Building a culture of cybersecurity in your business doesn’t just happen. And when it doesn’t happen, trouble is just a few clicks away. So how do you keep your IT team connected to senior leadership and even to your governing board?
Cybersecurity is an effort that requires more than just the talents of a dedicated IT staff. To be effective in protecting your data and your networks - in keeping your business safe from hackers and cybercriminals - you have to develop a culture of cybersecurity. From the most entry-level employee all the way up to the CEO, everyone has to be committed to success when engaged in a battle where the opponent only has to be right (or lucky) once.
More and more, cybersecurity is becoming a priority for board members. Where they used to trust the CEO, who trusted the IT guy… that’s not the case as much anymore.
While Zoom is an interesting example of prioritizing security, there are lessons to be learned from its experience. Forbes lays out Ten Privacy/Cybersecurity Governance Actions boars should take and I’d like to discuss a few of them today with our panel.
Top Ten Privacy/Cybersecurity Governance Actions
1. Adhere to best practices and standards for the governance of information security and undertake the specific responsibilities assigned to boards and senior management.
2. Establish a culture of respect for privacy and security through top-level policies, actions, and enforcement.
3. Assign key roles and responsibilities for privacy and cybersecurity to senior management personnel.
4. Issue a Code of Conduct applicable to all employees, contractors, vendors, and business partners that requires honesty and transparency in business transactions and compliance with policies and procedures.
5. Ensure that privacy and cybersecurity compliance issues are clearly identified and integrated into operational policies and procedures and the cybersecurity program.
6. Require that all systems and code be designed, developed, tested, and maintained with privacy and security considered at every stage and code is developed according to secure coding practices.
7. Ensure that software code undergoes regular code reviews and scans for vulnerabilities and risk assessments of cybersecurity programs are performed.
8. Ensure that all privacy policies and public-facing information, especially marketing and securities information about the company and security of its systems and data, accurately reflect operational practices, especially with respect to the sharing and use of personal data.
9. Require the escalation of serious privacy and security incidents to the senior management team and the board and ensure that privacy and security incidents are integrated into crisis communications plans.
10. Identify the key information flows that are required to keep the board informed about the foregoing and put in place an oversight process that includes monitoring the status of key risks.