Is cyber security an IT issue? Well – yes and no. Sure, the technical understanding of what needs to be done, how and why will always ultimately lie with a technology specialist, but the strategic understanding of why it matters and how it fits into wider business operations and culture should always lie with senior management. Cyber security needs to be taken seriously in the boardroom in order for it to truly permeate throughout the business, and therefore to be effective. So yes – cyber security is an IT issue, but it’s bigger than that. Cyber security is a senior management issue.
Or at least, it should be. Last year, a major study concluded that 30% of UK boardrooms across a range of key sectors still viewed cyber security as an IT issue, and warned that this not only places those businesses at severe risk, but also means that non-executive directors are failing to fulfil their ‘constructive challenge’ remit. With recent events and investment such as the opening of the National Cyber Security Centre (NCSC) in the UK, one could argue that it is now a serious Government and State matter too.
With this in mind, a new regulation has come into force in New York State in the US (the New York Department of Financial Services cybersecurity regulation), focusing on the cyber security of financial services institutions. It sets out some specific technical and process-driven cyber security requirements, including the introduction of multi-factor or risk-based authentication, ‘encryption of non-public information both in transit and at rest’, and processes to protect data handled by third parties. Then, from a personnel and business structure point of view, the regulation requires organisations to designate a Chief Information Security Officer (CISO) function, to employ well-qualified, highly specialist cyber security personnel, and to have their boards of directors actively involved in the company’s cyber security strategy, including receiving the CISO’s regular reporting on the state of the programme.
This, of course, is the point we’re most interested in here. What does it mean for a board of directors to show active involvement in the business’s approach to cyber security?
We think that it marks a broader shift away from viewing the targets of cyber attacks as pure victims of crime. Boards of directors can no longer – if they ever did – rely on a sympathetic reaction if they fall victim to cyber attacks that are viewed as common, well established, or the result of inadequate security practices. As such, senior managers need to take responsibility for educating themselves as to the broader cyber security landscape – which could, of course, mean greater collaboration with their IT and security staff.
The rapidly evolving Internet of Things (IoT) landscape introduces particular challenges here, because it is so dynamic and can alter an organisation’s security posture so rapidly, including the posture of key partners in the supply chain. It is vital for senior directors to understand the practical implications of introducing new connected devices to the corporate network, and this may require very focused lines of communication and structured, regular meetings with IT and security managers.
There are two particularly useful strategies for helping boards of directors achieve this active involvement in cyber security, and especially in IoT security. First, cyber security should be a standing item on the boardroom agenda. It should not be an add-on or afterthought any more than the financial health of the company should be. Typically, discussions would be led by the CISO, and perhaps by the new role of CIoTO, presenting current projects, the wider threat landscape, and any challenges or problems from the previous month. It is only recently that the true impact of IoT threats has become better understood. After all, IT + OT = IoT.
Second, cyber security tools and software should be chosen in part for the clarity of their dashboards and how easily they enable non-technical senior directors to get a handle on overall security posture. For managers to understand the evolving IoT security posture of their business, and the real-life implications of on-boarding a range of smart devices, they need easy access to an overview of those devices and how they interact with each other and with the rest of the network.
For further insight on how to incorporate security into the design stages of an IoT project, read our blog.
If you’re utilising PKI certificates for IoT security, or interested in knowing how to do this easily and securely, sign up for our webinar with AWS and Comodo.