Understanding security posture and cyber resilience is now critical for boards of directors
The Cybersecurity Landscape for Companies
The global pandemic, a war in Ukraine, a banking crisis and high inflation have made this a tough time for companies all over the world. Boards of directors are charged with guiding their organizations through these difficulties. Decisions the board makes can mean the difference between the company failing and thriving. And to make the board’s job even more challenging, today they have to deal with increasing cybercrime.
In 2022 global cyberattacks increased 38% over the previous year. In the same period 18,828 exploitable vulnerabilities were published and the average large enterprise attack surface expanded to 8,500 IPs. The average cost of a data breach in 2022 was $4.35 million worldwide. In the US it was almost double at $9.44 million. And that’s only the monetary cost. Data breaches can also have substantial effects on company reputation and trustworthiness.
Because of this rise in cyberattacks, most boards believe that it’s only a matter of time before they experience a cyberattack.
Boards and Cybersecurity
Cybersecurity is a tech-heavy topic most board members are new to or uncomfortable with. This is understandable, and the good news for board members is you don’t have to become a cybersecurity expert to know where your company stands in the race against attackers.
CISOs and their security teams typically focus on prevention – how to protect the company’s assets and make it more resistant to a cyberattack. Protection, however, is only one component of a comprehensive cybersecurity process.
The goal is to have minimal, or even zero, disruption from a cyber breach. Instead of focusing only on protection, companies should focus on resilience and plans for recovery and business continuation. This more holistic approach to cybersecurity falls directly under the board’s responsibilities as part of their fiduciary and oversight role.
The Securities and Exchange Commission (SEC) recognizes the board’s cybersecurity role and is developing regulations that will require companies to disclose their cybersecurity governance capabilities, including the board’s cybersecurity oversight regarding:
– Who on the board is responsible for oversight of cyber risks,
– How the board is informed about cyber risks, and
– Whether and how the board considers cyber risks in its business strategy.
What’s a Board To Do?
Today’s board of directors must recognize that it has an obligation to make its company cyber resilient by prioritizing cyber safety, or risk being held liable in the event of a cyberattack. This translates to overseeing cybersecurity policies that encompass protection, recovery and business continuation.
Synack offers adversarial security testing that reveals security posture: What’s causing the same categories of exploitable vulnerabilities to keep cropping up in your environment? Which parts of your security program need extra attention to thwart real human attackers? Where can you most effectively spend on security in an era of tightening budgets?
A Modern View of Cybersecurity for Boards
To provide effective oversight regarding cybersecurity resiliency, boards need to implement and oversee a holistic strategy. If the existing cybersecurity culture is a check-the-box, compliance-based approach, the board should direct the company to a more holistic and risk-based approach.
A holistic approach encompasses the company’s entire attack surface, including not only all of the company’s assets, but also cloud service providers and any other third parties that could introduce vulnerabilities. Security teams should consider the risk level and valuation of each asset and attack point to determine which pentesting methodology is needed to 1) protect them and 2) truly understand the company’s security posture.
Boards must also direct security teams to deploy a program that aligns cybersecurity with business objectives, including operations and processes that impact business continuity. If a company invests only in cyber protection, it is not managing the risk associated with recovering after a cyberattack. In addition to remediating exploitable vulnerabilities, security teams need to identify and examine the root cause of any issue or problem discovered to ensure that it is addressed completely.
Third-Party Penetration Testing as Part of a Holistic Cybersecurity Program
Penetration testing performed by a third party can help a board understand where the company stands regarding its cyber posture.
Synack testing can be an important tool for boards to deploy in a holistic cybersecurity program. The Synack platform offers a full range of penetration testing from point-in-time testing for assets that carry lower risk through continuous penetration testing for more valuable assets. The platform also provides tools to help confirm that identified problems are fixed or remediated properly and completely.