Cyber Due Diligence: Boards Top Questions for CISOs
This is part three of a four-part series that offers guidance on proactive communication strategies for CISOs, including ways to translate key information and express your actions in executive language, so you can remain focused on the important work of responding to incidents, events and threats equally, in order to mitigate organizational impacts.
In the event of a cyberattack, your board will look to you for answers and insights. It can be a lonely position, but it doesn’t mean you’re all alone. In fact, if you can demonstrate that your plans and actions are backed by industry best practices and follow all applicable guidelines and requirements, you can put yourself in good company. Better yet, having third-party experts validate what you’ve done can go a long way to reassure stakeholders that you have covered your bases and done the work expected to protect the business.
Once the board has understood your cyber risk exposure and cyber risk mitigation, they are likely to inquire, "What cybersecurity due diligence and assurances have we conducted?"
Subtext questions to consider:
- Have we undertaken any independent validation of the work?
- Who delivered it, and what was the nature and extent of validation (e.g., threat hunting, compromise assessment, etc.)?
- If we did work internally, how did we ensure we were robust in our approach?
Cybersecurity Due Diligence: How Do We Know We Did It Right?
The key here is to provide the board and other key stakeholders assurance that there is objectivity in previously conducted analysis. This analysis should not only prove that the vulnerability or attack has been mitigated but also that the operating environment is not open to follow-up exploits that have subsequently been created in the wild.
Organizations that frequently utilize open source software and span geographic borders are under increased regulatory scrutiny (e.g., CCPA, GDPR, etc.). For these organizations, it’s recommended to engage a second set of objective eyes to confirm that risks have been mitigated and that the environment is not susceptible to a subsequent follow-up attack.
There are tools and services (e.g., breach simulation platforms, independent experts) that enable organizations to replicate exploits and validate that their environment is not open to a particular vulnerability. These tools can help provide additional assurance to the board by demonstrating extra due diligence and validating a “clean bill of health.”
Why Is It Important in Cybersecurity?
The concepts of SASE, much like the principles of Zero Trust, look to move security closer to the actual assets being protected.
SASE calls for delivering services from a single platform. It simplifies the tech stack, administration, and policies while ensuring consistency for all access. This simply can’t be achieved with an approach using several disparate products, even from the same vendor.
As companies start to adopt a SASE strategy, particularly during the current vast shift we’ve seen to a remote/hybrid workforce, many organizations are encountering a gap in understanding their workers’ day-to-day experiences. Complaints of slowness or bad connectivity have grown exponentially, leading to more need for in-depth visibility at every step along the path. This is typically referred to as digital experience management or user experience management.
Managing the Risk Assessment Data: It’s a Lot to Unpack
Being able to unpack your answers with solid data sources and insights can help you demonstrate that you've done the right things. It’s critically important but no easy feat. Think about something as simple as a compromise assessment. How do you show that you've undertaken a compromise assessment across the right scope for the enterprise? You may have to describe the way you prioritized assets, which could be based on certain criticality levels, which in turn may be based on a robust business impact analysis and data classification scheme—it’s easy to fall down a rabbit hole.
The key is to have clear ties to the decision hierarchy that you followed, so you can demonstrate due diligence and provide evidence for why you chose to embark down a certain security roadmap path. For instance, you will need to be able to show why you scoped tasks in a certain way and what work was actually completed.
Check out part four of this series, which looks at how to answer the question, “How are we going to reply to regulatory or other compliance inquiries?”
Learn more about how to talk to your board about cybersecurity due diligence by watching this video:
Get in Touch
Remember to ask for Unit 42 by name with your cyber insurance carriers if you need incident response services.
If you think you may have been impacted by the Log4j vulnerability or any other major attacks, please contact Unit 42 to connect with a team member. The Unit 42 Incident Response team is available 24/7/365. You can also take preventative steps by requesting a Proactive Assessment.