Today’s cyberattacks on enterprises are persistent and advanced—no enterprise is 100 percent secure. It is no longer sufficient to focus only on prevention and detection. Enterprises need to approach cybersecurity from this standpoint, as part of an integrated, holistic, enterprise-wide effort.
With cyber incidents increasing, it is important for businesses to become cyberresilient: able to anticipate, withstand and recover from attacks. Given the rapidly evolving rate of cybercrime, this is more than an issue for the IT department—it is an issue for everyone in the business. The National Association of Corporate Directors, for example, encourages boards of directors to have a role in ensuring that management is fully engaged in developing response plans.
The engagement must include understanding and prioritizing stakeholder needs, identifying the core business processes and understanding the potential impact of a cyberincident on the business. To help businesses approach cybersecurity holistically, ISACA recently released a new guide, The Cyberresilient Enterprise: What the Board of Directors Needs to Ask.
The 19 key questions boards should ask include:
- Is sufficient attention given to the ability to defend against intrusions as well as the ability to recover and restore essential functions and services?
- Is the board routinely informed about the potential material operational risk and risk mitigation strategies as well as incidents that could impact the brand?
- To what extent have essential services and functions been identified and programs implemented to provide for their resilience in the event of a disruption or cyberincident?
As the paper points out, board members need to evaluate the operational risk inherent in today’s digital business and direct management so the enterprise is more than just protected—it is resilient. If boards dig deep and receive appropriate answers to these questions, they can help the resiliency of the enterprise as it continues its mission of value creation.
Ron Hale, Ph.D., CISM
Chief Knowledge Officer of ISACA
For the full list of questions and to download The Cyberresilient Enterprise: What the Board of Directors Needs to Ask, visit www.isaca.org/cyberresilient.