It is not the mountain we conquer but ourselves.
– Edmund Hillary
Ferdinand Magellan. Marco Polo. Leif Ericson. Sir Francis Drake. Vasco de Gama. Roald Amundsen. Christopher Columbus. Thor Heyerdahl. Dora. Intrepid souls one and all. Their insatiable quest to explore the unknown enriched the world and carved their places in history. They exhibited a particular behavior characteristic that will serve executives well in learning about the cyber world. They demanded to know more about the mysteries of the world and they spent the time and effort necessary to learn.
The same ethic will well serve executives with oversight responsibility for cybersecurity. There are five core areas executives with oversight responsibility for cybersecurity practices need to explore.
The first is Risk Identification and Assessment. Every institution should have a process in place for identifying threats to data or information systems, in order to calculate the likelihood of the occurrence of the threat and to identify internal vulnerabilities. A risk assessment should include the classification of critical information assets, as well as identifying threats and vulnerabilities. The process should include the initial assessment of threats; identifying and prioritizing the closing of gaps in current policies, plans, procedures, and controls; and updating and testing plans, procedures, and controls on a recurring basis.
The second core cybersecurity function is Asset and Data Protection — working to ensure your business has the appropriate safeguards or controls in place to defend against and mitigate the damage from the various threats to your company. Here you need to inventory all the devices on your network and look at how your data is protected including assessing access control measures, data encryption, and employee education.
The third core function is Intrusion Detection Measures. Business systems are under continuing attack as cyber threats probe for weaknesses and seek to identify and exploit vulnerabilities that they find. Businesses must not only employ tools that prevent or limit unauthorized access to computer networks, systems, or information, but quickly identify intrusions so that damage can be contained. Do you know what you are using to detect anomalies? Are intrusions regularly reported and used in incident response planning?
Next is Response Planning. It is a virtual certainty that at some point a business will be breached and its data will be compromised. How effectively it responds to the breach will directly affect the amount of damage it suffers. Therefore, an incident response plan is a critical element of cybersecurity preparation. So, do you have a multi-disciplinary incident response team in place? Have you created an incident response plan? Used it or practiced it? Trained people in their response roles?
Finally, in a bit of a catch-all, there is Post-incident Recovery and Review. If you have a business continuity plan (and you should), ask how it contemplates recovering from a data breach. What mechanical processes exist to restore data, rebuild servers, databases, devices? Do you have procedures for restoring confidence in your recovered systems and data? Can you assure customers of your reliability? And, if you had an incident, have you reviewed your response and adjusted your plans and procedures based on what you learned?
The cyber world is wild and wooly. There is much to be learned and it changes rapidly. You can be forgiven for not knowing that world intimately. But the mistake that cannot be forgiven is failing to explore what your own business is doing to protect itself.
By Tom Davis, SDI Cyber Risk Practice
January 19, 2016