In recognition of Cyber Security Awareness Month in October, we are pleased to provide a three-part article series on Cyber Security Risk Management for Critical Infrastructure Executives and Board Directors. The series covers the following topics:
- The Increasingly Threatening Cyber Threat Landscape for Critical Infrastructure Operators
- Guidelines on How to Build an Effective Cyber Security Risk Management Program
- Proven Techniques on How to Implement Effective Cyber Security Governance Practices for Your Program
The first part of the series provided high-level context on the cyber security threat landscape and the key risks facing critical infrastructure operators. The second part provided practical guidance on how to build an effective cyber security risk management program. This final part covers governance within cyber security risk management. Governance is critical: without effective governance, even a well-designed cyber security program will fail.
Enjoy the series, and we hope this will assist you in your cyber security risk management initiatives!
Alignment with your Enterprise Risk Management Program
Cyber security is not an IT issue; it is a risk management and governance issue that company executives and Boards need to oversee, manage, and support closely within their organizations. Cyber security risk management should not be a standalone initiative. It should be integrated into your overall Enterprise Risk Management (ERM) program. For a list of guidelines to follow when building an effective cyber security risk management program, read the second article of our series here.
Include cyber and physical security as an area of risk in your ERM, just as you would include other risk areas such as major weather events and labor relations. Use the same risk register that you use for all other risks. Entries in this register can include findings from cyber security program audits, vulnerabilities introduced by third parties (vendors and service providers), and the results of assessments and penetration tests conducted either by your own organization or by a third party. Unpatched systems should be tracked in the register as open risks, and patching should be treated as a continuous priority rather than a periodic project, since delayed patching leaves systems exposed to known vulnerabilities for which exploit details are often already public.
Role of the Executive Team
The executive team should be trained on cyber security and effective governance. This training provides the foundation on which sound executive-level decisions are made.
The executive team should regularly review the status of the entity's cyber security program, at least quarterly. Gaps in the program, and risks arising from changes in the cyber threat landscape, should be discussed and actioned promptly.
As with other programs, the executive team should ensure that enough resources, with the appropriate skill levels, are applied to the program. Planning for budgets that grow over time is part of addressing a threat landscape that is becoming more challenging and is bound to require more resources in the future. For a review of what this landscape looks like, read the first article of our series here.
Finally, visible support from the executive team goes a long way toward keeping the momentum of a strong cyber security program going. Celebrating wins, such as the completion of a key element of the cyber program, a reduction in the failure rate for phishing tests, or vigilance demonstrated by employees who report suspicious activity, helps ensure continued effectiveness and improvement of your program.
Role of the Board of Directors
Cyber security oversight and support are part of the Board's risk management mandate. As with executive teams, members of the governing Board should be trained on cyber security so that they can make informed and sound decisions when needed. Boards are increasingly recruiting Directors with cyber security experience in order to have subject matter expertise at the Board level in this important risk area.
Reporting is the vehicle that ties cyber security governance together, yet cyber security reporting is often not properly established. Many executive teams and Boards do not receive the insights or the information they need to make informed decisions.
At the operating level, technical reporting is required and typically consists of items such as intrusion attempts, open vulnerabilities (by severity and by how long they have remained unpatched), and technical threat intelligence. As reporting flows upward in the organization, it should be summarized at a higher level and become risk focused rather than technical. Appropriate monthly or quarterly reporting to the executive team can consist of:
- Threat intelligence summary
- Status of the organization’s cyber security program
- Phishing test results
- Risk heat map
- Resources & budgets
- Status of action plans
For Boards, the above information can be summarized with color-coded dashboards and trend indicators, so that Directors can see not only the current state of each risk but whether it is improving or deteriorating. At a minimum, this information should be reviewed quarterly.
Lastly, the executive team and Board should ensure that appropriate cyber insurance is in place to transfer residual risk. Insurance compensates for losses after an incident; it does not reduce the likelihood of one, so it complements rather than replaces the controls in the program.
The cyber risks associated with a critical infrastructure entity are significant. Without proper implementation and governance of an effective cyber security program, the business, operations, and reputation of your entity can suffer serious harm.
AESI’s Cyber & Physical Security Risk Management Services
AESI offers a full spectrum of Cyber and Physical Security Risk Management Services, including risk identification and prioritization, risk management program development, governance alignment, resourcing, budgeting, and training. We assist our clients in managing cyber and physical security risk via a cost-effective and pragmatic approach. We work as an extension of your team as a trusted advisor, providing industry and threat landscape updates and advice on how to increase your cyber security maturity.
As an Industry Trusted Advisor, AESI can assist you. For more information: