Executives Take Notice

In recent years it has become evident that a cyberattack can strike at any time and affect organizations of all sizes. An often-repeated (and rarely sourced) statistic holds that 60% of small to mid-sized businesses fail within six months of a successful attack if the underlying risks are ignored. Whatever the exact figure, this should be an executive-level concern: a successful cyberattack can result in the loss of valuable data, leading to financial losses, fines, reputational damage, and legal liability.


Governance

Cybersecurity governance is the process by which senior leadership exercises strategic control over business processes and functions, through policy and delegation of authority, to ensure that the organization's cybersecurity program aligns with the business mission, goals, and objectives while maintaining compliance with laws and regulatory standards.


NIST CSF 2.0 (GOVERN)

The organization’s cybersecurity risk management strategy, expectations, and policy are established, communicated, and monitored.

Understand and assess specific cybersecurity needs.
Every organization has a unique risk profile, shaped by its industry and by its own people, processes, and technology. It is important to understand the organization's specific cybersecurity needs, to discuss current and predicted risk across the organization, and to collaboratively determine the level of risk the organization is willing to accept (its risk appetite).

Develop a tailored cybersecurity risk strategy.
A tailored cybersecurity risk strategy should be based on the organization's specific cybersecurity objectives, its risk environment, and feedback from industry peers. The strategy should be managed, reviewed, and updated at regular intervals: as the environment changes and new processes and technologies are adopted, the risk profile changes with it. Roles and responsibilities must be clearly defined, and the strategy must be communicated consistently in both message and delivery.

Establish defined risk management policies.
Policies have been hit or miss among the organizations we have partnered with: some are missing key policies, and others have drastically outdated ones. It is important to establish and maintain risk management policies that are easy to read and understood by everyone in the organization. Policies should align with the current threat environment, risk profile, and mission objectives. As the risk profile changes, the policies should be updated and disseminated by leadership throughout the organization.

Develop and communicate organizational cybersecurity practices.
Adherence depends on continuous, straightforward communication of cybersecurity practices. This includes policy dissemination with documented acknowledgement and acceptance, and periodic user awareness training.

Establish and monitor cybersecurity supply chain risk management.
Supply chain risk has gained increased attention over the past few years, so it is important to establish a strategy, policy, and roles and responsibilities for it. Incorporate cybersecurity requirements into contracts and monitor them throughout the life of the relationship. Involve partners and suppliers in planning, response, and recovery.

Implement continuous oversight and checkpoints.
Implement continuous oversight and maintain regular checkpoints to monitor changes to the risk profile, so that risks, policies, and controls can be added, updated, or retired as needed.


Conclusion

Most organizations struggle to address cybersecurity risk appropriately while keeping up with regulatory compliance mandates. By understanding organizational context, developing a risk management strategy, defining roles and responsibilities, developing policy, providing oversight, and addressing supply chain risk, you can begin to identify, define, and implement a risk treatment plan. All levels of the organization should be involved in the risk treatment discussion. Deciding whether to mitigate, accept, avoid, or transfer each risk may be the difference between the longevity and the failure of the organization.


By: Brett Price – Lead Cybersecurity Consultant – C|CISO, CISSP, CISM, CISA
