How We Can Help Corporate Boards with Cybersecurity

Originally published by RegScale.

Recently the Wall Street Journal featured an article titled Why Corporate Boards Need More Cybersecurity Experience, and it got me thinking about what we can do to help them; we can do a lot. What’s the situation you ask? According to the WSJ, “Directors currently don’t have the knowledge they need to effectively fulfill their oversight role”, and that’s a big deal.

The reality is that most executives lack deep security backgrounds, and although Cybersecurity is a business issue, it’s highly technical and complicated by the relationship between people and processes and the numerous controls and technologies needed to secure organizations today. It’s further exacerbated by the alphabet soup of security vernacular, you know, “we prioritized the VMs based on the CMDB ranking but the SIEM is getting false negatives on the WAF in the DMZ…”.

The stakes are huge, everything from Reputation to Brand, Customer Confidence to Legal Responsibility, and ultimately the ability to generate revenue and avoid costly remediation, all demand comprehensive security programs and effective Governance, Risk, and Compliance execution. And if this isn’t enough incentive, let’s not overlook the ever-increasing regulatory requirements that continue to demand more cybersecurity attention, most recently exemplified by the latest moves from the SEC and NYDFS which continue to raise accountability for Executives and Directors.

This is where we, the industry, can step up our game. First, we can better educate Directors. We already do it for our employees, customers, and partners, with varying degrees of success, and Boards, are a natural extension of these efforts. Second, we must provide tools to easily and effectively automate as many processes as possible. Automation needs to include:

• Collection through simple and scalable API integration with the controls and tools already in place.
• Automation and Closed loop remediation to remove the manual processes and leverage the workflow capabilities of ticketing systems and configuration management tools.
• Reporting for multiple constituents: for operators to better perform their security management activities; for compliance teams to fulfill their regulatory responsibilities; for audit teams who have a thankless job requiring an inordinate amount of data and control framework mapping; and finally for executive management to see compliance and security posture in risk denominated terms they can relate to. Boards would benefit greatly from this as well. Executive management would be able to make informed decisions about how much residual risk to accept while allowing the board to perform its oversight role.

Modern cloud architectures allow us to deliver on these automation elements in ways legacy platforms just can’t. The ability to deploy quickly in public or private clouds delivering value in days and weeks as opposed to months and years; to quickly digitize control frameworks and mappings and leverage machine-to-machine communication to gather and process data and workflows; and the ability to scale up and down as demand requires, delivering technical scale with maximum cost efficiency.

These are the things we need to bring to our customer community to help them free experts from data collection and manual tasks and allow them to spend the bulk of their time doing what they are uniquely qualified to do, i.e., to manage risk effectively and enable the success of their core organizational missions. Give practitioners the business context to translate the highly specialized language of security and compliance into risk-based, business terms that all executives and boards can consume and act upon. Executives care about Muchness, Soonest, and Sureness…at the end of the day, we’re just trying to answer the questions, “what do I care most about, how much do I care, and where are we now?”.