Directors Need to Set the Standards and Expectations for Management to Establish Well-Staffed and Well-Funded Cyber-Risk Framework
Much like any response plan, a cybersecurity framework is only successful if it is well-staffed and well-funded. Otherwise, it simply will not be able to adequately handle the stresses caused by a breach. In a world where malware and ransomware are increasing both in frequency and severity – Wannacry, for example, affected 200,000 computers in […]
Boards Need Access to Adequate Cybersecurity Expertise – And Need to Give it Adequate Time on Meeting Agendas
Cyber literacy can be considered similar to financial literacy – not everyone on the board is an auditor, but everyone should be able to read a financial statement and understand the financial language of business. As we all know, cybersecurity is very much a moving target. The threats and vulnerabilities change almost daily, and the […]
Boards Need to Be Aware of Evolving Cyber-Legal Landscape
Boards of directors face several versions of risk from cyber breaches. Obviously, there is the risk of loss or manipulation of the data. There is also a risk of reputational loss. However, regardless of the actual data or reputational impacts boards need to be concerned about legal risks that can occur unrelated to the other […]
HHS Points The Way Forward For Improved Cybersecurity
Last month President Trump issued an Executive Order on cybersecurity that called on all federal agencies to assess their status on information security and for the leadership to take steps required to mediate threats. Last week the Department of Health and Human Services (HHS) released its Healthcare Industry Cybersecurity Task Force report, which provides a […]
Cybersecurity Principle Number 1 for Boards – It’s Not Just About “IT”
It has now become clear that cyber-risk needs oversight at the board of directors level. The problem is that most corporate boards are comprised of “digital immigrants” — people not born into the digital world they now inhabit — and therefore need to learn how to understand cyber-risk. That educational process has been undertaken by […]
Metrics? What Metrics? Finding the Missing Link to the NIST Cybersecurity Framework
The NIST Cybersecurity Framework (NIST CSF) is one of the cornerstones – and most popular features – of US government policy to strengthen our nation’s cybersecurity. The hottest topic at the recent NIST workshop aimed at updating and refining the CSF was the development of metrics. Many experts believe that for the CSF to properly […]
Reform the Defense Supply Chain to Face the Realities of Conflict in the Digital Age
For centuries, we’ve operated under the principle that nations are sovereign within their own borders, with traditional rules of war clearly stating that combatants need to be identifiable military targets. Acting on this principle, a functioning government has traditionally had to raise a force more powerful than any potential rival, either internally or externally, when […]
Why Isn’t There An Academy Awards Ceremony for Cybersecurity
Let me spare you the suspense, because we don’t deserve one. Most people who have become aware of cybersecurity in the past few years think we are talking about credit cards, passwords, and firewalls. Really? I give these rookies a pass. The real fault lies which those of us, including myself, who have been toiling […]
Seven Basic Cybersecurity Measures As Revealed By Wisdom Of The Crowd
Individual experts offer good advice, but when many people agree on practical steps necessary for better cybersecurity, their consensus carries more weight, at least so long as cybersecurity lacks outcome-based, objective metrics. Accordingly, here are the most important things small and medium-sized organizations should do, according to a survey the Internet Security Alliance did of […]
Movement in the Right Direction on Cyber Security
While the bulk of mainstream news coverage on cyber issues has been focused on macro issues such as Russian involvement in our electoral process, there have been less noted initial signs of progress on the more traditional cyber concerns such as the protection of critical infrastructure, theft of intellectual property and securing of personal data. […]
