Board preparedness: 7 steps to combat cybersecurity threats

In the face of security breaches, organization board members must urgently tackle real-world cyber threats. These seven steps offer crucial preparedness for companies.

It's all too common to hear of a security breach in the news. Cybercriminals are attacking and looking for ways to access sensitive data, and they can be relentless.

As companies prepare to keep their information safe, there is always the question of whether they are doing enough. In November 2023, the SEC charged SolarWinds and CISO Timothy Brown for hiding known cybersecurity risks and security failings leading up to the SolarWinds supply chain attack. In 2020, SolarWinds was compromised through an Orion software update containing malicious code named Sunburst. This attack was one of the biggest security breaches in the 21st century.

To help companies prepare for cyber threats, Cybersecurity: Seven Steps for Boards of Directors is a comprehensive guide written by a team with a deep understanding of cybersecurity, aiming to help board members navigate the complexities of the security world.

"The scope, sophistication and strategy of cyberattackers evolve more rapidly than many organizations' defense capabilities," authors Andy Brown and Helmuth Ludwig wrote, showing just how crucial security measures are for a company.

Brown and Ludwig have years of experience on both sides, with expertise in cybersecurity protection and experience on several boards of large companies. They discuss how a company's top leadership can take the right steps for its security, in seven crucial steps.

Editor's note: This Q&A has been edited for length and clarity.

What is the premise of your book?


Helmuth Ludwig: This book is for board members by board members. Cybersecurity is becoming mission critical for more companies. It means companies are enhancing not only their internal processes but also the development of digital transformation, augmenting traditional physical products with software enhancements and incorporating data analytics to optimize these products.

Companies are also improving their internal backbones to harmonize their systems by going more into software as a service, such as offerings from Salesforce, Microsoft or Workday. Not everything runs on the company's premises, and these systems are outside the direct control of the company. Data streams and managing this data become more important, making IT mission-critical with cybersecurity.

This book is written by a team that deeply understands cybersecurity. We have a background in discussing critical IT components in the boardroom and can help translate the 'gibberish of the language' so board members can understand, which is one of the most critical elements. Even with specialists on the board, the whole board needs to be able to translate complex cyber situations into real-life business situations. I feel our book shines in this area to give everyone a true understanding of how to address critical elements of cybersecurity for the safety of the organization.

Why is cybersecurity important to the board of directors?

Helmuth Ludwig, professor of practice for strategy and entrepreneurship, Southern Methodist University

Ludwig: The board of directors has an oversight role, but they are not in the daily business, and they're not the executives. The CEO and leadership team are the executives, and the people inside the company manage the business. This oversight role includes certain fiduciary duties, which include having the right processes in place and being aware of any red flags.

The board needs to know that the company is on the right track and is prepared for any cybersecurity red flags. They need to know how management will handle these red flags.

Talk about your seven steps for corporate boards to manage cyber risks.

Andy Brown, CEO, Sand Hill East

Andy Brown: The first step is called get on board, which means engaging with the board to understand technical capabilities and processes within the business. The board needs to know what the process is for any security problem, such as a data breach. Questions should be addressed, including, "When does the board find out?" and "How do they get involved?" There needs to be a connectedness between the board and organization to set accountabilities, such as meeting with the CIO or establishing a risk committee.

The organization also needs to be aware of the full breadth of its risk exposure, and the executives and board should have a dialogue on this set of risks. These risks can include physical security, the internal framework and external vendors.

Step 2: prioritize. Prioritizing is about understanding. Companies need to determine critical assets and how to protect them. The company needs to determine the number of exposure points and how they can reduce the risk surface area through prioritization.

Step 3: assess. This step determines a company's susceptibility to being breached. It also determines the cyber readiness and maturity level for risk programs. The assessment couples cyber risk assessment with financial impact analysis.

Step 4: understand the technology. This step involves understanding issues with legacy architecture and out-of-date servers. This also includes evaluating desktops that need to be patched. This step determines if any assets can no longer be protected due to vulnerabilities.

There are several techniques from an architectural perspective. One model is called castle and moat. This means as soon as a company lets the drawbridge down to let someone in, there could be a bad actor entering the building, which can happen physically or through the network. This is why it's important to understand any gaps in legacy applications and architecture. The same notion applies to connecting users to applications versus a network, which gives them access to the entire castle.

Step 5: address nontechnology factors. This step applies to culture and mindset. Companies need to have a change program or communication explaining what is expected of employees. Discuss security issues. Educate employees about the importance of changing passwords, identifying a phishing attack or setting limits on what sensitive information they can share, such as personally identifiable information or usernames.

Attackers will find a way to sound like someone who can be trusted and expose a company through one interaction.

Step 6: overcome obstacles. Most boards do not have cyber expertise, but they need some way to have someone with cyber knowledge on the board. Boards have brought in third-party experts as advisers.

Step 7: measure and repeat. Now it's time to reassess and go back to see how security programs are performing and if all gaps have been filled. Cybercrimes change, so organizations can never be complacent.


Amanda Hetler is a senior editor and writer for WhatIs, where she writes technology explainer articles and works with freelancers.
