In response to the rapidly evolving threat landscape, Boards of Directors (BoDs) and executives are now more aware of today’s cyber threats and how they might adversely affect their business. However, most executives are nonetheless limited in their knowledge of security and do not know what to ask their security teams.
It is therefore up to security professionals to help their executives become more cyber security literate and thereby assist in framing security considerations as an integral part of any risk/opportunity discussion, as well as a wider enterprise risk management strategy.
Acknowledging this responsibility on the part of information security personnel, Tripwire has asked a number of prominent experts in the field how security teams can improve their executives’ cyber security literacy.
3. “Rather than thinking of cyber as something discussed in case of a breach, we need to locate the cyber security issues within the business decisions boards make: mergers, acquisitions, product launches etc. Cyber should be intrinsic to business decisions just as legal and financial issues are.”
LARRY CLINTON, PRESIDENT, CEO, INTERNET SECURITY ALLIANCE
@ISALLIANCE
4. “If you can tie it back to that breach they already know about, give them a little bit of the inside scoop, and say ‘yes, we know how that happened, and that incident points out just how important this one security control is.’”
DAVID MELTZER, CHIEF RESEARCH OFFICER, TRIPWIRE
@DAVIDJMELTZER
5. “Getting senior level representation from the information security function into the board and executive level of an organisation itself is a more effective way for them to understand cyber security much as they understand the other functions of the business.”
THOM LANGFORD, DIRECTOR, GLOBAL SECURITY, SAPIENT
@THOMLANGFORD
6. “Seek out peer comparison, maturity assessments and real world examples to answer this question in as pragmatic a manner as possible; tie your answers to established business metrics and show how your function not only protects their investment but builds value, too.”
ANDREW ROSE, CISO, UK AIR TRAFFIC
@ANDYROSECISO
7. “A shake-up is overdue. Shrug off the trivial or tick box image of awareness. I suggest a new role: Security Communications Manager. Tasked with improving stakeholder interactions from shop floor to boardroom. Using proven marketing and psychology tools to get it right.”
SARAH CLARKE, SECURITY GOVERNANCE, RISK & COMPLIANCE SPECIALIST
@S_CLARKE22
9. “The impact of a serious incident depends not just on how a company handles it, but on how the media, customers and investors react to it, as well.”
ADRIAN SANABRIA, SECURITY ANALYST, 451 RESEARCH
@SAWABA
10. “Start with focus groups or surveys with your customers. Your customers will tell you their pain points and that can help the Board and Executives best assess where to start first.”
THERESA PAYTON, CEO, FORTALICE
@FORTALICELLC
11. “Breaches come in all sorts of shapes and sizes, but individual breaches usually aren’t catastrophic based on immediate cash losses. Where breaches are catastrophic, it is because of reputation damage.”
ALEX HUTTON, VP INFORMATION SECURITY, FINANCIAL INSTITUTION
@ALEXHUTTON
12. “Ask the Corporate CIRT Director for the annual security incident impact statement. The statement details the security incidents, their costs and impact to the organization.”
BEN ROTHKE, MANAGER, IT SECURITY, WYNDHAM WORLDWIDE
@BENROTHKE
13. “The effective assessment of a security incident begins long before any such event ever occurs. Empowered to make an initial assessment, the team will be able to work through a pre-prepared incident response plan that the board and executives will have been key in shaping.”
LEE MUNSON, CONTRIBUTING WRITER, NAKED SECURITY
@SECURITY_FAQS
14. WHAT FRAMEWORKS ARE MOST EFFECTIVE IN ASSESSING WHETHER AN ORGANIZATION IS ACTING PRUDENTLY OVER SECURITY?
15. “Over the years I’ve found that you cannot depend upon using just one framework, but a variety of frameworks that will help to fill the gaps that each has. I like to use the following in combination: ISO/IEC 27001 & ISO/IEC 27002; OECD Privacy Principles; COBIT5.”
REBECCA HEROLD, CEO, PRIVACY PROFESSOR
@PRIVACYPROF
16. “In the same way that organizations build their own frameworks of controls to protect other assets, the information asset deserves a level of effort beyond a cookie cutter approach.”
JAMES ARLEN, DIRECTOR, RISK AND ADVISORY SERVICES, LEVIATHAN SECURITY GROUP
@MYRCURIAL
17. “A framework is only as valuable as honest adoption, and is the principal requirement here for senior leadership. Given this truth, the most effective in assessing security is ISO 27001:2013.”
JAMES J. DELUCCIA, SECURITY & COMPLIANCE PRACTITIONER, EY
@JDELUCCIA
18. “An effective framework should pool the knowledge of a large community to identify specific, highest priority actions based on real data about threats. It must allow for multiple implementation paths and ‘tailoring.’”
TONY SAGER, CTO, COUNCIL ON CYBERSECURITY
@COUNCILONCYBER
19. “Any approach that makes the Board of Directors take it seriously, spend an adequate amount of time debating, and weighing options and risk.”
CLAUS C. HOUMANN, HEAD OF IT, BANK OHMAN
@CLAUSHOUMANN
21. “As an executive, you should know that managing cyber threats is no different from managing other business risks. Second, while you can skip the technical details, you absolutely can’t skip understanding how different threats would affect your business.”
TIM ERLIN, DIRECTOR, PRODUCT MANAGEMENT, TRIPWIRE
@TERLIN
22. “The big change will be the technical savvy user who will look to use various devices, apps, and services... As such, CSOs will need to better communicate and engage with users to make them aware of the risks and provide secure alternatives.”
BRIAN HONAN, CEO, BH CONSULTING
@BRIANHONAN
23. “IT and security managers need to shift from the belief that the threat is ‘out there’, and understand that no matter where the threat originates, the net result will be suspicious activity inside the network.”
TONY BRADLEY, EDITOR-IN-CHIEF, TECHSPECTIVE
@TONYBRADLEYBSG
24. “Securing legacy equipment and tomorrow’s leading edge will push your limits. Regulation can’t keep up. Your data will be your most important asset. You will need to innovate your business approach and risk profile to embrace this or you will be consumed by this new technology-centric world.”
PATRICK MILLER, MANAGING PARTNER, ARCHER ENERGY SOLUTIONS
@PATRICKCMILLER
25. “It’s quite clear that threat actors are always looking for the shortest path to the most reward. Security professionals need to be innovative thought leaders who share a common vernacular with Boards and Executives to advise them on these risks.”
NIKK GILBERT, MANAGING DIRECTOR, PRIVACY & RISK PARTNERS
@ARCHANGELNIKK
26. “The threat landscapes are stratified and each one requires a different perspective and response. We have to evaluate our specific risk from each layer and act (and spend) wisely.”
MARTIN FISHER, CISO, NORTHSIDE HOSPITAL
@ARMORGUY
27. “The future threat landscape is now dictating the need for a new breed of Security Professional... this new breed requires enhanced development of honed skill which understands and appreciates the technical nuts-and-bolts of new age threat, such as APT.”
JOHN WALKER, CTO, CYTELLIGENCE
@SBLTD