Everyone can relate to being on a long road trip and wondering, "Are we there yet?" In fact, I am quite sure that many of us feel this way about the journey towards a strong cybersecurity program. The FFIEC has stressed, and continues to stress, the importance of a top-down approach to cybersecurity risk management, meaning executiv
es and board members are not only involved in the cybersecurity program, they are responsible for it. Below are four questions that board members and executives should consider.
What cybersecurity-related information is making it to the top?
The financial industry has been providing cybersecurity-related information via GLBA information security reports to the board for a long time, but is the information adequate or presented in a meaningful way? Have a discussion to determine the top cybersecurity threats to your organization. Once defined, evaluate previous meetings and determine if adequate consideration and time were dedicated to discussing and developing mitigation strategies for these threats. Walking through this exercise is a quick way to discover potential holes in the cybersecurity information that is being presented at the meetings.
Does our existing cybersecurity program expand outside of the IT department?
Technology provides a good deal of protection to cybersecurity-related threats. However, it is not foolproof. Every employee in an organization needs to be aware of his or her personal responsibilities to protecting sensitive information. Security awareness training is great, but not nearly as effective as providing employees a sense of ownership in the cybersecurity program. Work to create an organization-wide culture of active involvement in the security program. Encourage employees to ask questions, point out security weaknesses and to provide ideas on how to strengthen the overall security program.
Are our security testing processes adequate?
Relying solely on external annual security testing is not an adequate strategy. When critical security vulnerabilities, specifically ones that are easy to exploit, are revealed, security testing needs to be performed to determine which, if any, systems in your organization are affected. While it isn't feasible to discuss every critical security vulnerability, board members and executives should generally understand the security testing framework.
Is there an adequate response plan in place if a cybersecurity incident were to happen?
The FFIEC Cybersecurity Assessment General Observations suggests two questions that should be considered regarding incident response plans. First, in the event of a cybersecurity incident, how will your institution respond internally, to your customers, third parties (vendors), regulators and law enforcement? Has a plan been developed and formally approved that defines what responses are required when specific events occur? Secondly, is the cybersecurity response plan incorporated in the existing business continuity and disaster recovery plan and have the plans been adequately tested recently?
Since the cybersecurity threat landscape is constantly changing and evolving, perhaps asking "Are we on the right track?" might be more appropriate than "Are we there yet?"