The Big 8: How to heighten cybersecurity governance

Cyber defenders worldwide can all agree that 2020 was a transformational year. Both CISOs and security teams battled increased attack volumes and data breaches as attack techniques including island hopping continued to grow in frequency and sophistication. In its annual risk index, the World Economic Forum stated that cyberattacks are one of the most significant risks posed to corporations. The potential threats associated with these attacks have gone well beyond monetary and data loss, as falling victim can lead to attacks on customers, reputation damage, and regulatory fines that can have a grave impact on businesses.

The daunting threats and attack techniques from 2020 are expected to continue into this year. And while 2021 offers a fresh start, cybercriminals will continue to become increasingly savvy, deploying a wide range of techniques to extort, disrupt, and infiltrate organizations. Now more than ever, government and corporate leaders and consumers must become engaged in ensuring effective cybersecurity strategies are in place. Below are eight steps organizations can implement to heighten cybersecurity governance:

Recognize that the worst-case scenario has escalated - It’s no longer just about your network being under siege. Enterprise digital transformation is being commandeered via island hopping 55 percent of the time according to a recent report from VMware Carbon Black. Websites, shared folders, applications, and mail servers can all be used to attack your customers and partners, causing irreversible damage.
Empower the CISO to directly report to the CEO - This demonstrates the strategic importance of cybersecurity within the organization. CISOs must be in lock-step alignment with the Board of Directors and the C-suite when it comes to cybersecurity strategy and plans. CISOs should participate actively in board meetings and provide regular status updates on threats, crisis preparedness, and response plans.
Conduct reviews of internal cybersecurity policy - An independent, unbiased assessment must be conducted to ensure the right cyber policies and measures are in place. This should include participation from the board and internal key stakeholders to guarantee full alignment and an adequate response plan should a crisis arise.
Confirm your processes and controls are bulletproof – Are your security controls integrated and has your company complied with the NIST Cybersecurity Framework? Following this type of third-party guidance can be helpful for organizations to follow and to ensure adherence to industry-leading practices.
Stay up to date on regulations - Depending on jurisdictions your company is dealing with – US-only or international for example – be sure to tap an in-house or external General Counsel for advice on regulations such as GDPR or the California Consumer Privacy Act. It’s best to have these conversations proactively versus after an attack takes place.
Allocate at least 10 percent of your IT budget to cybersecurity - The board must be cognizant of today’s cybersecurity landscape and growing threats to ensure they understand the importance of budgeting for cybersecurity plans and response. As the risks grow, so does the need for more budget and attention on cybersecurity within an organization.
Develop and regularly update a comprehensive incident response strategy - A proactive approach is always best. This will demonstrate an understanding that incidents will happen, and by being prepared and training for crisis response, organizations will be better armed when the real crisis occurs. Ensuring that team members from marketing, legal, and HR are involved is also critical to align about incident response plans.
Communicate with customers and suppliers – Provide your customers and suppliers with best practices for cybersecurity and mandate that they comply with these regulations. This will prevent issues down the line and keep everyone involved in the supply chain better protected.

Today, all organizations are navigating digital transformation looking to accelerate their businesses. At the same time, Boards of Directors, CISOs, and executives alike must strike a balance between innovation and cybersecurity. A proactive cybersecurity strategy is a must to help organizations secure their most critical assets. Digital transformation and cybersecurity go hand-in-hand. In order to mitigate the threat posed by cybercrime cartels, organizations must become vigilant and ensure these eight fundamentals of cybersecurity governance are in place.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.

Tom Kellermann is the head cybersecurity strategist at VMware Carbon Black. Prior to joining VMware Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. In January 2017, Tom was appointed the Wilson Center's Global Fellow for Cyber Policy. Tom previously held the positions of chief cybersecurity officer for Trend Micro, VP of security for Core Security, and deputy CISO for the World Bank Treasury.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.