Executive Alliance Blog 2019

Top Nine Steps for Greater Cyber Resilience

Sep 6, 2019, 1:07:16 PM / by Joe DaPaul

Highlights of the Executive Panel Discussion at the 2019 New York Fall Security Leaders Summit
 
1. Baseline your organization’s cybersecurity maturity against either the NIST Cybersecurity Framework or ISO 27001.

Both the NIST Cybersecurity Framework and ISO 27001 have emerged as globally accepted baselines that provide roadmaps for building comprehensive cyber risk management programs. By using either or both of these industry best practices to assess where their cybersecurity is strong and where it needs improvement, organizations can make more informed decisions about where to allocate limited resources for maximum security impact.

2. Develop a Cyber Risk Register and Action Plan that identifies your organization’s greatest cyber risks, informs your risk prevention, mitigation, and transfer strategies, and prioritizes your cybersecurity spending.

Every organization should create its own register of the cyber incident scenarios and cyber risks relevant to it, and determine how existing and planned cyber risk controls work to reduce their occurrence. Organizations need to take into account their industry sector, the data they hold, the cyber incidents that they and their peers have experienced, and their own cybersecurity maturity in order to model cyber risk scenarios relevant to their operations. In so doing, organizations can strike a fully aligned and cost-effective balance among the risk prevention, risk mitigation, and risk transfer strategies that together build true cyber resilience. Comparing and contrasting the likelihood and consequence information in a centralized Cyber Risk Register helps guide the development of a highly effective Action Plan and a defensible cybersecurity budget.

3. Ensure your organization’s cyber risk management activities are aligned to support your core business goals.

Effective cybersecurity can’t happen in a technical vacuum that is disconnected from overall business objectives. Organizations instead should identify their priority cyber risks by listening not only to CISOs and CIOs but also to the other key leaders who know their businesses best – the CFO, the CRO, the General Counsel, the HR lead, and additional influencers in positions of authority. By taking a cross-functional approach, organizations put their cybersecurity work into a more relatable “impact on operations” context, garner essential support across the enterprise, and increase their chances of lasting cybersecurity success.

4. Understand whether your organization’s executive leadership is setting the right cybersecurity “tone from the top”.

Human-caused cyber incidents proliferate in environments where leaders “talk the talk” about cybersecurity but don’t “walk the walk” themselves, fail to hold employees accountable for poor cyber hygiene, and neglect to set clear expectations for cybersecurity behavior. Organizations therefore should ask managers – at all levels – how they’re promoting cybersecurity across their teams and then check separately with those teams on the answers. Organizations should direct competency development, performance management, and other appropriate leadership investments to wherever disconnects between these two populations are consistently found.

5. Determine whether your cybersecurity training is effective and assess if your cybersecurity communication strategy resonates with your workforce.

As a first step, organizations should identify the subset of the workforce for whom the training is not working, so that customized content can be directed to that population specifically. Organizations should also work to understand what environmental factors – social, psychological, and otherwise – are preventing employees from gaining the cybersecurity knowledge they need. Too often, organizations run cybersecurity awareness campaigns that fail to make cyber risk management relevant to the day-to-day work of their employees. Organizations should ask themselves whether the messages they’re sending are communicated in ways that ensure that workers with different roles and responsibilities understand not only the dangers of cyber risks but also what they personally can do to prevent and/or mitigate them. Tailoring cybersecurity communications this way promotes both cybersecurity accountability among individuals and good cybersecurity behavior across the board.

6. Identify which of your employees represent your greatest source of cyber vulnerability and why.

61% of all cyber incidents are caused directly by an organization’s employees – either through negligence or through intentional malicious activity. Boards of directors have become increasingly aware of this statistic and are adjusting their cybersecurity budgets to address this human element of the risk. To do so effectively, organizations need to pinpoint which of their workers are struggling most to do the “right cyber thing”. Once they’ve identified those populations, HR leaders can pursue targeted solutions that bring them into the fold while improving the overall cyber risk culture for everyone.

7. Remove organizational obstacles that prevent your employees from being good cyber citizens.

If an organization’s cybersecurity policies, procedures, and technologies aren’t easy to apply and/or use, employees will invariably find work-arounds so they can get their jobs done. Those work-arounds, however, often open up entirely new and unforeseen cyber vulnerabilities. Organizations must strive to strike the right balance between protecting their sensitive data, systems, and other assets and enabling their employees to successfully complete their daily duties.

8. Win the war for cybersecurity talent.

In today’s job market, there simply aren’t enough talented cybersecurity professionals available to meet demand. Without them, organizations face cyber losses that are likely to be far worse than if they had the right people with the right skills on staff. Organizations should develop a clear sense of which job functions and skill sets are most critical to address their particular cyber risk circumstances – now and into the future – so they can develop the targeted recruitment and retention strategies they need for their protection.

9. Make an informed purchase of cybersecurity insurance.

Cybersecurity insurance is an essential part of any comprehensive cyber risk management program. Organizations should be smart consumers of such policies by first determining their cybersecurity gaps and then taking responsive prevention and mitigation steps that make economic sense. For the residual cyber risk that remains, customized insurance policies serve as powerful transfer mechanisms that help impacted organizations not only survive serious incidents but also thrive in their aftermath.


Topics: Leadership, Security Leaders Summit, cybersecurity, New York Fall 2019, Threats, Risk

Joe DaPaul

Head of Cyber/E&O FINEX North America

Joe is a 25-year veteran of the insurance industry, with a focus on the cyber sector for the last 16 years. He began his career underwriting and broking Management Liability and Errors & Omissions solutions, gained further expertise working with M&A Transactional Risk Products and, most recently, Cyber. He has held senior management and executive positions in underwriting, retail and wholesale brokerage, and MGA operations.

As the North American Head of Cyber/E&O, Joe is responsible for the vision, strategy, and business goals of Willis Towers Watson’s Cyber Practice. He leads the cyber business’ growth objectives and serves as a thought leader in the space.

Joe has served in leadership roles within many organizations throughout his career; he is a frequent author and speaker, and is recognized as an expert in the area of Cyber Liability. He is a fellow of the Claims and Litigation Management Alliance and served as past chair of the Claims and Litigation Management Alliance’s Cyber Committee and Professional Liability Committee. Additionally, Joe has served as an Advisor to NetDiligence, Advisen, and many other organizations and conferences within the industry.