In February, at the World Economic Forum (WEF) in Davos, Switzerland, an expert working group issued the report Advancing Cyber Resilience: Principles and Tools for Boards. These principles and tools are designed to strengthen an organization’s cyber practices by providing guidance for managing cyberrisk in much the same way that organizations manage other enterprise risks.
The WEF report details best practices that boards of directors and the C-suite “can use to smoothly integrate cyberrisk and resilience into business strategy so that their companies can innovate and grow securely and sustainably.” It defines 10 principles for the board:
- The board shall take responsibility for the oversight of cybersecurity.
- Board members shall have sufficient knowledge of cybersecurity to exercise that oversight.
- Boards shall ensure that one corporate officer is accountable for cybersecurity.
- Boards shall ensure that management integrates cyber resilience and risk assessment programs.
- Boards shall define the organization’s risk tolerance.
- Boards shall hold their management accountable for quantifying the organization’s cyberrisk exposure.
- Boards shall ensure that management supports the accountable officer in implementing, testing and continuously improving cyber resilience plans.
- Boards shall encourage inclusion of all stakeholders.
- Boards shall require an independent cyber resilience review on an annual basis.
- Boards shall review their own performance in the implementation of these principles.
These principles are supplemented by practical questions board members can use to evaluate their organization’s cyber practices. Additionally, the document outlines a variety of risk management frameworks that should be considered to manage and minimize cyberrisk exposure.
The WEF report’s framework and tools provide practical guidance on principles and steps to assist organizations in transitioning from a compliance-focused, check-the-box mentality to a proactive, risk-based approach to enterprise security.
Establishing a proper oversight program can help companies streamline board reporting, integrate the multi-department activities required to mitigate operational cyberrisks, and ensure that reasonable security controls and procedures are in place. It can also help all stakeholders understand which assets are at risk, how to estimate potential losses, and how best to mitigate threats through new security practices, investment or cyber insurance.
The report also helps boards treat cyberrisk management as an extension of traditional cybersecurity rather than a separate discipline. Organizations can only focus on the biggest risks to their business when they contextualize internal security intelligence (scanner findings, configuration state, detections) with external threat data, such as which vulnerabilities are actively being exploited, and then correlate the findings with the business criticality of the affected assets. Prioritizing remediation on that basis narrows the window during which an exposed vulnerability can be exploited.
The WEF guidance also provides useful building blocks for better cybersecurity practice. It is not a silver bullet against cyberattacks and data breaches, however: guidelines and regulations are static documents that cannot by themselves detect or mitigate evolving threats, and regulatory compliance cycles move far too slowly to keep up with attackers.
Ultimately, proper security measures and best practices are just part of the solution. One of the biggest challenges facing organizations is managing the sheer volume, velocity and complexity of data feeds that must be analyzed, normalized and prioritized to even stand a chance of detecting a cyberattack.
To improve the odds of thwarting cyberattacks, organizations should implement the following three best practices:
- Given the shortage of qualified security professionals, leverage technology to automate as many security operations tasks as possible.
- Increase the frequency of security posture assessments, following the National Institute of Standards and Technology’s guidance on information security continuous monitoring (NIST SP 800-137).
- Extend protection measures to address today’s growing attack surface. This includes moving beyond the network layer and endpoints to include applications, databases, cloud environments and internet of things devices.
Given the sheer volume of security gaps that exist, it is no longer feasible to manage findings one at a time. A holistic, risk-based approach that weighs both security posture and business impact can reduce the attack surface and shorten the time during which exploitable vulnerabilities remain open. Organizations should therefore consider using technology to overcome the challenges of manually analyzing and extracting relevant threat intelligence from security feeds, so that they respond in a timely manner to the most critical risks to their business. The WEF principles and tools are an important first step in this process.
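The correlation the article describes, internal scanner findings joined with external exploitation data and the business criticality of each asset, is easier to see in code than in prose. The following is an added example written for this page, not code from the WEF report or any product it mentions. Every name, weight and input in it is an assumption: the findings, the set of known-exploited vulnerability IDs and the asset criticality table are constructed sample data, and the scoring weights are illustrative, not a standard.

```python
"""Risk-based prioritisation of vulnerability findings (added example).

Joins three constructed data sources:
  * internal findings (scanner severity, exposure),
  * external threat data (which vulnerability IDs are being exploited),
  * business criticality of each asset (1 = low, 5 = critical),
and ranks findings so that remediation effort goes to the biggest
business risk first, not simply to the highest CVSS score.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str            # hostname or service name from the internal inventory
    vuln_id: str          # synthetic identifier; not a real CVE
    cvss: float           # scanner severity, 0.0-10.0
    internet_facing: bool # exposure as recorded by the internal scan


# Constructed sample findings (assumption: these are not real systems or issues).
FINDINGS = [
    Finding("dev-build-01", "vuln-0001", 9.8, internet_facing=False),
    Finding("payments-api", "vuln-0002", 7.5, internet_facing=True),
    Finding("hr-db", "vuln-0003", 8.1, internet_facing=False),
    Finding("unknown-host", "vuln-0004", 6.5, internet_facing=True),
]

# Constructed external threat data: IDs reported as exploited in the wild.
EXPLOITED = {"vuln-0002", "vuln-0004"}

# Constructed business criticality, normally maintained by the risk function.
CRITICALITY = {"dev-build-01": 1, "payments-api": 5, "hr-db": 4}

DEFAULT_CRITICALITY = 3  # assumption: an unrated asset is treated as medium, not ignored


def risk_score(f: Finding, exploited: set, criticality: dict) -> float:
    """Combine posture and business impact into a 0-100 score (illustrative weights)."""
    severity = f.cvss / 10.0                         # internal posture: how bad is the flaw
    threat = 1.0 if f.vuln_id in exploited else 0.4  # external data: is anyone using it
    exposure = 1.0 if f.internet_facing else 0.6     # internal posture: can they reach it
    impact = criticality.get(f.asset, DEFAULT_CRITICALITY) / 5.0  # business criticality
    return round(100.0 * severity * threat * exposure * impact, 1)


def prioritize(findings, exploited, criticality):
    """Return findings ordered by descending risk score."""
    return sorted(findings,
                  key=lambda f: risk_score(f, exploited, criticality),
                  reverse=True)


def missing_criticality(findings, criticality):
    """Assets the risk register has not rated; these need a human decision, not a default forever."""
    return sorted({f.asset for f in findings if f.asset not in criticality})


if __name__ == "__main__":
    for f in prioritize(FINDINGS, EXPLOITED, CRITICALITY):
        print(f"{risk_score(f, EXPLOITED, CRITICALITY):5.1f}  {f.vuln_id}  {f.asset}")
    for asset in missing_criticality(FINDINGS, CRITICALITY):
        print(f"WARNING: no business criticality recorded for {asset}")
```

With these inputs the CVSS 9.8 issue on the low-value build server ranks last, while the CVSS 7.5 issue that is internet-facing, actively exploited and sitting on the payments system ranks first. That inversion is the point of the approach: severity alone would have sent the team to the wrong machine. The unrated host is scored with a default so it is never silently dropped, but it is also reported separately, since an asset nobody has rated is itself a governance finding.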