Best practices for communicating cybersecurity risks and efficiency
One of the most difficult challenges encountered within risk management in today’s ever-changing cybersecurity environment is the ability to communicate the risks posed to an organization effectively. Security executives expect communication to be in their own language, focusing on the financial implications regarding gain, loss, and risk, and the difficulty of translating traditional security terms and nomenclature into risk statements expected by business executives poses a serious challenge. Therefore, it is the responsibility of a cybersecurity professional to ensure that security risks are communicated to all levels of the organization using language that can be easily understood.
The communication of security metrics plays a crucial role in ensuring the effectiveness of a cybersecurity program. When disseminating information on cyber risks, several aspects of communication should be considered. For example, a security professional should be cognizant of the credibility of the information’s source, the targeted audience and how to place the risk into perspective. We firmly believe that the success of a business today is directly related to the success of its cybersecurity program. This is largely due to the fact that all organizations depend on technology. Specifically, the interconnectedness of digital technologies translates to a significant potential for damage to an organization’s operational integrity and brand credibility, if its digital assets are not meticulously safeguarded. We only need to look at the recent Equifax breach for an illustrative example of this. Considering the potential impact of cyber attacks and data breaches, organizations must improve how they communicate cybersecurity risk.
The first step to ensuring effective communication of cyber risks involves a comprehensive business impact assessment. This must consider the organization’s business goals and objectives. Business impact assessments focus on how the loss of critical data and operational integrity of core services and infrastructure will impact a business. Furthermore, it acts as a basis for evaluating business continuity and disaster recovery strategies.
The second step is the identification of key stakeholders and their responsibilities. According to experts, this step plays a significant role in being prepared to mitigate the impact of cyber risks. Stakeholders are directly affected by a breach and have the most skin in the game. Identifying stakeholders should not be a one-off exercise but must be conducted regularly. An important consideration is that the more stakeholders there are, the greater the scope for miscommunication. Failure to identify the responsible stakeholders will increase the probability that risk is miscommunicated. In the case of a breach, it means that the response will be ineffective.
The third and most critical step is the identification of Key Risk Indicators (KRIs) tied to your program’s Key Performance Indicators (KPIs). Doing this correctly will mean communicating cyber risks to executives in a way that allows them to make informed decisions. As an example, the amount or the severity of vulnerabilities on a critical system is meaningless to non-technical executives. Stating that a critical system that processes credit card data is vulnerable to data loss is more meaningful. Once business impacts have been assessed, stakeholders have been identified, and meaningful security metrics have been determined, regular communication to various stakeholders can take place.
Different stakeholders have unique needs. This must be considered when communicating KRIs and KPIs. When delivering information, we must accommodate both the stakeholders that prefer summaries and those that prefer reviewing data to make their conclusions. DFLabs’ IncMan generates customizable KPI and incident reports designed to cater to both audiences. Cybersecurity program metrics1 must also focus on costs in time and money to fulfill business needs. The ability to track these metrics is a key differentiator for DFLabs IncMan.
DFLabs’ IncMan is designed to not only provide the best in class incident orchestration and response capabilities but also provides the ability to generate customizable KPI reports that accurately reflect up-to-the-minute metrics on the health of your cybersecurity infrastructure. If your organization needs to get a true, customizable view that incorporates all stakeholders please contact us at [email protected] for a free, no-obligation demonstration of how we can truly keep your cyber incidents under control.
Back in September, 2016, the New York State Department of Financial Services proposed a set of cyber security rules aimed at improving security among financial institutions. If accepted, the proposed rules will make it mandatory for banks and other financial institutions, as well as insurance providers, to develop a cyber security plan, and appoint a CISO (Chief Information Security Officer), who would enforce that plan in case of a cyber security incident.
While the state’s intention with the proposal of these rules is to help protect financial institutions from cybercrime, with many of the affected organizations provisionally stating that they are in favor of them, there were many institutions that didn’t seem to welcome the new requirements. Smaller institutions were concerned that these requirements would become an unnecessary additional financial burden for them. However, there are solutions that could help make the implementation of these requirements more cost effective for all organizations, including the smaller providers of financial services.
Cybersecurity Programs and Policies at the Center of the Requirements
There are a few main areas encompassed in New York State’s Proposed Cybersecurity Requirements for Financial Services Companies:
● Establishment of a Cybersecurity Program
● Adoption of a Cybersecurity Policy
● Designation of a CISO, (Chief Information Security Officer)
● Third-Party Service Providers
There are some additional requirements for the cyber security programs that are supposed to include – among other things – written incident response plans for response to and recovery from cyber security events, and annual risk assessments of the integrity, confidentiality, and availability of information systems.
Incident Response Platforms
Though the proposed requirements appear to be too cumbersome, expensive, and difficult to implement for small financial institutions at first glance, there are affordable solutions on the market that can be adopted to address all the above cyber security rules. There are platforms providing an automated incident response and assist organizations in recovering from cyber security events quickly and efficiently. Incident response platforms are the most cost-effective solution that all regulated entities can adopt in order to adhere with the proposed requirements.
Such platforms are all-in-one solutions allowing for the identification of cyber risks and cyber security events, enabling recovery to normal operations, by performing automated forensics. Other capabilities include – determining the exact number of incidents that have occurred within a certain period of time and what has caused them. Additionally, there are incident response platforms capable of performing predictive analytics, allowing an organization to prioritize its response, resulting in reduced reaction time and significant financial savings.
Another important feature of an incident response platform is the ability to track digital evidence and create automated incident reports. They can be sent to an organization’s cyber security team.
Considering that every new state or federal requirement presents an additional burden for small banks and other financial services providers, these types of platforms are one of the rare solutions that will allow them to comply with those requirements without having to spend substantial amounts of money. These platforms automate the entire cybersecurity incident response and recovery process, effectively streamlining an organization’s cybersecurity plan in the most cost-effective manner.