Understanding Cybersecurity Responsibilities


Summary

Understanding cybersecurity responsibilities means recognizing that protecting digital assets is not just the job of IT teams but involves every level of an organization, from frontline employees to senior leadership. It emphasizes the importance of a unified effort to mitigate cyber risks and manage threats effectively.

  • Promote shared accountability: Encourage all employees to view cybersecurity as a collective responsibility, ensuring every team member understands their role in preventing threats like phishing and ransomware.
  • Prioritize leadership involvement: CEOs and boards of directors should take ownership of cybersecurity as a critical business risk, incorporating it into governance and decision-making processes.
  • Invest in continuous education: Provide ongoing training for employees, leaders, and board members to build cybersecurity competence and stay updated on evolving threats and regulatory requirements.
Summarized by AI based on LinkedIn member posts
  • View profile for Jen Easterly

    Leader | Speaker | Advisor | Optimist | Operating at the Nexus of Cybersecurity, AI & Innovation

    120,008 followers

    In an article last year for Foreign Affairs Magazine (https://lnkd.in/ggFTEU3z) on how to catalyze a sustainable approach to cybersecurity, Eric Goldstein & I emphasized that in every business the responsibility for cybersecurity must be elevated from the IT department to the CEO and the Board. As we noted, the trend is moving in the right direction: in a survey conducted by NACD (National Association of Corporate Directors), 79% of public company directors indicated that their Board’s understanding of cyber risk had significantly improved over the past two years. The same study, however, found that only 64% believed their Board’s understanding of cyber risk was strong enough that they could provide effective oversight. To improve those numbers, CEOs & Boards must take ownership of cyber risk as a matter of good governance. This is largely a cultural change: where cybersecurity is considered a niche IT issue, accountability will inevitably fall on the CISO; when cybersecurity is considered a core business risk, it will be owned by the CEO and Board.

    Recognizing that Board members in particular have special power to drive a culture of "Corporate Cyber Responsibility," I asked my Advisory Committee to make recommendations on how to advance such a culture. The effort, led by Dave DeWalt, highlighted several key points: Board members should be continuously educated on cyber risk, with cybersecurity considerations appropriately prioritized in every business and technology decision, and decisions to accept cyber risk scrutinized and revisited often. Boards should also ensure that the thresholds for reporting potential malicious activity to senior management are not set too high; “near misses” should be reported along with successful intrusion attempts, as much can be learned from them.

    In addition, Boards should ensure that adequate long-term security investments are available to address the safety consequences of antiquated technology, with new investments focused on technology that is #SecureByDesign. Finally, Board members should ensure that CISOs have the influence & resources necessary to make essential decisions on cybersecurity, with decisions to prioritize profits over security made both rarely and transparently. The Committee also recommended developing a Cybersecurity Academy for Board Directors & set about establishing a pilot program, which was held yesterday at the U.S. Secret Service Training Center (https://lnkd.in/eVSzP_sx). Huge thanks to my teammate Kimberly C. for her partnership, as well as the awesome Ron Green for driving this effort with Dave & Katherine Hennessey Gronberg, and the great NACD team, led by Peter Gleason. Am super grateful to the Board Directors who participated in this inaugural effort and look forward to their feedback so we can further scale the program.

  • View profile for Kayne McGladrey

    CISO in residence at Hyperproof | Improving GRC Maturity and Leading Private CISO Roundtables | Cybersecurity, GRC, Author, Speaker

    12,495 followers

    Aligning Cybersecurity Oversight: A Look at NYDFS and SEC Regulations

    Recent amendments to the New York State Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR 500, provide updated guidelines on the roles of the Chief Information Security Officer (CISO) and board responsibilities. These changes show similarities to the new SEC rules that will become effective later this year.

    CISO Role under NYDFS:
    - Definition: The CISO is responsible for overseeing, implementing, and enforcing the firm's cybersecurity program and policy.
    - Oversight: CISOs must actively manage cybersecurity risks and cannot delegate this duty entirely.

    Role of the Board under NYDFS:
    - Oversight Responsibility: The senior governing body must oversee cybersecurity risk management effectively.
    - Expertise Requirement: Board members should have adequate understanding of cybersecurity to offer oversight, with the option to consult advisors.

    Comparison with Role of the Board under SEC Rules:
    - Board Oversight: Both the SEC and NYDFS highlight the need for board oversight of cybersecurity risks.
    - Information Flow: Both regulations specify how the board or board committees should be informed about cybersecurity risks.
    - Management Roles: SEC additionally requires firms to disclose who in management is responsible for cybersecurity, and their expertise.

    How Companies Can Prepare:
    - Define Roles: Clearly outline the responsibilities of the senior governing body and the CISO, and ensure efficient interaction between the two.
    - Conduct Assessments: Carry out annual risk assessments, including evaluations of the company's mission and reputation.
    - Update Policies: Establish guidelines to keep the senior governing body informed about important cybersecurity issues, in alignment with both NYDFS and SEC regulations.

    Companies should evaluate their cybersecurity controls and governance to align with these revised guidelines, ensuring clarity in roles and procedures for continuous risk management. #cybersecurity #regulation #risk

  • View profile for Brian Burnett

    Director of Enterprise Security | CC, SOC for Cybersecurity EnCE, ACE, CCFE

    2,878 followers

    Cybersecurity: It’s Not Just an IT Role

    When people think about cybersecurity, they often imagine IT departments crowded with monitors, buzzing servers, and tech-savvy professionals fighting off hackers. While IT plays a critical role in safeguarding digital infrastructure, the reality is that cybersecurity extends far beyond the IT team. In today’s interconnected world, cybersecurity is a shared responsibility, requiring engagement from every employee, department, and even external partners. Here’s why cybersecurity isn’t just an IT role—and why everyone in your organization has a part to play.

    Cyber Threats Exploit Human Behavior
    The most sophisticated firewalls and anti-malware tools can’t protect a company if a single employee clicks on a phishing email. Cybercriminals are increasingly targeting individuals rather than systems, using tactics like social engineering, credential theft, and phishing scams to gain access.

    Cybersecurity Impacts Business Operations
    A cyberattack doesn’t just affect IT systems—it can disrupt entire business operations.

    Legal and Compliance Obligations
    Regulatory requirements like GDPR, CCPA, and HIPAA demand stringent data protection measures. While IT is responsible for implementing technical controls, compliance involves organization-wide participation.

    The Role of Leadership in Cybersecurity
    Leadership teams set the tone for a company’s cybersecurity culture. When executives prioritize cybersecurity, it sends a clear message that protecting the organization’s assets is a collective goal.

    External Partners and Third-Party Risks
    Vendors and third-party partners can be the weakest link in your cybersecurity chain. IT teams can assess technical vulnerabilities, but procurement and legal teams play a crucial role in vetting and managing vendor relationships.

    Cybersecurity is not just an IT responsibility—it’s an organizational imperative. By breaking down silos and fostering a culture of security awareness, companies can better protect themselves from evolving threats. When everyone—from the CEO to the newest intern—recognizes their role in cybersecurity, organizations can build stronger, more resilient defenses.

  • View profile for Brij kishore Pandey

    AI Architect | Strategist | Generative AI | Agentic AI

    687,545 followers

    As technology becomes the backbone of modern business, understanding cybersecurity fundamentals has shifted from a specialized skill to a critical competency for all IT professionals. Here’s an overview of the critical areas IT professionals need to master:

    Phishing Attacks
    - What it is: Deceptive emails designed to trick users into sharing sensitive information or downloading malicious files.
    - Why it matters: Phishing accounts for over 90% of cyberattacks globally.
    - How to prevent it: Implement email filtering, educate users, and enforce multi-factor authentication (MFA).

    Ransomware
    - What it is: Malware that encrypts data and demands payment for its release.
    - Why it matters: The average ransomware attack costs organizations millions in downtime and recovery.
    - How to prevent it: Regular backups, endpoint protection, and a robust incident response plan.

    Denial-of-Service (DoS) Attacks
    - What it is: Overwhelming systems with traffic to disrupt service availability.
    - Why it matters: DoS attacks can cripple mission-critical systems.
    - How to prevent it: Use load balancers, rate limiting, and cloud-based mitigation solutions.

    Man-in-the-Middle (MitM) Attacks
    - What it is: Interception and manipulation of data between two parties.
    - Why it matters: These attacks compromise data confidentiality and integrity.
    - How to prevent it: Use end-to-end encryption and secure protocols like HTTPS.

    SQL Injection
    - What it is: Exploitation of database vulnerabilities to gain unauthorized access or manipulate data.
    - Why it matters: It’s one of the most common web application vulnerabilities.
    - How to prevent it: Validate input and use parameterized queries.

    Cross-Site Scripting (XSS)
    - What it is: Injection of malicious scripts into web applications to execute on users’ browsers.
    - Why it matters: XSS compromises user sessions and data.
    - How to prevent it: Sanitize user inputs and use content security policies (CSP).

    Zero-Day Exploits
    - What it is: Attacks that exploit unknown or unpatched vulnerabilities.
    - Why it matters: These attacks are highly targeted and difficult to detect.
    - How to prevent it: Regular patching and leveraging threat intelligence tools.

    DNS Spoofing
    - What it is: Manipulating DNS records to redirect users to malicious sites.
    - Why it matters: It compromises user trust and security.
    - How to prevent it: Use DNSSEC (Domain Name System Security Extensions) and monitor DNS traffic.

    Why Mastering Cybersecurity Matters
    - Risk Mitigation: Proactive knowledge minimizes exposure to threats.
    - Organizational Resilience: Strong security measures ensure business continuity.
    - Stakeholder Trust: Protecting digital assets fosters confidence among customers and partners.

    The cybersecurity landscape evolves rapidly. Staying ahead requires regular training, and keeping pace with the latest trends and technologies.
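As an added illustration of the SQL injection advice in the post above ("validate input and use parameterized queries"), and not code from the post or its author: a string-built lookup beside its parameterized form, run against a constructed in-memory SQLite table, plus an allowlist check as a second layer. The table, usernames and the `is_valid_username` pattern are assumptions made for the demonstration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data for the demonstration, not real records.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defect: the caller's input is spliced into the SQL text, so any
    # quote characters in it change the statement's grammar rather than
    # being treated as data. This is the pattern the post warns against.
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    # Hardened form: the driver binds the value to the placeholder, so the
    # input can only ever be compared as a string, never parsed as SQL.
    sql = "SELECT email FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Assumed allowlist for usernames: lowercase letters, digits, underscore.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(username):
    # Input validation as defense in depth; it complements, and does not
    # replace, the parameterized query above.
    return USERNAME_RE.fullmatch(username) is not None


def lookup_validated(conn, username):
    if not is_valid_username(username):
        raise ValueError("username failed allowlist validation")
    return lookup_parameterized(conn, username)
```

Running the same quote-bearing input through both lookups shows the string-built version returning every row while the parameterized version returns none, which is the whole point of the advice.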
