Cyber Future Foundation

Chapter 3
Charting the Board's Course of Action in a Cyber Crisis

Chapter Overview

The chapter “Charting the Board’s Course of Action in a Cyber Crisis” covers key aspects like informing the board about cyber incidents, handling scenarios such as cyberattacks and ransomware payouts, the board’s role, asking pertinent questions, delegation, assessing strategic implications, post-incident assessment, learning from incidents, and establishing resilient strategies. It emphasizes effective decision-making, response, analysis, and long-term cybersecurity planning.


To address one of the major challenges in today’s business world – cyber resilience – we saw that it is critical to implement and maintain a regular channel of communication between management, cybersecurity leadership and the Board, especially the specific committees that have formal oversight over cyber risk alongside other risk areas. Establishing a direct connection between the CISO and the Board, and ensuring that each has direct access to the other, is paramount to the practice of cyber risk reduction.


We also saw through our discussions how the Board is best informed through clear, concise documentation and reporting that covers the threat landscape of the previous quarter, updates and initiatives, and cybersecurity recommendations. Training and education, both internal and industry-wide, help the Board become cyber aware and enable them to advise on appropriate issues and incidents, applying the knowledge gained from such training in the context of the organization’s business.


But when is a good time to inform the Board? What is the framework to follow to get the best value out of cyber board engagement? And once informed, how can the Board act?

Cyber Incidents: When to Inform the Board?

In the previous chapter, we discussed how to keep the Board informed and updated about cyber program operations on a regular basis – through full board update cadence based on board meetings, and regular cybersecurity committee meeting updates. In this chapter, we treat a focused scenario of informing the Board related to incident response and work our way into actions the board can take with such information at hand.


To uphold transparency and accountability, the Board must be kept informed about significant cyber incidents that have the potential to impact the company. Assessing the criticality of the breach in order to inform the Board is a task for the CISO and their team. Does the breach have significant impact on the organization? Does it require the intervention of the Board? Or can it be contained and resolved by the CISO and the team?


The best way to assess the criticality of the breach is to conduct ‘The New York Times Headline Test.’ It is a rather simple test that involves asking a rather simple question.


“Is the breach critical enough to become a headline in The New York Times?”


For example, if the financial or personal data of thousands of corporate customers has been breached, it is a headline-worthy incident. On the other hand, if the personal information of a few individuals has been exposed, not so much. It is a risk-based decision, so a model for making it should be agreed upon in advance and practiced through tabletop exercises. The impact of a breach will be different for each organization and for each industry, but The New York Times Headline Test will act as a great starting point for organizations to make an accurate assessment. Among the many that may arise, there are three particular scenarios where informing the Board will play a critical role in strengthening the organization’s cybersecurity program management and incident response through informed decision making.

Scenario 1: When a Cyberattack/Incident Occurs

Prompt and accurate communication to the Board in the event of a cybersecurity incident will empower them to analyze the threat, measure its organizational impact, and devise the steps to remediate the incident. This timely communication should be in the form of a well-structured incident report that includes:

1. A concise overview of the incident, the affected assets and the immediate response followed.

2. An assessment of the impact including potential consequences on the organization’s operations, financial health, brand reputation, and customer trust.

3. An analysis of the effectiveness of the incident response efforts.

4. An action plan outlining future steps recommended to mitigate further damage.

Scenario 2: When a Ransomware Payout is Unavoidable

With ransomware attacks becoming more prevalent and sophisticated, more and more organizations are being exposed to a ransom situation. The general guidance from law enforcement as well as from experts is not to pay the ransom. However, there may be cases where it is not possible for an organization to avoid the situation and otherwise regain control of critical data and applications. When a ransomware payout becomes unavoidable, it is essential to inform the Board without any delay. This communication should include:

1. A clear explanation of the particular ransomware and the extent of its impact on the organization.

2. The rationale behind the need to make the ransomware payout, justifying and highlighting the potential risks of not doing so.

3. A step-by-step process of mitigation strategies to prevent further ransomware attacks.

Scenario 3: When a Public Disclosure Must be Made About the Breach

Publicly disclosing a cybersecurity breach and its impact on the organization is an extremely sensitive issue. It has the potential to significantly affect the organization’s reputation and the trust of customers, investors, and other stakeholders. However, there will be unavoidable circumstances when such a public disclosure becomes absolutely necessary. It might be because of legal necessity or when customer data is the subject of the attack.

When informing the Board about the need for a public disclosure of a data breach, the communication must include:

1. The legal and regulatory implications on the organization while making the disclosure.

2. A strategic communication plan to inform various stakeholders about the breach.

3. A comprehensive plan to address the breach and implement a post-breach action plan.

How Does the Board Act?

Asking Relevant Questions

Cybersecurity discussions among the Board of Directors have to focus on understanding the organization’s risk exposure, existing security measures, and potential vulnerabilities. As we discussed in a previous chapter, the cybersecurity committee and experts can rely on visual aids, data-driven insights, and real-world examples to help the Board grasp the implications of the threat, the risk the organization is exposed to, and the strategic measures the team is suggesting.

And to make these informed decisions, the Board must ask relevant questions to the CISO and the cybersecurity team to gain a comprehensive understanding of the situation. This will help the Board fulfil their primary responsibility – providing valuable guidance.

Delegating Issue Resolution

While the Board plays a pivotal role in providing feedback to the management’s strategy for mitigating cybersecurity issues and brainstorming remediation, it is important to understand that their role is not to fix these issues directly. Instead, their expertise and their duty lie in ensuring that the organization is adequately structured to handle cybersecurity challenges effectively. This involves ensuring resource allocation – financial, infrastructural, and talent – as well as empowering the CISO and the cybersecurity committee with adequate authority for issue resolution.


The Board must hold itself responsible for evaluating the cybersecurity competencies of the committee and its extended members, and the strength of the workforce dedicated to cybersecurity issues.

Assessing the Implications of Strategic Decisions

The Board plays a key role in aligning cybersecurity with the organization’s overall strategic direction. Any strategic guidance the Board gives must be evaluated for its financial, legal, and business implications. This involves evaluating how each decision affects the organization’s security posture, data protection, and cyber threat resilience.

At the risk of repetition, let us reiterate that integrating cybersecurity into the strategic decision-making process will help the Board ensure that the organization’s future is safeguarded against potential threats.

The Post Incident Scene

In the aftermath of a breach, it is crucial for the Board of Directors to play a proactive role in addressing the incident, learning from it, and fortifying the organization’s security posture to prevent future threats.

Conducting a post-incident review is imperative once the breach has been contained. Making post-incident reviews a standing procedure will help enhance the organization’s cyber resilience, since dealing with cyber threats on a case-by-case basis is no longer adequate. A post-incident review analyzes the root causes of the breach and the vulnerabilities in the organization’s security infrastructure. This will help the Board gather insights into what went wrong and why, enabling them to record their security weaknesses and learn from them.

Analyzing the Incident

As simple as it may seem, the following questions will help analyze the cybersecurity breach and its mitigating measures:

1. How did the incident occur?

2. What were the vulnerabilities in the organization’s existing infrastructure that the incident exploited?

3. Which critical data and systems did the incident compromise or contaminate?

4. How effective were the organization’s containment and mitigation measures in containing the incident and lessening its impact?

5. What improvements can be made in the organization’s cybersecurity strategies to ensure that such incidents do not occur in the future?

Identifying the Lessons Learned

The answers to the above questions will lead to a comprehensive understanding of the root causes of the breach and the lessons learned from it. This analysis will shed light on technical shortcomings in the organization’s infrastructure, such as firewall configurations or intrusion detection systems.

The Board will also gain insights on requirements from a human resource perspective, like enhancing cybersecurity training for employees, establishing cybersecurity best practices, and promoting a strong security culture throughout the organization.

The Board’s involvement in identifying the lessons learned plays a vital role in ensuring that these lessons are implemented at an organizational level, so that the shortcomings which would otherwise contribute to further security breaches are detected and eliminated.

Establishing Resilient Strategies

The lessons learned in post-incident reviews will enable the Board to work in collaboration with the cybersecurity committee and the CXOs to make the necessary revisions to existing security policies. While the implementation details are decided by management, the Board should periodically check the status of the foundational policies. The policies and processes designed specifically to strengthen the organization’s security infrastructure can include many measures, at both a micro and a macro level:

1. Implementing strong access controls for every employee across the organization, such as 2FA or MFA.

2. Setting up privileged access and role-based access where applicable.

3. Regularly updating systems and software to address potential vulnerabilities.

4. Conducting periodic cybersecurity awareness training on an organization level.

5. Conducting educational sessions every quarter on a different aspect of cybersecurity for the Board members and the CXOs.

6. Establishing an incident response plan with clearly defined roles and responsibilities.


In today’s unfortunate reality of more frequent and more powerful cybersecurity threats, strong communication and collaboration between the Board, the CXOs, and the cybersecurity committee is a crucial success factor in the organization’s cyber defense policies. In the aftermath of a breach, how the Board is informed and how the Board acts will determine how well the organization is able to withstand future breaches. The company’s post-incident behavior will set the foundation for a more secure and resilient future that safeguards its assets and its reputation.
