How to speak to your board about cybersecurity.
Welcome to Cyber Security Today. It’s Monday October 5th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
As part of Cybersecurity Awareness Month I’ve been talking to security leaders about problems organizations face and how to solve them. One of them was Frank Downs, senior director of cybersecurity advisory solutions for ISACA, an association that offers information security and risk management training to IT professionals. We chatted about how to talk to managers and boards about cybersecurity. You can hear more from him tomorrow at the MapleSec online cybersecurity conference being hosted by IT World Canada. The conference starts at 11 am today and registration is still open. But here’s a summary of what he told me:
Boards and management need to know what risks the organization faces. Cyber attacks are one of those risks. But to understand the cyber risks the IT department has to first do a risk assessment of the firm’s security controls. That helps everyone understand where the organization is weak, what it will take to make it stronger in those areas, how much money is needed and how long it will take. That creates a cybersecurity risk profile of the company. It may say the firewall is OK but the routers need replacing. Or the identity and access control system needs to be honed. Or staff doesn’t understand how to safely use a capability.
Some assessments create a colour-coded report that’s easy to digest — red is for bad, orange is for warning, and green means this security control is good for the time being. Or there could be a numeric score of 1 to 5.
ISACA has a framework for creating a risk or maturity profile. So do others, like the U.S. National Institute of Standards and Technology, known as NIST. The Canadian Centre for Cyber Security has a simple framework for small and medium businesses on its website. Some frameworks are free. Some cost money. But armed with a profile an IT manager can go to a board and say, ‘Here’s what needs to be fixed, here’s how long it will take, and this is what could happen if this vulnerability isn’t plugged.’
Remember also this will be a continuous effort. Cyber risks change. What was once green on the risk assessment can change to orange or red as attackers adopt new tactics or new attackers emerge.
What’s vital, said Frank Downs, is that IT keeps metrics to show the entire organization if there’s progress on meeting the goals of the plan.
Small organizations may feel that a cybersecurity maturity plan is beyond them, that their IT staff is too small. But Frank Downs says trying is better than doing nothing.
You can hear more of his advice tomorrow at 1:30 Eastern when he talks to Robert Gordon of the Canadian Cyber Threat Exchange.
Today’s sessions, which start at 11 am Eastern, look at the overall cyber threat landscape. Tomorrow focuses on cyber awareness training, while Wednesday’s sessions look at privacy and emerging technologies. Registration is free.
That’s it for Cyber Security Today. This podcast can be heard on Mondays, Wednesdays and Fridays. Subscribe on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.