Leaders from the SEC, Cyber Threat Alliance, and National Association of Corporate Directors recently joined with SecurityScorecard to share their insights on the state of cybersecurity risk management today.
Earlier this month, the New York Department of Financial Services (NY DFS) announced efforts to modernize their supervision process, with the creation of the Cybersecurity and Information Technology Baseline Risk Questionnaire (CIBRQ). In addition, as part of the modernization effort, NY DFS is leveragingSecurityScorecard’s cybersecurity and analysis (based on publicly available data and open-source information) to provide a systematic approach to assessing the strength of the cybersecurity programs of nearly 3,000 regulated entities.
NY DFS is not the only oversight or advisory body digging deep into the questions of modernizing an approach to cyber risk.
Recently, SecurityScorecard’s Chief Business and Legal Officer, Sachin Bansal, Kristy Littman, Chief of the Crypto Assets and Cyber Unit at the United States Securities and Exchange Commission (SEC), Michael Daniel, President and CEO of the Cyber Threat Alliance (CTA), and Friso van der Oord, Senior Vice President of Content for the National Association of Corporate Directors (NACD) came together to talk about the rapidly evolving cybersecurity landscape and what businesses, boards and agencies all need to be looking to in order to secure the future.
Protecting Investors and Funds
Cybersecurity is a priority for the SEC and other related agencies because their job is to protect investors and funds. Poor security posture puts more than just operations at risk, it transfers risk to those who have trusted, invested in, and supported a company.
NACD echoed this, and emphasized the role that Boards of Directors play in the cybersecurity equation. Boards are now seen as having responsibilities across a variety of topics facing companies today–climate, diversity, cybersecurity, and more. Today’s boards receive intense scrutiny and are expected to drive accountability across the entire organization.
This means that cybersecurity is no longer an issue just for IT departments, but involves the entire board. It touches many areas of oversight beyond the day-to-day course of business, including: strategic planning, capital acquisition, and mergers and acquisitions, to name a few. It is not just a factor of risk, but can be an important driver for brand health–because negative cybersecurity headlines can surely damage a company’s reputation with employees, investors, and the general public.
A board must ensure that CISOs are truly independent, well-funded, and have established proper reporting mechanisms. They must know with certainty that they have created accountability across the full organization without turning governance into a mere check-the-box exercise.
What is the Baseline?
But from SecurityScorecard’s viewpoint, there is no standard of care for cybersecurity governance. For financial health, the bottom line is the balance sheet. The same type of standard baseline is not yet ubiquitous for cybersecurity.
There is a need for controls which are adaptive to the context of both the situation and the needs of the enterprise, according to the NACD. The cyber threat landscape is a dynamic environment and threat actors are constantly evolving their tactics, tools, and procedures.
A drawback to the current approach to cybersecurity is that it is heavily reliant on historical data and largely is derived from a snapshot in time. Today’s governance and approach is largely not forward-looking, adaptive, or updated in real time.
Organizations must stop treating cybersecurity as a problem to be solved with one more piece of technology and an IT staff, said the Cyber Threat Alliance. Today’s emphasis is on technology, not process, but that simply isn’t good enough any longer.
A challenge to modernizing the approach to today’s cyber challenges is that organizations do not know the denominator–there is no quantification of how many cybersecurity incidents are occurring.
But government directives, like the “Shields Up” initiative from the U.S. Cybersecurity and Infrastructure Agency (CISA), are beginning to pull back the curtain on the landscape and help assign metrics that organizations and boards can build upon. The important thing, all panel members agreed, is that any such exercises must help companies evaluate cybersecurity risk and outcomes. The time for check-the-box exercises is in the past.
Cybersecurity is Everyone’s Risk
As Michael Daniel from the Cyber Threat Alliance pointed out, in the past, it was one thing if a spreadsheet was corrupted or hacked. With the global increase in IoT and how that interconnects so many things, it is now quite another thing if electric grids go down or a car manufacturer’s systems are breached, causing vehicles to crash.
More than a decade since Dodd-Frank, the NACD believes cybersecurity is now everyone’s risk. Companies must ensure that employees understand what’s at stake and they need to know how to act. Cybersecurity is no longer limited to technology and IT controls–corporations must integrate it into their culture, and boards must ensure accountability at all levels.
Is the Future of Cybersecurity Bright? Yes.
All four panelists concluded the chat with optimism about the future. From her perspective at the SEC, Kristy Littman closed the session by encouraging organizations to re-examine their plans and to be completely sure they are following them. Regulators, boards, leaders, and employees all have a role to play as cybersecurity moves from a formulaic exercise to an active assessment of risk intelligence.
How Can SecurityScorecard Help Secure Your Cyber Future?
Much like NY-DFS and other regulators and related supervisory agencies, organizations can begin their risk intelligence journey today with SecurityScorecard. Security Scorecard is currently rating more than 12 million entities globally, and uses non-intrusive proprietary methods to monitor against 10 risk categories (such as network security, application security, patching cadence, and more) to instantly deliver an easy-to-understand “A” through “F” rating. On a daily basis, these ratings are updated based on objective, publicly available data that, similar to credit ratings, provides an “outside-in” view of an entity’s security posture.
SecurityScorecard believes in making the world a safer place by transforming the way organizations understand, improve, and communicate cybersecurity risk to their boards, employees, and vendors. All organizations are encouraged to receive their free SecurityScorecard rating by visiting Instant SecurityScorecard, which is also a CISA free tool (specifically a tool listed under its “Reducing the Likelihood of a Damaging Cyber Incident”). And to find out more about how DFS and SecurityScorecard work together, review our earlier blog recap.
For more information about SecurityScorecard, visit securityscorecard.com or connect with us on LinkedIn.