By Cheryl McGrath, ICD.D; Area Vice President and Canadian Country Manager, Optiv Security | James Turgal, Vice President Cyber Risk, Strategy & Transformation, Optiv Security
This is the whole game. Cyber security is an enterprise-wide risk management issue, not just an IT issue.
Boards need to constantly be looking beyond the headlines that detail the latest breach and consider how they can learn from attackers’ latest methodologies and strategies and ensure the organizations they oversee are prepared. Board and management discussions should include identification of which risks must absolutely be prevented and which to mitigate or transfer through insurance, as well as what specific roadmap and plans are in the company’s detailed cyber plan.
What are the current top 10 cyber preparedness questions boards of directors need to ask management?
1) What are the organization’s high value assets? How does the company protect both Information Technology and Operational Technology?
Working with Optiv to understand the threats facing your critical assets (including Information Technology and Operational Technology) and closing vulnerability gaps within and between these ecosystems will allow you to gain competitive advantages, greater efficiencies and new market opportunities. We help you through rapid threat assessment, penetration testing, deployment and managed tooling and beyond.
2) Does the organization have a relationship with local police jurisdictions, RCMP, CCCS (Canadian Centre for Cyber Security) and/or reporting thresholds for notifying the police/RCMP/regulators?
Working with law enforcement is a vital component of the cybersecurity world. Threat actors come from all backgrounds and locations and working with the local police force, RCMP and regulators means you have support when attacks happen. Tapping into Optiv’s deep well of expertise and industry connections helps to impart the importance of working with law enforcement and we can help with the necessary connections.
3) How does management evaluate the effectiveness of the organization’s cyber security program? Is the IT infrastructure focused on, and is management investing in, the right things?
Organizations need to consistently take the pulse of the cybersecurity world and use that awareness and thought leadership to be up to date on the bleeding-edge tools to keep your organization safe. Optiv leads the charge in fields like Zero Trust – solutions that protect networks, applications and data based on the concept of “never trust, always verify” – and MXDR – a unified platform that automates incident investigation. Join us on the frontier.
4) Do we have established cyber focused business continuity plans?
Think of business continuity plans as “future-proofing” your business. Insights need to be established on how your organization operates under stress by implementing programs such as: a cyber incident response retainer; cyber tabletop exercises; a cyber business impact analysis; and a data fabric for security and business frameworks that improves your cybersecurity and data analysis. Optiv offers extensive programs to build and maintain continuity plans.
5) What has management done to protect the organization against third-party cyber risks, both upstream and downstream from the organization?
The sheer volume of third parties to interface with is an overwhelming responsibility for any organization. You need to build business resilience by expanding your cyber protection to include third parties in your operating ecosystem. Optiv can assist with managing third-party risk, either by managing it for you as a service or by providing expertise and programs for your organization to implement, including industry-specific compliance standards, powerful assessment tools and logical workflows, among other relevant solutions.
6) Can we rapidly contain damage to networks & industrial control systems and mobilize response resources when a cyber incident occurs?
Time is of the essence when responding to breaches, particularly for C-Suite and boards that must quickly report to regulatory bodies or their customers. For more than two decades, experts at Optiv have been at the forefront of preventing and responding to large-scale attacks and intrusions of all types, so our incident responders, investigators and malware reverse engineers can use that experience to guide you in both preparation and recovery.
7) What are the top vulnerabilities / gaps to our business-critical systems and applications and how are we mitigating those risks?
Risk management is the cost of doing business in the modern world, which makes awareness of gaps in business-critical systems and applications vital. You can’t fortify problems you don’t know about. The volume and velocity of change make it extra challenging, but Optiv’s multiple risk offerings provide a full bench of services, including Risk Management, Automation and Compliance. You need a strategy to be ready and we can ensure it focuses on what matters most to your organization.
8) What has management done to mitigate insider threats?
Not all cyber threats come from external sources. An increasing number of cyber breaches are initiated from within organizations. Boards need to ask management how key functions within the organization such as legal, HR, IT, governance, audit and compliance are working together to develop policies, establish whistleblower protocols and monitor operational controls. Optiv’s Zero Trust program protects networks, applications and data by “assuming breach,” because any user or device is a potential threat actor.
9) Do we have Cyber focused training and awareness programs?
Cybersecurity is an everybody problem, and as a result, your employees need to know what to do and avoid doing to keep your environment secure. Luckily, we have an expert for that. With Optiv’s array of learning opportunities, including eLearning and video courses, we can ensure your employees are cybersecurity-fluent and armed with the knowledge and skills they need to protect their organization.
10) The most critical role for a board is to ensure you have the right leadership and organizational talent in place.
Optiv’s thought leadership makes us one of the go-to sources for assistance and a path forward in a rapidly changing world. Use us as a resource to make certain your organization’s leaders can keep a cool head, ask the right questions and inspire employees to be leaders themselves. That way your defenses are as adaptable as the threats.
If you are concerned about any gaps in your organization’s cyber program, reach out to us at www.optiv.com and we can help!