Free cyber paper

by Mark Rowe

Cyberprotection is no longer a technical issue; it is a business issue requiring board attention, and cybersecurity needs to be approached in a holistic manner. So says a new report from the US-based IT association ISACA, titled “The Cyberresilient Enterprise: What the Board of Directors Needs to Ask”.

The paper describes the need for governance over critical cyber events to help reduce the impact of cyber incidents and restore normal business. Included are 19 key questions board members should ask to create a resilient enterprise that connects protection and recovery to the goals of the organization, and implements programs for the sustainability of essential services.

Ron Hale, Ph.D., CISM, chief knowledge officer of ISACA, said: “Today’s attacks on enterprises are persistent and advanced, and no enterprise is 100% secure. It is no longer sufficient to only focus on prevention and detection. As the paper points out, board members need to evaluate the operational risk inherent in today’s digital business and direct management to ensure that the enterprise is more than just protected—it is resilient. This guide offers key questions boards should be asking to become a resilient enterprise and continue its mission of value creation.”

According to the paper, to be cyberresilient the enterprise must understand and prioritize stakeholder needs, identify the core business processes needed to meet the mission and goals of the enterprise, and understand the potential impact a cyberevent will have on the business. Key questions boards should ask include:

Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
Is the board routinely informed about the potential material operational risk and risk mitigation strategies as well as incidents that could impact the brand?
To what extent have essential services and functions been identified and programs implemented to provide for their resilience in the event of a disruption or cyberincident?

The paper also spells out ways enterprises can maximize business continuity and sustainability by:

Responding when an incident is detected.
Having an integrated capability that connects protection with detection, response, recovery and the continuance of core services and functions.

“Incident response is crisis management,” said Hale. “Enterprises need to consider cybersecurity from this standpoint and be part of an integrated and holistic, enterprisewide approach.”

Download the free paper at www.isaca.org/cyberresilient.

© 2024 Professional Security Magazine. All rights reserved.
