Board preparedness: 7 steps to combat cybersecurity threats

In the face of security breaches, organization board members must urgently tackle real-world cyber threats. These seven steps offer crucial preparedness for companies.

It's all too common to hear of a security breach in the news. Cybercriminals are attacking and looking for ways to access sensitive data, and they can be relentless.

As companies prepare to keep their information safe, there is always the question of whether they are doing enough. In November 2023, the SEC charged SolarWinds and CISO Timothy Brown with hiding known cybersecurity risks and security failings in the period leading up to the SolarWinds supply chain attack. In 2020, SolarWinds was compromised through an Orion software update that contained malicious code named Sunburst. This attack was one of the biggest security breaches of the 21st century.

To help companies prepare for cyber threats, Cybersecurity: Seven Steps for Boards of Directors is a comprehensive guide written by a team with a deep understanding of cybersecurity. It aims to help board members navigate the complexities of the security world.

"The scope, sophistication and strategy of cyberattackers evolve more rapidly than many organizations' defense capabilities," authors Andy Brown and Helmuth Ludwig wrote, underlining how crucial security measures are for a company.

Brown and Ludwig have years of experience on both sides, combining cybersecurity expertise with service on the boards of several large companies. In seven steps, they describe how a company's top leadership can take the right actions to secure the organization.

Editor's note: This Q&A has been edited for length and clarity.

What is the premise of your book?

Book cover of 'Cybersecurity: Seven Steps for Boards of Directors.'

Helmuth Ludwig: This book is for board members by board members. Cybersecurity is becoming mission critical for more companies. It means companies are enhancing not only their internal processes but also the development of digital transformation, augmenting traditional physical products with software enhancements and incorporating data analytics to optimize these products.

Companies are also improving their internal backbones to harmonize their systems by going more into software as a service, such as offerings from Salesforce, Microsoft or Workday. Not everything runs on the company's premises, and these systems are outside the direct control of the company. Data streams and managing this data become more important, making IT mission-critical with cybersecurity.

This book is written by a team that deeply understands cybersecurity. We have a background in discussing critical IT components in the boardroom and can help translate the 'gibberish of the language' so board members can understand, which is one of the most critical elements. Even with specialists on the board, the whole board needs to be able to translate complex cyber situations into real-life business situations. I feel our book shines in this area to give everyone a true understanding of how to address critical elements of cybersecurity for the safety of the organization.

Why is cybersecurity important to the board of directors?

Helmuth Ludwig, professor of practice for strategy and entrepreneurship, Southern Methodist University

Ludwig: The board of directors has an oversight role, but they are not in the daily business, and they're not the executives. The CEO and leadership team are the executives, and the people inside the company manage the business. Now, this oversight role means they have certain fiduciary duties, which include having the right processes in place and being aware of any red flags.

The board needs to know that the company is on the right track and is prepared for any cybersecurity red flags. They need to know how management will handle these red flags.

Talk about your seven steps for corporate boards to manage cyber risks.

Andy Brown, CEO, Sand Hill East

Andy Brown: The first step is called get on board, which means engaging with the board to understand technical capabilities and processes within the business. The board needs to know what the process is for any security problem, such as a data breach. Questions should be addressed, including, "When does the board find out?" and "How do they get involved?" There needs to be a connectedness between the board and organization to set accountabilities, such as meeting with the CIO or establishing a risk committee.

The organization also needs to be aware of any breadth of risk exposure, and the executives and board should have a dialogue on this set of risks. These risks can include physical security, internal framework and external vendors.

Step 2: prioritize. Prioritizing is about understanding. Companies need to determine critical assets and how to protect them. The company needs to determine the number of exposure points and how they can reduce the risk surface area through prioritization.

Step 3: assess. This step determines a company's susceptibility to being breached. It also determines the cyber readiness and maturity level for risk programs. The assessment couples cyber risk assessment with financial impact analysis.

Step 4: understand the technology. This step involves understanding issues with legacy architecture and out-of-date servers. This also includes evaluating desktops that need to be patched. This step determines if any assets can no longer be protected due to vulnerabilities.

There are several techniques from an architectural perspective. One model is called castle and moat. This means that as soon as a company lets the drawbridge down to let someone in, a bad actor could enter the building, whether physically or through the network. This is why it's important to understand any gaps in legacy applications and architecture. The same notion applies to connecting users to applications rather than to a network, which gives them access to the entire castle.

Step 5: address nontechnology factors. This step applies to culture and mindset. Companies need to have a change program or communication explaining what is expected of employees. Discuss security issues. Educate employees about the importance of changing passwords, identifying a phishing attack, or setting limits on what sensitive information they can share, such as personally identifiable information or usernames.

Attackers will find a way to sound like someone who can be trusted and expose a company through one interaction.

Step 6: overcome obstacles. Most boards do not have cyber expertise, but they need some way to have someone with cyber knowledge on the board. Boards have brought in third-party experts as advisers.

Step 7: measure and repeat. Now it's time to reassess and go back to see how security programs are performing and if all gaps have been filled. Cybercrimes change, so organizations can never be complacent.


Amanda Hetler is a senior editor and writer for WhatIs, where she writes technology explainer articles and works with freelancers.
