For anyone working in cybersecurity, it can be hard to get your Board to understand the issues and to invest money or attention in them. I have presented cyber issues to multiple Boards, and here is my advice on how to get Boards to understand cybersecurity issues: relate them to Work Health and Safety (WHS, H&S or OHS).

Boards are often made up of retired white men in their 60s, frequently from an operational, legal or financial background. Whilst they may have great skills in governance, audit and strategy, their technology skills may be a little behind. Even though the concept of “information security” is over thirty years old, the newer term (and newer threats) of cybersecurity may frighten and confuse them. Boards may not appreciate that they need to govern and approve cybersecurity activities, because they often consider it an “IT issue” and therefore do not give it the focus it requires.

However, Boards are usually well versed in the concept of risk, and comfortable with receiving reports of Work Health and Safety issues at a Board meeting. WHS issues are routinely reported to the Board so that preventative or compliance activities can be approved and funded. So my recommendation is to re-frame a report of cybersecurity issues using a similar structure and wording to a WHS report, which the Board already understands.

WHS Analogy – safety on the office staircase

  • It has been identified that someone could fall on the staircase, because someone has already stumbled
  • Using standard reporting processes, a ‘no fault’ near miss report has been made of the H&S risk
  • On investigation, the handrail appears to be mounted too low to comply with standards
  • Closer inspection finds loose carpet and a missing section of grip on more than one step edge
  • A risk assessment identifies that the impact is “high”, and the likelihood is “possible”
  • The company Health and Safety representative arranges for remediation
    • Standards are investigated to establish the optimal height for the handrail
    • Quotes are obtained for the work from trusted suppliers
    • A budget is allocated for each component of the remediation work
  • It is a duty and responsibility of the business to take action and protect employees and visitors
  • Work is scheduled to be performed, with the staircase out of action to all staff during work
  • Staff are instructed to use the handrail at all times, and to walk (not run) on the stairs
  • After remediation, the risk assessment shows that impact is “high”, and likelihood is “unlikely”

Cybersecurity analogy

  • Another company in the same industry and region has suffered a blended attack involving social engineering: a link in a scam email was opened, resulting in data theft
  • Under a ‘no blame’ reporting mechanism, an employee reports a near miss of an email scam at your company
  • Investigation by the IT team also finds reports that the current anti-virus vendor is unable to protect against some new threat types that are “in the wild”, such as new ransomware similar to CryptoLocker
  • Closer inspection finds that there are multiple file locations that are open to all staff, and at risk of data theft, file infection, or ransomware encryption
  • A risk assessment identifies that the impact is “severe”, and the likelihood is “almost certain”
  • The company cyber security / information security officer arranges for remediation
    • Best practice is established for how data should be handled
    • Quotes are obtained from trusted suppliers for replacing the anti-virus product and for fixing the access controls on the file locations
    • A budget is allocated to purchase the licenses, implement the changes and to test afterwards
  • It is a duty and responsibility of the business to protect data and systems, so action is authorised
  • Work is scheduled to be done, with modifications planned and communicated to users
  • Users are given information on the change of anti-virus software, and new restricted access to file storage locations
  • After testing, the risk assessment still shows that the impact is “severe” and the likelihood is “almost certain”

You may have noticed that in the cybersecurity example the risk impact and likelihood do not change after remediation. This is a fundamental of cybersecurity that many people (and Boards) do not appreciate. With WHS risks, you identify a hazard, take remedial action, and the risk decreases. With cybersecurity as a whole, you cannot really decrease the risk, because the threat is always changing. You can close specific vulnerabilities (here, the file locations open to all staff and the outdated anti-virus), and you can prepare for response and recovery, but there is no guarantee that new vulnerabilities will not appear or be created. Your security is out of date, and it always will be.
