa
 
PDF
Rafeeq Rehman - Breaking the Phishing Attack Chain
bycentralohioissa
 
PPTX
Justin Harvey - Apple vs DOJ: Privacy in Today's Enterprise
bycentralohioissa
 
PPTX
Jim Libersky: Cyber Security - Super Bowl 50
bycentralohioissa
 
PPTX
Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ...
bycentralohioissa
 
PPTX
Sean Whalen - How to Hack a Hospital
bycentralohioissa
 
Jack Nichelson - Information Security Metrics - Practical Security Metrics
bycentralohioissa
 
Jessica Hebenstreit - Don't Try This At Home! (Things Not To Do When Securing...
bycentralohioissa
 
Jim Wojno: Incident Response - No Pain, No Gain!
bycentralohioissa
 
Gary Sheehan - Winning a Battle Doesn't Mean We Are Winning the War
bycentralohioissa
 
Dino Tsibouris & Mehmet Munur - Legal Perspective on Data Security for 2016
bycentralohioissa
 
Mike Spaulding - Building an Application Security Program
bycentralohioissa
 
Carolyn Engstrom - IT Data Analytics: Why the Cobbler's Children Have No Shoes
bycentralohioissa
 
Ofer Maor - Security Automation in the SDLC - Real World Cases
bycentralohioissa
 
Sam Herath - Six Critical Criteria for Cloud Workload Security
bycentralohioissa
 
Robert Hurlbut - Threat Modeling for Secure Software Design
bycentralohioissa
 
Kevin Glavin - Continuous Integration, Continuous Delivery, and Deployment (C...
bycentralohioissa
 
Ed McCabe - Putting the Intelligence back in Threat Intelligence
bycentralohioissa
 
Jason Samide - State of Security & 2016 Predictions
bycentralohioissa
 
Valerie Thomas - All Your Door Belong to Me - Attacking Physical Access Systems
bycentralohioissa
 
Harry Regan - Disaster Recovery and Business Continuity - "It's never so bad ...
bycentralohioissa
 
Rafeeq Rehman - Breaking the Phishing Attack Chain
bycentralohioissa
 
Justin Harvey - Apple vs DOJ: Privacy in Today's Enterprise
bycentralohioissa
 
Jim Libersky: Cyber Security - Super Bowl 50
bycentralohioissa
 
Michael Woolard - Gamify Awareness Training: Failure to engage is failure to ...
bycentralohioissa
 
Sean Whalen - How to Hack a Hospital
bycentralohioissa
 

Recently uploaded

PDF
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
PPTX
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
PPTX
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PPTX
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
PDF
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
PDF
What Is a Private LLM and Why Enterprises Need It
byAivada
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PPTX
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
PPTX
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PDF
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
Security Forum Sessions from Houston 2025 Event
byMark Simos
 
Why Most GenAI Projects Fail to Scale and How to Become One of the Success St...
byEarley Information Science
 
UiPath Autonomous Agents | Building and Orchestrating Agents End-to-End
byUiPathCommunity
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Top _HR Technology Trends _for 2026_.pptx
byAutomationEdge Technologies
 
Access Control 2025: From Security Silo to Software-Defined Ecosystem
byMemoori
 
What Is a Private LLM and Why Enterprises Need It
byAivada
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
The State of the Gen AI economy - 2025 - The Meliora Company
byClive Dickens
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Session 2 - Solving Unstructured & Complex Documents with UiPath IXP
byDianaGray10
 
API-First Architecture in Financial Systems
bycyy111112
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
Our Digital Tribe_ Cultivating Connection and Growth in Our Slack Community 🌿...
bysanjeetmishra30
 
Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]
byUiPathCommunity
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
AI Powered Document Processing and Data Extraction
byRobert McDermott
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 

Bob West - Educating the Board of Directors

  • 1.
    1 EducatingThe Board ofDirectors InfoSec Summit Central Ohio ISSA Bob West, Managing Director March 29, 2016
  • 2.
    2 2 • Board ofDirectors Role • Historical Issues • Impact • CISO Role and Communication • Guiding Principles for The Board • Questions Boards of Directors Should Ask • Summary • Q&A
  • 3.
    3 Board of DirectorsRole • “A primary responsibility of every board of directors is to secure the future of the organization. The very survival of the organization depends on the ability of the board and management not only to cope with future events but to anticipate the impact those events will have on both the company and the industry as a whole… • It is imperative that the board not relegate the cybersecurity topic to the IT department. Directors need to take an active role in the organization’s cybersecurity or face the possibility of potential shareholder lawsuits, and even the possibility of being removed from the board. ” Cybersecurity: What the Board of Directors Needs to Ask, Institute of Internal Auditors
  • 4.
    4 4 • Reportinglevel • Businessprevention unit • Lack of clear communication • Black magic • CSO dysfunction– target on their back
  • 5.
    5 5 • Executive teamsunderstand business value, impact to brand and image, how their investments relate to top and bottom line growth • For Security and Risk to be effective in their roles, they need to translate security and risk into business value • Similar to a general counsel, security and risk need to come to the table as partners and counsel the business on what risks are acceptable • All other parts of an organization are measured on their performance and yet security in many instances is still considered black magic • Mature security and risk organizations need to have clear metrics to help the executive team understand whether they are performing effectively or not • A comprehensive, enterprise approach is necessary for security and risk to align with business and technology strategy • Security and risk need to be integrated into fundamental business process
  • 6.
    6 Guiding Principles forthe Board • Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue. • Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances. • Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on the board meeting agenda. • Directors should set the expectation that management will establish an enterprise-wide risk management framework with adequate staffing and budget. • Board-management discussion of cyber risk should include identification of which risks to avoid, accept, mitigate, or transfer through insurance, as well as specific plans associated with each approach.
  • 7.
    7 SixQuestions the BoardShouldAsk Doesthe organization use a security framework? • ISO 27001, NIST Cybersecurity Framework or 800-53 (U.S. Federal Government comprehensive framework) COBIT framework (Governance, Risk, and Control) • HIPAA or HITRUST (for health-care industry) • PCI-DSS for credit card acceptance (retail industry, finance industry) • NERC, FERC (Electric Sector)
  • 8.
    8 SixQuestions the BoardShouldAsk Whatare the top five risks the organization has related to cybersecurity? • Proliferation of BYOD and smart devices • Cloud computing • Outsourcing of critical business processes to a third party (and lack of controls around third-party services) • Disaster recovery and business continuity Periodic access reviews • Log reviews • Advanced persistent threats
  • 9.
    9 SixQuestions the BoardShouldAsk Howare employees made aware of their role related to cybersecurity? • The organization should have a security awareness training program, and each employee should be required to review the training and pass the test annually. The CEO (or other top executive) must communicate the importance of safeguarding the organization’s critical assets. • Project Managers • Infrastructure administration • Developers
  • 10.
    10 SixQuestions the BoardShouldAsk Areexternal and internal threats considered when planning cybersecurity program activities? • Although external incidents tend to receive more media exposure, the likelihood of an internal incident causing a major cyber incident is actually greater than the external threat.
  • 11.
    11 SixQuestions the BoardShouldAsk Howis security governance managed within the organization? • Understanding the three lines of defense as they relate to the organization is important. There can be a gray area of security governance between the CISO and internal audit. It is important for the board to understand how the governance activities of the CISO complement those of internal audit.
  • 12.
    12 SixQuestions the BoardShouldAsk Inthe event of a serious breach, has management developed a robust response protocol? • Incident response program • Crisis management program • Crisis management team and their responsibilities
  • 13.
    13 1 • Cybersecurity: Whatthe Board of Directors Needs to Ask, Institute of Internal Auditors • National Association of Corporate Directors • Information Security Governance: Guidance for Boards of Directors and Executive Management (ISBN 1-933284-29-3)
  • 14.