Julie Cullivan, CIO, Fire Eye
'Are we vulnerable to a cyber attack?'
This question may be top of mind for today's Board member, but it's the wrong one to ask. The conversation really needs to begin with two questions - 'How can we decrease our risk of attack?' and 'What should we have in place to manage an attack if it occurs?'
This approach better suits the cyber security environment today, because as we see time & again, breaches will happen despite the best cyber security tools. Boards need to understand that it is simply a matter of time before an attacker gets into their network. With that, they must also recognize cyber security is now an enterprise security issue, and the CIO is often the person who needs to convince them. A breach can do serious damage to an enterprise's reputation, brand, and bottom line - the sooner everyone realizes the entire organization is at risk, the better.
Board members don't need to understand all of the technology behind the defenses; it's not about training them to become engineers. But CIOs and executive staff together need to help Boards understand that there are significant issues from a cyber perspective and that today's sophisticated attackers require enterprises to be proactive rather than reactive.
CIOs and Boards - The Conversation
The idea is to determine where your enterprise is, where you want it to be, and how long it will take for you to get it there. This requires agreement on what the priorities are. When a CIO is addressing this with the Board, there are three considerations to get the conversation underway:
1. How secure do we need to be? Is it good enough just to meet the requirements that mean we're compliant, or do we need to ensure we've done all we can to keep cyber criminals from getting in and stealing PII? The answer will determine a great deal about the strategies that need to put in place. It also begs the question: without being 100% secure (which is impossible), what tradeoffs are we willing to make?
2. How can we truly measure and make decisions about risk? The CIO needs to help the Board truly understand the risk implications of a breach. Preparing for an attack is absolutely crucial, and it requires thinking through everything from remediation to loss mitigation. These aren't things to consider after you discover someone's been inside your network; they are strategic considerations that need to be dealt with beforehand.
3. What plans do we have in place? It's a matter of time before your enterprise is targeted if it hasn't already been breached - 97% of organizations have already been attacked. With that in mind, a CIO needs to have a plan ready to share with the Board.
Things to consider: Who gets called immediately (consider the security experts, the executive staff, the legal team, and the communications people); how to isolate the infected devices; what your disclosure and liability exposure is; and how to release the information to your stakeholders. Of course there are plenty of other considerations - these are just a few of them. The main thing is to think about them now, before a breach, and have a written playbook in place to make it easier after an attack.
With those questions answered, it's up to the CIO to implement a risk strategy. They certainly need to make sure that their security program aligns with what the executive team & the Board decides is appropriate for the enterprise.
That requires making sure the budget is adequate to cover the desired risk profile, which can be a huge disconnect. All too often, a CIO is expected to deliver a robust security program with a budget that can't support it. It's up to the CIO to educate the executives and the Board about the liabilities, how to measure and rate risk, and what it will take to protect the enterprise. That education needs to include a cold, hard look at the costs associated with cyber security - a difficult, but necessary, conversation to have with the organization's leadership.
As more executives begin to understand that accounting for cyber risk can't rest solely with IT and it is an enterprise-wide issue, they are better prepared to help the company prevent, detect, analyze and respond to a cyber incident. From having a communications strategy in place to an incident response plan, today's cyber landscape poses an enterprise risk that goes far beyond IT. The sooner an organization recognizes that, the better prepared it can be for the inevitable.