
Proactive vs. Reactive: Boards’ Role in Cybersecurity

This article first appeared in Directors & Boards.

A comprehensive cybersecurity program focuses on more than compliance.

To truly protect their organizations, boards must use their oversight role to move the focus on cybersecurity past regulatory compliance and toward the goals of identifying threats before they happen and being able to respond quickly should an incident occur.

High-profile cyberattacks and increased consumer expectations regarding the protection of their information have resulted in corresponding cybersecurity-focused regulation across the globe. From rules proposed by the SEC to the upcoming European Cyber Resilience Act to China’s Personal Information Protection Law, legislation created to tackle cybersecurity issues is growing. But organizations that prioritize compliance ahead of threat intelligence will continue to face significant cyber risk.

An increased focus on cybersecurity and the protections an organization has, or lacks, should lead to an improvement in resilience across the board. By forcing organizations to improve their cybersecurity programs and processes in order to be compliant, the collective bar will be raised. The importance of proper protections and incident response capabilities is apparent based on the global trend toward cybersecurity legislation, but how should organizations respond to the growing regulatory demands?

Simply put, compliance does not equal protection. Organizations that build their cybersecurity programs around achieving compliance as the priority will remain at risk from cyberattacks and evolving threats. Further, threat actors are often sophisticated organizations that monitor regulatory compliance and actively prioritize vulnerabilities to their advantage. Instead, organizations should derive their cybersecurity program objectives from intelligence-driven cyber risk assessments, while still adhering to compliance requirements.

A risk-based program will ensure relevant and appropriate protections are implemented, while also allowing for compliance to be met. Focusing solely on compliance can overlook the threat side of the equation. Boards of directors are familiar with managing risk, and mitigating or transferring risk is often a high priority. Cybersecurity risk is arguably the greatest risk facing boards today, both from an operational and reputational perspective, and the threat will not be properly managed through compliance alone.

A cybersecurity program should be rooted in a commitment to strategic communication, which accounts for key concerns around internal and external correspondence. An incident response communications plan, crafted around the unique threat profile of the organization, is essential to mitigating reputational risk and will also ensure compliance disclosures are properly addressed.

Threat intelligence reduces risk and uncertainty

The National Institute of Standards and Technology defines threat intelligence as “threat information that has been aggregated, transformed, analyzed, interpreted or enriched to provide the necessary context for decision-making processes.” The value of intelligence to an organization’s board of directors is that it can reduce uncertainty, prevent strategic surprise and enable decision advantages. Applied in the cyber domain, intelligence can be utilized to predict the adversarial capabilities and intentions most likely to target a specific industry, while also providing boards leverage to enhance decision-making on the most appropriate courses of action to protect an organization’s assets.

The intelligence process is often initiated using an automated solution (e.g., machine learning) to collect data and enrich the information with indicators of compromise and behavioral tactics, techniques and procedures used by threat actors. By utilizing this process to inform cyber risk assessments, threat intelligence helps achieve a goal desired by all boards of directors: reduced risk.

Threat intelligence can be thought of as a compass. Boards of directors and organizations face an immense amount of data to react to when building a cybersecurity plan. Threat intelligence provides direction and helps prioritize decisions based on evidence, guiding organizations’ cybersecurity programs along the right path.

Intelligence-driven cyber risk management

Boards of directors are likely to be most concerned with mitigation and remediation costs, business disruption and the level of exposure that can result from a cyberattack. Achieving regulatory compliance can help lessen some of the damages in the aftermath of an incident but will not adequately address these considerations in the same manner that leveraging threat intelligence allows.

By prioritizing threat intelligence in the foundation of a cybersecurity program, threats that pose the greatest material risk are identified. Alternatively, focusing on the controls and disclosure requirements of a particular regulation can cause organizations to become too reliant on compliance and overlook the threats that pose the most likely organizational risk.

Operationalizing threat intelligence positions leadership to best determine the intentions and capabilities of threat actors targeting their networks and more appropriately assess material risk to their organizations. This allows for a more tailored defense to be established through altering the allocation of resources and changing what requires the most protection, such as critical assets or proprietary information.

Threat intelligence also helps identify who is behind a cyberattack and how they are gaining entry. This is important in keeping pace with threat actors, as it allows cybersecurity teams to ensure the most relevant gaps are prioritized in advance, potentially preventing an incident from occurring. This process can be taken a step further by building a threat profile, helping boards of directors better anticipate the risks an organization is most likely to face. Such a step allows organizations to preemptively implement defensive measures or immediately respond to an attack, lessening damages.

For example, if threat actors known to target a specific industry usually extort victims via phone calls, organizations can anticipate this threat and prepare communications ahead of time to preview this tactic. When an employee receives a suspicious phone call, they will know to be on guard and how to properly respond, as opposed to being confused or scared by the message, potentially allowing the attack to be successful.

Optimize the communications plan

Just as threat intelligence can be leveraged to strengthen cyber risk management, it can also be used to improve, or create, a crisis communications plan. Having a plan in place ahead of an incident is essential for immediate response, especially since every moment that passes without action is a benefit to the threat actor. By knowing how attacks occur, a crisis communications plan can be tailored to these threats.

Stress-testing a crisis communications plan against new risks identified through threat intelligence will better position the organization to respond effectively, both with stakeholders and regarding disclosure requirements. Relying on a crisis communications plan that focuses only on meeting compliance needs can result in costly regulatory, brand and reputational damage. Using the stress-test results, the crisis communications plan should be revised and continually updated based on new threat intelligence and the potential impacts to critical assets.

A compliance-focused approach leaves boards and organizations in a stagnant mindset, which is a losing strategy against cyber actors who regularly adapt and identify alternative ways to successfully infiltrate organizations with poor cyber risk management. This evolution has already changed how cyber actors extort victims, with threats of disclosing their attacks via public shaming websites, instant messaging tools or direct outreach to stakeholders (employees, family members or customers). This tactic can allow attackers to control the public discourse, further emphasizing the need for a proper crisis communications response plan to regain control of the narrative, something that complying with regulation alone is not going to do.

Organizations that fail to be transparent during a cybersecurity incident are often punished for not being forthcoming. The ability to communicate the organization’s understanding of an event and willingness to share information with key stakeholders as necessary is key to taking control and instilling confidence in the ability to navigate and recover.

What’s next?

Regulation is an important element of working toward improved cybersecurity across the board and should not be dismissed or discounted. Some of the low-hanging fruit that appeals to threat actors will be removed through the course of regulation compliance. However, relying on compliance alone to minimize risk and increase cybersecurity protections is not enough, especially since tactics and the threat landscape quickly evolve. Boards must keep pace by helping leadership move beyond compliance and use threat intelligence as the basis for a cyber risk management program.


The views expressed in this article are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

©2022 FTI Consulting, Inc. All rights reserved. www.fticonsulting.com
