All leadership in business has a fiduciary responsibility to protect their company, its shareholders, employees and customers. Part of this responsibility includes detecting cyber-risks and mitigating those risks. To protect your organization, you must take a proactive and comprehensive approach to this quickly increasing risk.
At ISC West, a panel discussion led by PSA’s Cybersecurity Committee will address the top seven questions that end users and system integrators should make sure they have addressed to reduce the risk of cyberattacks.
Paul Boucherle, Principal/Founder of Matterhorn Consulting, will moderate the session on April 5, 2017, from 7:30-8:30 a.m.
Register here for ISC West! Choose this and other education sessions at www.iscwest.com/education.
Do the C-suites of enterprises completely understand cyber-risks?
I would say there are two main categories of C-suite perspectives: a) those that have been hacked and are painfully aware of the consequences, and therefore take these threats very seriously; and b) those that have not had a major incident and therefore may have a passing knowledge but do not make it a priority. To the larger question of complete understanding, I would say in general, no for many market segments and certainly yes for market segments that are in the technology, government, financial services and software businesses.
If a C-suite is not on board with a cyber-mitigation policy, what is a security executive to do?
Be persistent; identify the gap analysis frequently in reports to those that have the C-suite ears, and by all means build a much stronger relationship with their IT leadership peers. Two voices are better than one any day of the week. Share the impact on the operational P & L side of the business, like revenue impact, and make it three voices! Last, do some homework on the impact of a cyberattack and company stock prices. Nothing gets C-suite attention like a falling stock (option) price. Everybody pays attention to their paycheck no matter how many zeros it has.
Are penetration tests an effective way to mitigate cyber-risk?
Mitigate, no; plan for and defend against, yes. Penetration testing is a valuable tool for testing for professional bias and blind spots as well as new attack vectors. If you don’t want to honestly look deeply into the mirror, you will miss unsightly warts that should be surgically removed. The skill level and experience of penetration testing should be carefully vetted before you select the right supplier to help. This should be done by a third party to, again, avoid bias blindness.
How can manufacturers help an enterprise with cyber-risk mitigation?
Build good hardware, firmware and software through excellent engineering. Shortcuts in engineering disciplines to focus instead on market growth through pricing advantages are a fool’s errand. Being the weak link in an attack will have an immeasurable impact on brand and reputation. Ensure your hardware eliminates common shortcuts in system implementation, such as forced password changes, etc.
What’s the number one takeaway that attendees of this session will leave with?
That we have an extraordinarily talented and experienced panel that will share so much more that I simply do not want to steal their thunder. So come to our session; I assure you that takeaways will be new perspectives and questions they should be asking themselves!