Corporate Cybersecurity Governance E051 2025 01 08
A Bit of Security for January 8, 2025
I had the pleasure of speaking with a group of Board of Directors members earlier this week on Cybersecurity Governance. It comes down to four basic principles. But before we get into that, I’d like to address the larger question, which is, who cares?
If you are in a public company, or if you advise a public company, you should have these measures in place. What if you are not in a public company? Consider your business’s future. Do you have an exit strategy? If you are running a lifestyle company, then carry on. But if you expect to go through an IPO or if you expect to be acquired or merged into a public company, you will receive a lower valuation by not having these measures in place.
The Board governs cybersecurity by making sure that a comprehensive information security program is in place, and by receiving regular updates on its effectiveness. When the CISO reports to the Board, the one chart he or she shows would include the current threat landscape (what are the biggest problems out there that could harm the business), the state of the enterprise’s protections and remediations, and how the budget should be most effectively deployed to maintain or improve those measures. Some level of quantification is important, but do not risk your credibility by going too far in dollarizing threat scenarios.
The kinds of questions the Board should ask the CISO include: Are we compliant with relevant laws and regulations governing our activities in all jurisdictions where we operate? What is the status of remediation of the findings and notes from our last audit, PCI DSS exam, FedRAMP initiative, business continuity exercise, or incident response plan tabletop exercise? Are you on target to complete the due diligence evaluation of the IT component of the organization we are considering acquiring? How is the morale of the incident response team in light of the recent incident? Could we schedule a review of our Consolidated Incident Response Plan in the next six months?
These questions require that the CISO work with the audit committee, the legal team, the CIO, and other units across the business. Having solid, verified plans to deal with interruptions in service, cyberattacks, and upcoming audits is part of the governance function. Think about how you would respond to those questions if you were the CISO, and what you would need to know if you were a Board member.
And that’s our Bit of Security for January 8, 2025. Be safe.
How does the Board of Directors govern cybersecurity risk? Listen to this -
Let me know what you think in the comments below or at wjmalik@noc.social
#cybersecuritytips #BoD #governance #cybersecuritygovernance #CISO #BitofSec