How to implement industrial security as a CEO
For many executives and board members, cyber security is a new area of risk management. Here are some suggestions for chief executives on how to communicate effectively with management about cyber security.
Remember the good old days when the control network stood on its own and no one but engineering could touch it? There were no connections to the enterprise network or the Internet.
In those days, cyber attackers were happy focusing on financial institutions, and the operations staff was free to just get on with making products.
Well, those days don't exist anymore.
The stories of reputable organizations falling victim to disastrous cyber attacks are regularly covered in the mainstream press. And, industry is not being spared. Attacks on manufacturers and energy providers are happening all too frequently.
There's no escaping the push to secure industrial applications. With the Industrial Internet of Things (IIoT) driving connections to more devices and more external people and systems, protecting control networks is more difficult than ever.
The challenge is how to go about ensuring industrial security. In particular, what are the roles of various groups such as IT, operations and top management in making sure your facility is protected and ready to act if there is a breach?
To help with one part of this challenge, let's take a look at how to communicate with non-technical executives about cyber security. The goal is to make you an effective cyber security leader in your organization.
Security from the CEO perspective
In order to communicate effectively with management about cyber security, you need to consider it from their perspective. Two years ago, US-CERT issued a document that still resonates today called Cyber Security Questions for CEOs. Here are the top five questions US-CERT suggested chief executives should be asking:
- How is our executive leadership informed about the current level and business impact of cyber risks to our company?
- What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
- How does our cyber security program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
- How comprehensive is our cyber incident response plan? How often is it tested?
Cyber risk management concepts
For executives and board members, cyber security is a new area of risk management. Here are the key cyber risk management concepts they need to understand, again according to US-CERT:
Incorporate cyber risks into existing risk management and governance processes. Cyber security is not implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization's governance, risk management, and business continuity practices provides the right strategic framework for it throughout the enterprise.
Elevate cyber risk management discussions to the chief executive. Chief executive engagement in defining the risk strategy and levels of acceptable risk enables more cost effective management of cyber risks aligned with the business needs of the organization. Regular communication between the chief executive and those held accountable for managing cyber risks provides awareness of current risks affecting their organization and associated business impact.
Implement industry standards and best practices; don't rely on compliance. A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems. It also provides processes for understanding current threats and enabling timely response and recovery. Compliance requirements help to establish a good cyber security baseline to address known vulnerabilities but do not adequately address new and dynamic threats, or counter sophisticated adversaries. Using a risk-based approach to apply cyber security standards and practices allows for more comprehensive and cost effective management of cyber risks than compliance activities alone.
Evaluate and manage your organization's specific cyber risks. Identifying critical assets and associated impacts from cyber threats are critical to understanding a company's specific risk exposure—whether its financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investment decisions, and develop policies and strategies to manage cyber risks to an acceptable level.
Provide oversight and review. Executives are responsible to manage and oversee enterprise risk management. Cyber oversight activities include the regular evaluation of cyber security budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.
Develop and test incident response plans and procedures. Even a well-defended organization will experience a cyber incident at some point. When network defenses end up penetrated, a chief executive should be ready to answer, "What is our Plan B?" Documented cyber incident response plans exercised regularly help to enable timely response and minimize impacts.
Improving Security Dialogue with Executives. Additional tools for improving the cyber security dialogue with executives are available from Tripwire. Tripwire was recently acquired by Belden. Tripwire has some handy cyber literacy tools like:
- A workbook on how to communicate about cyber security to executives and board members. By answering the questions in this workbook and reading its tips you will be able to present your existing cyber security measures from an executive's point of view. The questions in this document are more extensive than the ones suggested by US-CERT and will aid in the thoroughness of your preparation.
- A white paper that explains the gaps in cyber literacy amongst executives and between executives and IT.