Cybersecurity is not an area which businesses can ignore, but with budgets being squeezed, it is important to know you are getting a return on your investment. One way to ensure this is to form an oversight committee focusing on investments in cybersecurity. Raghu Nandakumara, Head of Industry Solutions at Illumio, explains how an oversight committee can help you optimise cybersecurity.
Enterprises are caught between a rock and a hard place when it comes to cybersecurity. The average global cost of a data breach increased to US$4.35 million in 2022, so we can’t afford to take cyberdefences lightly. Yet in a recession, budgets in all areas will be squeezed, including cybersecurity.
It will be more important than ever to ensure that every penny invested in cybersecurity counts. Forming an oversight committee is one effective way to ensure that investments in cybersecurity capabilities are delivering a tangible return on investment (ROI).
A specialist committee that helps set baseline expectations and holds the security function accountable can drive a move towards best-in-class security practices.
Such committees are a longstanding practice for other business areas but a relatively new approach for cyber. So, how can an oversight committee help improve your security and deliver significant ROI, and importantly, how can you start forming your own?
How oversight committees enhance cyber-resilience
Oversight committees are a common component of most organisations once they reach a certain size. Different areas, such as risk management and legal, will have subcommittees headed by various board members, other senior leaders and potentially external consultants. Each committee’s priority is to ensure that its specific business area is achieving the expected results and delivering a good return on investment for the company.
When it comes to a cybersecurity committee, the main remit is to ensure that the company’s security strategy and capabilities align with its overall business objectives. Increasingly this means delivering cyber-resilience.
Cybersecurity’s core function is to protect the value of the business by mitigating cyber-risk, but it’s also vital that it is a business enabler. The committee should be monitoring whether your cybersecurity strategy and supporting security stack are delivering maximum ROI – a good strategy should support multiple business value pillars.
A cyberattack can damage your organisation through operational downtime, data loss, regulatory fines and loss of customer trust. These in turn affect profitability and therefore decrease value for the company’s shareholders. The cybersecurity oversight committee helps ensure that all security investments and activity are directly aligned to this core objective of improving resilience to protect and enable business value.
The need for more actionable security data
When establishing a cybersecurity oversight committee, use it as an opportunity to implement a more objective, results-driven approach to security.
There is a tendency to pair security with compliance. Many firms base their strategies around complying with regulations like GDPR and frameworks like NIST. This is an attractively straightforward approach, providing a list of tools and processes to tick off. However, security is never a case of one size fits all, and these frameworks cannot cater to individual organisations’ distinctive risk profiles and infrastructures.
Often what looks good on paper will not hold up against a real threat. Meeting a self-established security standard is meaningless if the standard itself is flawed, and a risk audit may simply fail to find vulnerabilities because it is looking in the wrong places.
To drive real value from your cybersecurity programme, you must go beyond ticking boxes and look at risks unique to your operations instead. Start with the most significant dangers facing your business. What are your biggest threats? What assets are most at risk if an attacker gets into the environment? How prepared are you for this happening?
The oversight committee will want answers to all these questions. This means going through each stage, from the initial compromise to the fallout of a full-blown incident. It is important to test the security controls themselves, rather than just the configurations behind them.
Proactive measures such as red teaming exercises are valuable here. Having a team of professionals acting as a threat actor determines how effective your defences are against a skilled and determined adversary. Further, it will help to highlight any overlooked gaps and vulnerabilities.
Quantifying threat data to achieve the best ROI
Quantifiable threat data is also essential in helping your committee make the right decisions in shaping security policy. Alongside determining which assets could cause the greatest harm if they are compromised in a breach, you need to consider how threat actors will try to reach them.
Attackers look for low-cost ways of realising high-value payouts. They will always take the easy road to reach their goal. Elite, nation-state-backed threat groups with bottomless resources and elaborate plans are very much the exception. Unless you’re in one of the highest-risk sectors, you should be focusing on more commonplace threats from opportunistic criminals.
Next, assess how likely it is that any existing vulnerabilities will be exploited and how severe the impact will be in that scenario. The best approach is to establish a Cyber-risk Score (CRS) that quantifies each potential threat. NIST has an established framework here, and multiple solutions are available to assist with measurements.
For example, a software vulnerability might potentially lead to a serious incident but requires a very high skill level to discover and exploit. Or an easily exploited issue might pose a minimal risk in isolation.
This exercise will enable you to develop a risk exposure score for each scenario, which in turn will enable the impact of additional security measures to be more accurately tracked. For example, you may choose to implement more network segmentation or multi-factor authentication across core systems to strengthen your defences.
Crucially, it also becomes easier to determine which security investments will deliver the greatest ROI. Solutions that can address multiple issues will provide a bigger bang for their buck, especially if they have a proven track record of delivering results. An example is Zero Trust Segmentation which can both improve the visibility of threats within the network and help to contain and limit the impact if a breach occurs. The technology has also been found to stop ransomware four times faster than detection and response alone.
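To make the scoring described in the preceding paragraphs concrete, here is an added example (not the author’s or Illumio’s own method) that rates constructed scenarios on an assumed 1-5 likelihood and impact scale, derives a risk exposure score per scenario, and ranks two hypothetical controls (multi-factor authentication and network segmentation) by the exposure they remove per unit of cost. The scale, the scenario ratings, the control costs and their assumed effects are all illustrative assumptions.

```python
# Added illustration of scenario-based risk exposure scoring; all figures are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain) that this attack path succeeds
    impact: int      # 1 (negligible) .. 5 (severe) business impact if it does

@dataclass(frozen=True)
class Control:
    name: str
    cost: float  # assumed annual cost, arbitrary units
    likelihood_cut: dict = field(default_factory=dict)  # scenario -> likelihood points removed
    impact_cut: dict = field(default_factory=dict)      # scenario -> impact points removed

def exposure(s: Scenario) -> int:
    """Risk exposure score for one scenario: likelihood x impact (1..25)."""
    return s.likelihood * s.impact

def apply_control(s: Scenario, c: Control) -> Scenario:
    """Re-rate a scenario with the control in place; ratings never fall below 1."""
    return Scenario(s.name,
                    max(1, s.likelihood - c.likelihood_cut.get(s.name, 0)),
                    max(1, s.impact - c.impact_cut.get(s.name, 0)))

def total_exposure(scenarios, control=None) -> int:
    """Sum of exposure scores, optionally after applying one control."""
    if control is not None:
        scenarios = [apply_control(s, control) for s in scenarios]
    return sum(exposure(s) for s in scenarios)

def rank_controls(scenarios, controls):
    """Rank controls by exposure points removed per unit cost, highest first."""
    base = total_exposure(scenarios)
    rows = [(c.name, base - total_exposure(scenarios, c), c.cost) for c in controls]
    return sorted(((n, cut, cut / cost) for n, cut, cost in rows), key=lambda r: r[2], reverse=True)

# Constructed scenarios; the last two mirror the two cases described in the text.
SCENARIOS = [
    Scenario("phished-creds", likelihood=4, impact=4),          # stolen login reaches core systems
    Scenario("ransomware-lateral", likelihood=3, impact=5),     # spreads from one workstation
    Scenario("hard-to-exploit-flaw", likelihood=1, impact=5),   # serious but needs rare skill
    Scenario("easy-issue-isolated-host", likelihood=5, impact=1),  # trivial but low harm
]
CONTROLS = [
    Control("MFA on core systems", cost=20.0, likelihood_cut={"phished-creds": 3}),
    Control("network segmentation", cost=40.0,
            impact_cut={"ransomware-lateral": 3, "hard-to-exploit-flaw": 2}),
]
```

Re-running the ranking after a control is deployed, with ratings updated from red-team findings, is how the committee tracks whether the investment actually moved the score.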
With the rising cost of security incidents, cyber-resilience must be a top business priority in the year ahead. Cybersecurity oversight committees have an important role in ensuring your strategies and solutions are making a real difference to your security standing. Arming the committee with accurate and relevant data will help it to identify gaps and vulnerabilities you must address to boost your resilience.