Cyber risk increasingly becoming a board-level issue
![Cyber risk increasingly becoming a board-level issue](/uploads/2018/02/60113abc1e05e.jpg)
Kartik Shahani
Country Manager, Tenable (India)
Preparedness to face challenges of data security:
Many security programmes do not effectively prioritise critical risks. It is also important to have visibility of all assets in the attack surface. This includes traditional IT devices, cloud infrastructure, and increasingly operational technology (OT), such as smart connected controllers or manufacturing controls.
A strong data protection programme should be based on three core tenets:
Focus on what matters most: Avoid trying to address every vulnerability. This consumes valuable resources on risks that have a low likelihood of being exploited. Utilise prioritisation and risk-based analysis to focus aggressively on critical risks that really matter.
Effectively measure your exposure: Obtain a clear view of all assets and your cyber risk exposure. Benchmark internally and externally. Create quantifiable measurements of risk reduction effectiveness that help you focus on what controls are really effective.
Know “how secure or at risk are we?”: Focus on identifying and reducing the critical vulnerabilities that have the greatest likelihood of being exploited by an attacker. This focus should be based on insights into the critical risks and assets within the business.
The best practices adopted for remote working:
Security has moved from a focus on the network to the security of the endpoint. Since the Covid-19 pandemic, staff have continued to work from their homes or have begun the migration to a hybrid working model, and this trend will continue.
Home networks are untrusted. Zero-trust network models are increasingly gaining popularity as a strategy to harden security. Authentication and authorisation of users, devices, and applications will become critical as organizations adapt to the remote work environment with unknown and untrusted connections.
Role of CISOs:
Nearly every industry sector and business model in the world relies on technology. This reliance means cyber risk now equates to business risk. It also means that cyber risk is not a concern managed by the Chief Information Security Officer (CISO) alone but one that’s increasingly becoming a board-level issue. It is for this reason that CISOs are increasingly called upon to keep business leaders and board directors informed of their organization’s risk posture in a clear and understandable manner. By working together, CISOs and business leaders can narrow the cyber exposure gap and ultimately secure their organizations from increasing threats.