Breach Detection and Response: A Board Director’s Guide to Cybersecurity Governance
Understanding the Breach Landscape
As noted in a previous article, board directors must first understand their organization’s cybersecurity threat landscape. Cyberattacks come in various forms, from sophisticated nation-state-sponsored attacks to common phishing scams. Knowing the types of threats your organization faces allows you to make informed decisions.
The Role of Penetration Tests
Penetration tests, also known as pen tests or ethical hacking, are valuable tools for evaluating your organization’s defenses. These tests involve simulating cyberattacks to uncover weaknesses in your systems. They should be conducted regularly and focus on identifying vulnerabilities resulting from system configurations, hardware or software flaws, and operational blind spots.
Board directors should designate internal teams to perform ethical hacking on a regular basis. This approach allows for quicker detection of breaches by internal staff and for cost savings compared to hiring external resources. However, when internal resources are insufficient, the board might consider engaging an independent cybersecurity company or the cybersecurity units at major accounting firms. Keep in mind that there is a risk associated with third-party vendors that needs to be managed.
The Role of Security Ratings
After a penetration test, your organization can benefit from obtaining a security rating or cybersecurity rating. Security ratings are objective, data-driven measurements of your organization’s cybersecurity performance. They provide insight into your cybersecurity practices, which can be invaluable for assessing cyber risk.
Security ratings work similarly to credit ratings, offering a quantifiable measure of your organization’s cybersecurity performance. They assess factors such as cyber incident response time, breach impact mitigation, system restoration time, and data recovery time. By benchmarking your organization’s performance against peers and industry averages, board directors can gain a better understanding of your breach detection and vulnerability response capabilities.
Assessment Tools from Regulators
Many regulatory bodies have collaborated with industries to develop cyber-risk assessment frameworks. For instance, in the United States, the Federal Financial Institutions Examination Council (FFIEC) developed the Cybersecurity Assessment Tool to help institutions identify their risks and determine their preparedness.
The FFIEC Cybersecurity Assessment Tool classifies cybersecurity maturity into five levels, ranging from baseline to innovative. By leveraging these standardized tools, board directors not only support their organizations in self-assessment, but also gain insight into regulators’ expectations.
Assessing Cybersecurity Governance
Board directors play a crucial role in evaluating their organization’s capacity to detect cyber vulnerabilities and breaches. Here are key questions to consider:
- Cybersecurity Maturity: Where does your organization rank when using a tool like the FFIEC Cybersecurity Assessment Tool?
- Vulnerability Awareness: How vulnerable is your industry, and at what point would your organization recognize that it’s under attack?
- Penetration Test Results: How did your organization perform in the last penetration test? How often does your board authorize these tests?
- Resource Allocation: How does management allocate resources for breach and vulnerability detection?
- External Assessments: Do you hire external vendors for cybersecurity rating and regulator assessment tools? How does your cybersecurity score compare with peers and industry averages?
- Risk Awareness: Is your board aware of the risks associated with hiring external vendors, and do you have proper mitigation policies in place?
The Board’s Role in Breach Detection and Response
Your organization’s ability to detect a cyber incident promptly and respond effectively can significantly affect that incident’s outcome.
In the next article, we will examine various aspects of cyber response, including risk appetite, escalation of communication, damage recovery, loss mitigation, and tabletop exercises. By understanding and actively participating in these areas, board directors can ensure their organizations are well-prepared to face the challenges of today’s cyber landscape.
Larry Quinlan