What makes a solid cybersecurity/information risk management program?

This is a difficult question, and one that can and has spanned numerous books.

But for the sake of a starting point, I would recommend that all CISOs follow a three-pronged approach that incorporates your relationship with business leaders, interactions with colleagues, and implementation of technology.

Internal support needed

First and foremost, you need support from your business leaders including the CEO and the board of directors. They need to understand the topic of information risk management and their associated responsibility.

Just like any other risk, the executives and board need to discuss this topic on a regular basis. They should be asking questions about the information security/risk management program, its soundness, its completeness, and its adherence to state and country regulations such as the N.Y. State Department of Financial Services Cybersecurity Regulation and the European Union Data Privacy Directive.

These new and expanding regulations have very specific requirements that must be met and certifications that must be earned (sometimes on an annual basis, in writing) and approved by the board or a senior officer.

You need to establish regular dialogue with your senior executives, and you should ensure that the topic is regularly covered at various risk meetings such as Operational Risk and Emerging Risk. You can use these meetings to present the overall cybersecurity/information risk management program, the risk assessments undertaken, the gaps found against known risks, the roadmaps to close those gaps, and any risk acceptances that need approval if they are deemed warranted.

Business leaders must also understand that the company's information security/cybersecurity program extends to all business partners. The same level of compliance must be enforced if the business will allow third parties to access, maintain or store information that the company is required to protect. The company is still accountable and responsible for this information whether maintained by the company or the third-party business partner.

Awareness of risks

Next, and just as important, is training all colleagues, ensuring their awareness of the risks and their associated responsibilities. There needs to be continuous, ongoing training on multiple fronts using various media. Colleagues must understand that they are the first line of defense when it comes to protecting the company, its assets and its customers.

This starts with publishing an Information Security policy and requiring colleague compliance. You must establish consistent standards for using and accessing the company's technology and devices. You should have a requirement that all colleagues acknowledge the policy and standards and know the consequences of non-compliance.

You then need to reinforce these requirements through training and awareness programs. These include online training modules, posters, emails, bulletins, blogs and videos. To stay fresh and relevant, they should be concise, continuous and meaningful. One of the most important topics must be email security. Educating colleagues on how to identify phishing emails and not become a victim of malware is a front-line defense for any company and budget well spent.

Manage relationship between IT & IS

The third step is managing the relationship between Information Technology (IT) and Information Security (IS). This is a huge responsibility. You must deploy all the usual tools required (such as anti-malware, data loss prevention, vulnerability scanning and firewalls), but first you need to understand your entire environment. This includes the network architecture, applications deployed, third-party providers, outsourced arrangements and any and all vectors that must be protected to ensure an effective information security program.

This requires an ironclad partnership between the Information Security and IT teams. Information Security must be able to provide leadership to IT on where the risk points are located, which ones are adequately protected, and where there are gaps that must be addressed and by when. Knowing where the gaps are, and the risks associated with those gaps, must be a priority.

This, of course, brings us to the topic of patching. The IS team must scan on a continuous basis, identify and prioritize required patches, and communicate with the IT team. Just read the headlines to fully understand the importance of this requirement.
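As an added illustration of the "identify and prioritize required patches, and communicate with the IT team" step (this is example code written for this article, not a tool the author describes), the script below ranks constructed scan findings by a simple risk score and turns them into a patch list with due dates. The weighting factors, the priority thresholds, the SLA targets and the sample findings (including the placeholder vulnerability IDs) are all assumptions chosen for the example; a real program would take the weights from its own risk appetite and the asset criticality from its asset inventory.

```python
"""Rank vulnerability-scan findings so the riskiest patches reach IT first.

All weights, thresholds, SLA targets and sample data below are constructed
for this example; they are not from the article or from any scanner product.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str              # scanner identifier (placeholder values in SAMPLE)
    cvss: float               # base score, 0.0 to 10.0
    internet_facing: bool     # reachable from outside the network
    asset_criticality: int    # 1 (low) to 3 (high), taken from the asset inventory
    exploit_known: bool       # scanner reports a publicly available exploit


# Assumed days-to-patch targets per priority tier.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90}

# Assumed multipliers for exposure and for a known exploit.
EXPOSURE_WEIGHT = 1.5
EXPLOIT_WEIGHT = 1.5


def risk_score(f: Finding) -> float:
    """CVSS scaled by business criticality, then boosted for exposure and exploitability."""
    score = f.cvss * f.asset_criticality
    if f.internet_facing:
        score *= EXPOSURE_WEIGHT
    if f.exploit_known:
        score *= EXPLOIT_WEIGHT
    return round(score, 1)


def priority(f: Finding) -> str:
    """Map the score onto the three assumed priority tiers."""
    s = risk_score(f)
    if s >= 30:
        return "P1"
    if s >= 15:
        return "P2"
    return "P3"


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest score first; ties broken by host name so the order is stable."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host))


def patch_report(findings: list[Finding]) -> list[str]:
    """One line per finding, in the order IT should work them, with the due window."""
    lines = []
    for f in prioritize(findings):
        tier = priority(f)
        lines.append(
            f"{tier} due in {SLA_DAYS[tier]}d: {f.host} {f.vuln_id} "
            f"(score {risk_score(f)}, cvss {f.cvss})"
        )
    return lines


def tier_counts(findings: list[Finding]) -> dict[str, int]:
    """Summary counts per tier for the risk-meeting slide."""
    return dict(Counter(priority(f) for f in findings))


# Constructed sample findings; vulnerability IDs are placeholders, not real advisories.
SAMPLE = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 8.0, True, 3, True),
    Finding("db-02", "VULN-PLACEHOLDER-2", 7.5, False, 3, False),
    Finding("kiosk-07", "VULN-PLACEHOLDER-3", 5.0, False, 1, False),
    Finding("vpn-03", "VULN-PLACEHOLDER-4", 6.0, True, 2, True),
]

if __name__ == "__main__":
    for line in patch_report(SAMPLE):
        print(line)
    print(tier_counts(SAMPLE))
```

The point of the score is not the particular numbers but that severity alone (the CVSS value) is not the ranking: an internet-facing, business-critical host with a known exploit rises to the top even when its CVSS is lower than an internal finding, which is the conversation IS needs to be able to have with IT.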

Learn from mistakes

Finally, you must learn from mistakes. Not a day goes by where we don't hear about another security breach. When a breach is communicated, quickly analyze the information provided and determine the underlying root cause. Recent stories list lack of patching, malware attacks, phishing, misconfigured servers and colleague error. This information allows you to determine if the same vulnerability exists within your environment.

Armed with the data, you can review the risk and ensure that you have mitigated it within your organization. If the risk still exists within your company, you can use the details of the breach to create a plan for mitigation, accelerate your current plan, or enhance your program.

Tom Dunbar has over 20 years' experience in cybersecurity/information risk management and recently retired from XL Catlin.
