When cybersecurity initiatives originate with the board of directors, people pay attention. So what are some steps a board can take to keep their charges ahead of the hackers?
As industrial cybersecurity and critical infrastructure breaches mount, senior information security officers (SISOs), information technology (IT) directors, heads of engineering and others who lead cybersecurity initiatives are being called on to present their situation and solutions to their boards. A recent study conducted by the Ponemon Institute suggests that this may still be the exception rather than the rule.
The Ponemon Institute surveyed 603 IT security and operational technology (OT) security practitioners at the C-level, managerial and director level in the United States, all of whom were familiar with cybersecurity initiatives and ICS and OT security practices within their organizations. Only 35% of respondents reported directly to the board of directors. Of them, 41% said they report only when a security incident occurs while 59% reported annually, bi-annually or quarterly. OT risk assessments and changes to the ICS and OT threat landscape were the topic of more than half the reports, with vulnerabilities and protection practices covered by just under half of the respondents.
“If management executives, the board and the IT teams aren’t sharing the same information, it will be nearly impossible for companies to stay ahead of fast-evolving cyber threats,” writes Matthew Scott, commenting on the study in Chief Executive magazine. Scott recommends that boards “conduct a comprehensive review of the cybersecurity measures currently being implemented by all IT teams” and create a cybersecurity or IT committee that reports to the board or appoint a cybersecurity expert to the board.
In its recent report, The Changing Role of the Board in Cybersecurity, Deloitte suggests the following additional steps the board might take:
Adopt a cybersecurity framework
Deloitte recommends that boards consider adopting the Framework for Improving Critical Infrastructure Cybersecurity, released by the National Institute of Standards and Technology (NIST).
“Most cybersecurity strategies have moved from the flawed castle-and-moat security model to a zero-trust model, as the world perimeter becomes nonexistent in this cloud-dominated, mobile-driven and work from anywhere world. The board should be up to date on these changing cybersecurity models and strategies, so that they can make more informed decisions when a cyberattack takes place,” they write.
Take a holistic enterprise level security approach
The Deloitte authors call for proactive enterprise-wide security solutions, focusing on the overall cyber resiliency of the organization. This includes ensuring that third parties such as business partners, contractors and other vendors who interact with them also maintain an acceptable level of cybersecurity. Also, as industrial systems become more digital as part of Industry 4.0, they also call for attention to IT/OT integration.
“With the advent of advanced adversaries, there will always be gaps in cybersecurity controls, which makes it impossible to protect everything. The best practice is to look at key assets or crown jewels … and have risk or value-based governance mechanisms around it.”
Protect the crown jewels
“With the advent of advanced adversaries, there will always be gaps in cybersecurity controls, which makes it impossible to protect everything. The best practice is to look at key assets or crown jewels (which may differ from one organization to another according to industry-based regulations) and have risk or value-based governance mechanisms around it,” write the authors of the Deloitte report cited above.
Certainly, for oil and gas, energy, water and other key infrastructure components, those crown jewels are the automation systems that impact production, safety and sustainable operations.
Create cyber talent
The board can also help ensure that the management has the requisite skills, resources and approaches in place to reduce the likelihood of a cyberattack and mitigate any damages that may occur. Like Chief Executive magazine’s Matthew Scott said, this might include separating IT and information security teams, as well as having a cyber expert on the board.
“A cyber expert will also be able to understand the overall cyber landscape and probe the organization’s cyber compliance posture. While talking to the management about talent, it is also imperative for the board to ask about human layer security (HLS), which is often overlooked.
Robust reporting mechanisms
Deloitte further recommends quarterly or biannual reporting, as well as cyber gaming exercises that can help the board identify possible vulnerabilities and measure the overall resilience of the system.
Turning the table
How cybersecurity is presented to the board is also critical in eliciting support for cybersecurity initiatives. Here are some tips for anyone who must present cybersecurity to board.
– Bedrock Automation is a CFE Media content partner.