Having a clear governance and leadership model, translating that into a real risk management program and understanding what happened after a cyberattack are the three key strategies for eliminating or reducing your cybersecurity risk. “If you have no feedback loops, if you don’t understand what happened operationally, if you are not seeing attacks and the way you are handling them, are you really understanding what is happening in those systems in real time?” Coleman said in the Journal blog.
“The volume of security incidents increases every year, they’re getting more complex, and data breaches are more frequent and costly than ever. That’s why businesses are turning to cyber resilience – accept that security breaches are inevitable and develop the ability to efficiently handle them and move on, just like any other business challenge,” John Bruce, CEO of Resilient Systems, which sponsored the latest Ponemon Institute report on cyber threats, told SCMagazine.com recently.
Data breaches that get reported are just the tip of the iceberg, the Ponemon Institute says. Ponemon notes that as part of everyday business, there are exponentially more security incidents than data breaches. Under federal law, all security incidents need to be assessed to determine if they are data breaches that require reporting. The study’s findings indicate that organizations are not thoroughly assessing their security incidents. In fact, one-third of the respondents do not have an incident response process in place.
Coleman advises that cybersecurity teams use common language to keep the board and the C-suite up to date. “Generally, organizations that embrace it understand the conversation, they don’t just keep it in the technical area,” he said. “That is one thing that is still emerging, those reporting mechanisms and how to get the board to see the overall risk management in a way that translates the technical risk into showing how it relates to the business.
In a recent conversation Coleman had, a board director relayed to an IT person that his company had been talking about a digital transformation of the board for two years, but the conversation never involved the security team. It’s critical that companies close the loop on keeping everything informed and involved.