Cybersecurity is one of the most urgent topics on the agendas of company leaders and boards of directors. Almost every week, there are new stories about data breaches affecting millions of customer records, payment card data and loss of trade secrets. The sources of cyber threats are growing in sophistication and nefarious intent. Professionals dealing with cybersecurity not only need to focus on thwarting hackers that intend to disrupt your organization or deface your website, but must also be prepared to address threats from professional cyber-espionage groups or sponsored foreign government intrusion. The latter are often organizations with sustained intent and the capability to cause real harm to your organization.
In fact, attacks have been so common in recent years that the conventional wisdom within the cybersecurity community has shifted from a mindset of IF we are hacked to WHEN we are hacked. The best-prepared companies are shifting their cybersecurity strategies from focusing on outright prevention to implementing techniques to quickly detect breaches and limit the damage once a breach has been confirmed.
This article focuses on describing the effective components of a sustainable cybersecurity management program which should be evaluated and discussed with senior management, the audit committee and the board of directors. We consider five main components when working with companies to improve cybersecurity effectiveness. Within your own organization, it is important to think about your level of maturity and preparedness with regard to these components.
It’s easy for many security departments to turn into the department of no. This happens when an organization has not developed a clear understanding of the types and locations of information assets it maintains and, instead, tries to protect all data without regard to importance. By completing a data classification process, an organization can determine how much effort and cost is required to properly secure the most critical information assets. Once an organization has completed a data classification initiative, managerial decisions can be made to balance security expenditures with the real value of the data the organization is trying to protect.
Most of us by now are greatly familiar with general computer controls, which include the IT controls tested during a financial statement audit, but real cybersecurity controls go beyond simple change management and user access reviews.
Hackers aren’t filling out user access request forms or submitting change requests, so how are you making sure your control environment is prepared to deal with unknown and unseen threats? There are numerous cybersecurity control frameworks your organization can implement. We don’t recommend one specific framework over another, but three of the most common frameworks include:
Security and Privacy Controls for Federal Information Systems and Organizations (NIST 800-53):
One of the most comprehensive frameworks, this is the standard for security controls used by organizations doing business with the United States Government. Categorized in terms of system impact, the control catalog specifies control baselines for high, moderate, and low impact systems. The core of the framework groups control activities in terms of functions within the cybersecurity lifecycle: identify, protect, detect, respond, and recover.
This international standard defines “requirements for establishing, implementing, maintaining, and continually improving an information security management system.” The ISO standard sets out the process that an organization should follow when managing information security. Annex A of the standard provides detailed control objectives and controls for information security. The ISO 27001 certification only verifies the information security management system, it does not provide assurance on the implementation of controls specified within Annex A.
SANS Critical Security Controls:
The SANS Institute prioritizes security functions with an emphasis on “What Works” and defines the top twenty control areas for enhancing cybersecurity. Each of the twenty control areas includes over 100 implementation activities organized into “Quick Win,” “Visibility/Attribution,” “Configuration/Hygiene,” and “Advanced” categories. For organizations getting started with a formal cybersecurity program, the “Quick Win” controls throughout the framework are a great place to begin.
While most leading cybersecurity control frameworks include verification controls, we call special attention to this as part of the process of managing cybersecurity. Periodically, organizations should evaluate their security controls to obtain assurance over cybersecurity control effectiveness and determine whether the cybersecurity controls are operating as intended within the organizations. We often see organizations with internal audit departments that focus extensively on internal controls over financial reporting. Evaluating cybersecurity controls (through a combination of control testing and penetration testing) is also a great way for internal audit departments to continue to add value by enhancing the overall security posture of the organization.
Based on the premise that cybersecurity professionals now expect their organizations to be hacked, it logically follows that the organizations should have breach response procedures in place. Breach preparedness begins with defining the activities an organization should follow when invoking the plan. Specifically related to cybersecurity incidents and active breach scenarios, a response plan includes critical activities like:
As recent, high-profile breaches demonstrate, even with robust security processes in place, organizations can suffer a breach. When security measures fail, financial impacts (e.g., credit monitoring for affected customers, increased transaction processing costs, or fines assessed by regulatory agencies) may occur. Organizations must understand their financial exposure relative to a compromised dataset. At that point, the organization can evaluate the overall effectiveness of its cybersecurity process and decide whether to accept that risk or transfer that risk through a cyber-liability policy. Insurance carriers are quickly evolving cyber policies and coverage. Underwriters are taking closer looks at how companies assess and manage their cybersecurity risks. By implementing effective cybersecurity management programs, organizations may be able to receive reduced premiums or more favorable policy limits.
Cybersecurity management is a complex topic that requires substantial organizational attention to be effective. This is not solely the responsibility of the IT department. By working collaboratively across an organization, it is possible to more effectively manage cybersecurity risks and maintain a sustainable program in order to reduce the likelihood of an exposure, limit the extent and impact of an exposure and be prepared to recover from the damages of a breach.
For more information on this topic, or to learn how Baker Tilly risk specialists can help, contact our team.