arthead - stock.adobe.com
It's all too common to hear of a security breach in the news. Cybercriminals are attacking and looking for ways to access sensitive data, and they can be relentless.
As companies prepare to keep their information safe, there is always the question of whether they are doing enough. In November 2023, the SEC charged SolarWinds and CISO Timothy Brown for hiding known cybersecurity risks and security failings leading up to the SolarWinds supply chain attack. In 2020, SolarWinds was compromised through an Orion software update containing malicious code named Sunburst. This attack was one of the biggest security breaches in the 21st century.
To help companies prepare for cyber threats, Cybersecurity: Seven Steps for Boards of Directors, is a comprehensive guide written by a team with a deep understanding of cybersecurity, aiming to help board members navigate the complexities of the security world.
"The scope, sophistication and strategy of cyberattackers evolve more rapidly than many organizations' defense capabilities," Authors Andy Brown and Helmuth Ludwig wrote, showing just how crucial security measures are for a company.
Brown and Helmuth have years of experience on both sides, with expertise in cybersecurity protection and experience on several boards for large companies. They discuss how a company can take the right steps at the top leadership positions for a company's security in seven crucial steps.
Editor's note: This Q&A has been edited for length and clarity.
What is the premise of your book?
Helmuth Ludwig: This book is for board members by board members. Cybersecurity is becoming mission critical for more companies. It means companies are enhancing not only their internal processes but also the development of digital transformation, augmenting traditional physical products with software enhancements and incorporating data analytics to optimize these products.
Companies are also improving their internal backbones to harmonize their systems by going more into software as a service, such as offerings from Salesforce, Microsoft or Workday. Not everything runs on the company's premises, and these systems are outside the direct control of the company. Data streams and managing this data become more important, making IT mission-critical with cybersecurity.
This book is written by a team that deeply understands cybersecurity. We have background discussing critical IT components in the boardroom and can help translate the 'gibberish of the language' so board members can understand, which is one of the most critical elements. Even with specialists on the board, the whole board needs to be able to translate complex cyber situations into real-life business situations. I feel our book shines in this area to give everyone a true understanding of how to address critical elements of cybersecurity for the safety of the organization.
Why is cybersecurity important to the board of directors?
Ludwig: The board of directors has an oversight role, but they are not in the daily business, and they're not the executives. The CEO and leadership team are the executives, and the people inside the company manage the business. Now this oversight role includes that they have certain fiduciary duties, which includes having the right processes in place and being aware of any red flags.
The board needs to know that the company is on the right track and is prepared for any cybersecurity red flags. They need to know how management will handle these red flags.
Talk about your seven steps for corporate boards to manage cyber risks.
Andy Brown: The first step is called get on board, which means engaging with the board to understand technical capabilities and processes within the business. The board needs to know what the process is for any security problem, such as a data breach. Questions should be addressed, including, "When does the board find out?" and "How do they get involved?" There needs to be a connectedness between the board and organization to set accountabilities, such as meeting with the CIO or establishing a risk committee.
The organization also needs to be aware of any breadth of risk exposure, and the executives and board should have a dialogue on this set of risks. These risks can include physical security, internal framework and external vendors.
Step 2: prioritize. Prioritizing is about understanding. Companies need to determine critical assets and how to protect them. The company needs to determine the number of exposure points and how they can reduce the risk surface area through prioritization.
Step 3: assess. This step determines a company's susceptibility to being breached. It also determines the cyber readiness and maturity level for risk programs. The assessment couples cyber risk assessment with financial impact analysis.
Step 4: understand the technology. This step involves understanding issues with legal architecture and out-of-date servers. This also includes evaluating desktops that need to be patched. This step determines if any assets can no longer be protected due to vulnerabilities.
There are several techniques from an architectural perspective. One model is called castle and moat. This means as soon as a company lets the drawbridge down to let someone in, there could be a bad actor entering the building, which can be physically or through the network. This is why it's important to understand any gaps in legacy applications and architecture. The same notion applies to connecting users to applications versus a network, which gives them access to the entire castle.
Step 5: address nontechnology factors. This step applies to culture and mindset. Companies need to have a change program or communication explaining employees' expectations. Discuss security issues. Educate employees about the importance of changing passwords, identifying a phishing attack or setting limits on what information they can share with sensitive information, such as personally identifiable information or usernames.
Attackers will find a way to sound like someone who can be trusted and expose a company through one interaction.
Step 6: overcome obstacles. Most boards do not have cyber expertise, but they need some way to have someone with cyber knowledge on the board. Boards have brought in third-party experts as advisers.
Step 7: measure and repeat. Now it's time to reassess and go back to see how security programs are performing and if all gaps have been filled. Cybercrimes change, so organizations can never be complacent.
Learn more about why software updates are important.
Amanda Hetler is a senior editor and writer for WhatIs, where she writes technology explainer articles and works with freelancers.