The key for any new CISO or security leader is building out the plan and the basic roadmap to get going, plus providing the confidence that things will move forward. Again, a good governance structure is important for this.
I've learnt that getting the governance structure right builds support across the business to achieve the agreed goals, and the CISO is not the lone voice pushing an agenda but a collaborative individual who understands the business needs.
What's your view on the gap that Boards have around Cyber Security? Are there specific areas that they need to focus on?
The majority of Company Boards are becoming more cyber security savvy. Where a number of Boards can improve, though, is that they often list Cyber Security on the risk register as a risk, but it isn't broken down to indicate what it actually means.
They don't have to be tech savvy, but probing to understand the underlying risks and threats that make up the Cyber Security threat 'bubble' is key.
Boards should probe in three areas to begin with:
1) How is the governance structured and operating?
2) Is there an effective security awareness program in place and do people know what is expected?
3) Is incident management tested? That is, what are the gaps that can be pushed through governance to improve the capability? This forms a good feedback loop so the organisation can continually improve.
I'm interested to understand your view on Cyber Security Insurance. Is it critical or is this just a crutch?
Over the years I've done a lot of investigations regarding the need for Cyber Security Insurance, speaking to Lloyd's of London, underwriters, legal professionals and non-executive Directors. My view is that the jury is still out. The challenge is what you insure against, what the amount of the claim/impact is, what constitutes an incident (when does it stop and become a further event?) and finding an insurer that does not have a large number of 'get out' clauses that restrict a claim.
Cyber Security Insurance is simpler if it is focused on recovering costs associated with restoration of the business, for example getting a system rebuilt and forensic investigations. At the end of the day, every business has a risk decision to make regarding whether to self-insure or spread the risk through insurance. Previous businesses I've worked in have chosen to self-insure, others have taken out nominal insurance.
People have to remember that insurance will not save your business, but it may reduce the initial costs of the incident. It may, however, impose additional costs on the business to bring the environment up to a level that is acceptable to the insurer.