Back to school time for chief information security officers (CISOs) means one thing: being prepared to explain your cyber risk management strategy to the company board at the upcoming Q3 board meeting. As a key security leader in an organization, you have great insights into the efficacy of the controls in place. CISOs know the number of attacks the organization has experienced and cyber security trends impacting the industry. Therefore, you should come prepared to face the question of how you’re planning to tackle third-party cyber risk.
Third-party cyber risk arises from vendors, partners and suppliers who have access to your sensitive data, system or network, or all. That risk is magnified by a lack of clarity around how they may be protecting your sensitive data. As the original receiver or custodian of the data, it is up to you to ensure specific controls are in place to protect it. That responsibility continues even if you entrust it to someone else. Unfortunately, while most CISOs can recite chapter and verse on their incident response plan, they are often unable to confirm that the vendors they work with have an incident response plan themselves.
Savvy board members are aware of the changing cyber risk landscape and increasingly asking questions of company CISOs. What has caused this shift?
For many, recent news headlines about breaches – like Target, Quest Diagnostics and others impacted due to a third party (or fourth party in some cases) – are unavoidable. Second, cyber security regulations like those from the New York State Department of Financial Services specifically require organizations to have a program that mandates third parties meet specific security controls. This regulation has extra sensitivity for boards, as they must certify that these controls are in place. The Securities and Exchange Commission (SEC) has also released guidance encouraging companies to focus on this, as have other federal regulators. Finally, most boards already have risk or audit committees that consider third-party risks in other areas, so focusing on cyber risk is a natural next step.
Your challenge, as a security leader, is two-fold when it comes to the board. You must not only be able to answer their questions honestly and accurately, but also explain how your organization is evolving to face this risk. It may seem daunting, but the below suggestions can help you have a better conversation with your leadership:
Preparing for a board meeting can be stressful for anyone, and those in security leadership often face additional challenges explaining technical concepts to a non-technical audience. However, by hitting the books and following the guidance above, you can be ready for the inevitable questions on third-party cyber risk and turn a tough topic into an enlightening conversation for everyone involved.
Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.
Manage risk, not spreadsheets. Identify and remediate cybersecurity risks inherent in third-party relationships, helping achieve compliance with regulations such as NYDFS, FARS, GDPR, etc.
Ensure that your cyber security policy has the appropriate controls needed to keep your organization's information secure with a remediation plan in place in the event of an incident.
Kroll’s Virtual CISO (vCISO) services help executives, security and technology teams safeguard information assets while supporting business operations with augmented cyber expertise to reduce business risk, signal commitment to data security and enhance overall security posture.