What Does the Board Need to Know? Business Metrics that CISOs Should Share – First in a Four-Part Series

Jane-Michele Clark
Director of Business Strategy
Cybersecurity Strategy
Estimated reading time: 5 min

December 20, 2023

July 14, 2025

It’s that time of year again – no, not time to break out the eggnog for the last-week celebrations before you break for the holidays. It’s “break out in a sweat” time, as you plan what to present to the Board for the perennial beginning-of-the-year “Let’s Take Stock” session.

Number One on Business Leaders’ Minds When It Comes to IT: Security. Our own research, as well as all studies consulted for this article, shows that executives responsible for the bottom line, which means also being responsible for the company/brand reputation, do not want or need to know all network-related details.

Why is that?

20 years ago, around the time most of your board members likely started their careers (perhaps longer, for some), most of them worked in an environment where there was a data centre, to which branch offices and remote workers (though there were far fewer as a percentage of employees and other stakeholders) connected through a VPN – and there was the Internet, though it was used for far fewer business functions than is the case today. Non-IT people then typically learned only as much as they needed to in order to perform their jobs.

Fast forward to today. You’ll be briefing the board about 2024’s far more complex business environment. You’re not only dealing with data centres, remote and hybrid workers (in greater numbers and percentages, too), branch offices and the Internet, but have added SaaS, application programming interfaces (APIs), more use of container technologies and quantum computing, public, private and multi-cloud, IoT and IoT Cloud, not to mention how AI and ML will impact the organisation.

It’s a lot for your team to manage. It’s almost insurmountable for most people without a tech background to keep a handle on all this.

What Board Members Want to Know

Instead of all the nitty-gritty details, senior executives and board members need to know that their main concerns have been addressed. Specifically, they want to know:

  • Will we be able to keep our business running if attacked? In other words, is our mission-critical infrastructure well-protected? Are there redundancies in place, just in case?
  • Will we be able to safeguard our proprietary intellectual property, client lists
  • Are we doing everything we can/enough to protect all personal data in our safekeeping?
  • Are we fully compliant with all cyber-insurance requirements, so that we are fully-protected if we are breached?
  • Will our IT support our business strategies and growth moving forward?

Unfortunately, the first five items on the list relate to protecting the corporate reputation – which is needed, of course, for the business to grow. Three years ago, what is now #6 was #1.

So, what do you need to tell board members so they sleep at night, and you can, too?

What Board Members NEED to Know

Obviously, you must address the above items, but CISOs also have an obligation to share other details, too.

The top 10 Categories:

  1. Expanding Digital Footprints Increase Vulnerability
  2. Data and Data Lake Segmentation
  3. People, Phishing and Policies
  4. Stakeholder Security, including digital supply chain security and third-party risk management
  5. Incident Detection and Response + Testing Protocols and Practices
  6. Infrastructure – State of Current Architecture and Equipment + Future Needs Assessment
  7. New Technologies, including Enterprise-Wide and Department-Level Applications as well as use of IoT, ML and AI
  8. Investment Levels and Efficacy + Regulatory Compliance and Insurance Coverage
  9. Vendors and Portfolio Management
  10. Financial Asset Risks + ROI and Losses

In our first installment, we’ll discuss the first two.

  1. Larger Digital Footprint Makes Firms More Vulnerable

It’s a double-edged sword. As companies expand, move more applications to the cloud while simultaneously using more cloud-based apps, and pursue their overall digital strategies, productivity increases. Unfortunately, as you know, so does the attack surface.

Fewer people understand that if a virus does worm its way in (pun intended – sorry), it can spread at warp speed if proper access protocols and zero trust aren’t adopted, and that the damage will impact the entire organisation, and the bottom line.

This is the first item on our list because, unfortunately, despite all the scary headlines, some firms are becoming increasingly complacent. They have heard the phrase, “It’s not a matter of if, but when” so many times, that they have started to ignore the warning. It is a little like smokers disregarding health warnings on cigarette packages.

  2. Data and Data Lake Segmentation

Data Lakes?

Most executives will be familiar with centralized data warehouses, or simple databases. A data lake, however, can store, secure and process all kinds of data, including unstructured and semi-structured data such as photos, graphic images, audio and video. Machine learning, advanced analytics and, to a certain degree, AI all need a data lake.

Whether using a simple database or a data lake, board reassurance will be enhanced if you communicate that you are tracking:

  • What percentage of data is encrypted, and whether your encryption programs meet your most current insurance standards – not to mention industry ones, too, of course.
  • What percentage of data is centralized, and how you monitor/control data that is in use, or being used by satellite offices and remote stakeholders.

It is also important to provide details on…

  • What data is being backed up, for how long and why, along with the attendant costs.
  • Back-up frequencies, methods and redundancies.
  • How long it will take for data recovery and restoration in the event of a malicious or internal breach.
  • What happens to data collection if operations are able to carry on while the network is down – and how that gets incorporated later on.
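As an added illustration (not from the original article), the following Python script derives the board-level figures listed above from a constructed data-store inventory: share of data encrypted and centralized, backup coverage, and which stores fall outside assumed backup-interval and restore-time thresholds. Field names, thresholds and the inventory itself are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataStore:
    name: str
    size_gb: float
    encrypted: bool
    centralized: bool                 # held in the data centre / data lake, not a satellite office
    backed_up: bool
    backup_interval_h: Optional[float]  # hours between backups (None if never backed up)
    restore_hours: Optional[float]      # tested time to restore (None if never tested)


# Constructed sample inventory for the example; not real systems.
INVENTORY = [
    DataStore("customer_db", 800, True, True, True, 24, 4),
    DataStore("data_lake", 5000, True, True, True, 24, 12),
    DataStore("branch_fileshare", 200, False, False, True, 168, 48),
    DataStore("field_laptops", 50, False, False, False, None, None),
]


def board_metrics(stores, max_backup_interval_h=24.0, max_restore_h=24.0):
    """Summarise an inventory into the figures a board asks about.

    The interval/restore thresholds are hypothetical stand-ins for whatever
    the organisation's insurance policy or industry standard requires.
    """
    total_gb = sum(s.size_gb for s in stores)
    share = lambda pred: round(100 * sum(s.size_gb for s in stores if pred(s)) / total_gb, 1)

    # A store is a backup gap if it is not backed up at all, or if its backup
    # interval or tested restore time exceeds the policy threshold.
    gaps = [
        s.name for s in stores
        if not s.backed_up
        or s.backup_interval_h > max_backup_interval_h
        or s.restore_hours > max_restore_h
    ]
    return {
        "pct_encrypted": share(lambda s: s.encrypted),
        "pct_centralized": share(lambda s: s.centralized),
        "pct_backed_up": share(lambda s: s.backed_up),
        "unencrypted_stores": [s.name for s in stores if not s.encrypted],
        "backup_gaps": gaps,
        # Worst tested restore time across backed-up stores: the recovery figure to report.
        "worst_restore_h": max(s.restore_hours for s in stores if s.backed_up),
    }


if __name__ == "__main__":
    for key, value in board_metrics(INVENTORY).items():
        print(f"{key}: {value}")
```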

Please check back with us in late January, for the next installment. In the meantime, we wish you happy holidays – ones that are cyber incident free!
