{"id":2143,"date":"2025-02-28T16:00:26","date_gmt":"2025-02-28T16:00:26","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2143"},"modified":"2025-02-28T16:00:26","modified_gmt":"2025-02-28T16:00:26","slug":"is-your-enterprise-cyber-resilient-probably-not-heres-how-other-boards-fixed-that","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2143","title":{"rendered":"Is your enterprise \u2018cyber resilient\u2019? Probably not. Here\u2019s how other boards fixed that"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

In the escalating battle against cyberthreats, most businesses pour more security resources into prevention and detection: Keep attackers at bay, and if (er, when) a breach occurs, respond to it faster. While that focus has merit, another strategy is gaining traction.<\/p>\n

With attacks becoming all but inevitable, more boards and business leaders want more focus on mitigating the aftermath, to get back up and running with minimal cost or impact. Sophisticated cyberattacks, from ransomware to\u00a0phishing attacks, threaten not only companies\u2019 informational assets but also, crucially, their operational continuity and reputation. And with business leaders under increasing pressure from regulators and investors to implement effective cyber-risk management, many are starting to approach it through the lens of\u00a0cyber resilience<\/a>\u00a0\u2013 facing the reality that attacks will happen and having a plan for recovery when they do.<\/p>\n

Dating back at least to the year 2000, the idea of resilience has increasingly become a topic of serious discussion in boardrooms and C-suites in the post-pandemic years of accelerated digitization. It acknowledges the stark reality that no defense is impenetrable.<\/p>\n

Instead of just trying to detect and\u00a0respond to incidents faster<\/a>, cyber resilience prepares organizations to endure and quickly recover. This ensures that when breaches occur, their impact on operations, reputation, and finances is minimized, allowing businesses to sustain their momentum with minimal disruption.<\/p>\n

\u201cThe ultimate goal of a cyber resilient organization would be zero disruption from a cyber breach \u2013 no impact on operations, finances, technologies, supply chain or reputation,\u201d says Keri Pearlson, executive director of the research consortium Cybersecurity at MIT Sloan (CAMS). \u201cBoard members should ask, \u2018What would it take for this to be the case?\u2019\u201d<\/p>\n

Getting the board on board with cyber resilience scorecards<\/strong><\/p>\n

Regulatory bodies are increasingly mandating disclosures related to cyber risk management and the presence of cybersecurity expertise within boards. So, boards must deepen their understanding and move beyond delegating to risk management experts, and actively engage in safeguarding their enterprises, Pearlson says. This entails a fiduciary duty to shareholders to mitigate business risks effectively, a responsibility that grows in complexity with the advancing cyber threat landscape.<\/p>\n

A course designed by Pearlson and her colleagues, called \u201cCybersecurity Governance for the Board of Directors,\u201d aims to arm board members with the necessary insights to navigate this intricate domain, emphasizing the board\u2019s critical role in cybersecurity oversight and the strategic alignment of cybersecurity measures with broader business objectives.<\/p>\n

More broadly, the \u201ccyber resilience scorecard\u201d has emerged in the past few years as a pivotal tool in the shift toward resilience, serving as a\u00a0comprehensive cybersecurity framework<\/a>\u00a0for assessing, monitoring, and enhancing an organization\u2019s ability to withstand security incidents.<\/p>\n

The multidimensional view of cyber resilience scorecards<\/strong><\/p>\n

Unlike traditional metrics that might focus narrowly on incident counts or response times, a scorecard adopts a holistic view. It evaluates factors across the spectrum of cyber resilience, from the robustness of protective measures and the efficacy of response protocols to the readiness for recovery and the adaptability to emerging threats. This approach provides a multidimensional view of an organization\u2019s cyber resilience, enabling targeted improvements and strategic decision-making.<\/p>\n

Pearlson and her team at MIT developed a scorecard template based on her experience in board meetings.<\/p>\n

\u201cThe scorecard idea came from my observation on the boards I\u2019m on that board members don\u2019t really know how to talk about cybersecurity, number one,\u201d explained Pearlson, in an exclusive interview with Focal Point.\u00a0<\/p>\n

\u201cNumber two, technology people don\u2019t know how to report to the board on cybersecurity. They report technical things, quantitative things that are important to managing cybersecurity, but really, the board is not in a position to take the right kind of action or make the right kind of decisions\u2026 without lots of explanation.\u201d<\/p>\n

Top business sectors adopting scorecards in recent years include\u00a0financial services<\/a>, healthcare, IT and IT services, manufacturing<\/a>, and e-commerce, with some companies adopting them because of the increase in regulation or the increase in supply chain attacks, says Malini Rao, CISO of DeepLearnCyber.ai, who developed a scorecard for CISOs.<\/p>\n

\u201cThese scorecards provide a comprehensive view of potential vulnerabilities,\u201d she told Focal Point. \u201cThey can help quantify the likelihood and potential impact of different threats, allowing organizations to prioritize resources and efforts accordingly.\u201d<\/p>\n

Not a \u2018one size fits all\u2019<\/strong><\/p>\n

There is no \u201cofficial\u201d cyber resilience scorecard and no defined \u201cright way\u201d to do it. Pearlson developed the concept as a framework or template, but implementation is somewhat subjective. Organizations need to define for themselves what matters and what metrics are valuable to track and monitor.<\/p>\n

Here are a few examples of cyber resilience scorecards developed by various entities:<\/p>\n

Lockheed Martin<\/strong>: Lockheed Martin introduced its\u00a0Cyber Resiliency Level (CRL) Framework<\/a>\u00a0and corresponding\u00a0Scoreboard<\/a>\u00a0in 2018, illustrating a more formalized approach to measuring cyber resilience during this period. The company\u2019s Cyber Resiliency Scoreboard includes tools like a questionnaire and dashboard for measuring the maturity levels of six categories, including Cyber Hygiene and Architecture.<\/p>\n

MIT<\/strong>: The\u00a0Balanced Scorecard for Cyber Resilience (BSCR)<\/a>\u00a0provides insight into financial and operational performance by combining information about core activities that might otherwise be isolated from each other.<\/p>\n

USDA<\/strong>: The\u00a0USDA Cybersecurity Scorecard<\/a>\u00a0created with the Farm Service Agency emphasizes a balanced scorecard approach aligned with the NIST framework, focusing on areas like compliance, vulnerability management, and incident response. Aligning with the NIST framework ensures that the USDA adopts a comprehensive, standardized approach to cybersecurity that is recognized and utilized across various industries. This alignment enhances the organization\u2019s ability to manage and mitigate risks effectively while ensuring that all aspects of cybersecurity, from prevention to response, are systematically addressed.<\/p>\n

Malini Rao<\/strong>: Rao\u2019s\u00a0CISO Operational Balanced Scorecard<\/a>\u00a0distinguishes between transformational and operational aspects, offering a dual approach to align cybersecurity with strategic business objectives. She champions scorecards for helping CISOs \u201cgain trust by proactively reporting metrics\u2026 that can identify weaknesses and prioritize areas for improvement.\u201d<\/p>\n

While there is no \u201cone-size-fits-all\u201d approach to a cyber resilience scorecard, there are certain elements that they typically have in common. Whether you\u2019re considering an existing cyber resilience scorecard or designing your own, look for this basic framework:<\/p>\n

Risk assessment<\/strong><\/a>: Evaluating potential cyber risks and their impact on the organization<\/p>\n

Security controls<\/strong>: Reviewing the effectiveness of implemented security measures<\/p>\n

Incident response<\/strong>: Assessing the readiness and response strategies for potential cyber incidents<\/p>\n

Recovery capabilities<\/strong>: Measuring the ability to recover from a cyberattack with minimal disruption<\/p>\n

Build your own cyber resilience scorecard<\/strong><\/p>\n

Follow these key steps to make a cyber resilience scorecard that\u2019s effective for your particular situation:<\/p>\n

Assessment and goal setting<\/strong>: Begin by assessing your current cybersecurity posture and defining what cyber resilience means for your organization. This could involve setting goals for recovery times, reducing the impact of breaches, or enhancing system redundancies.<\/p>\n

Framework development<\/strong>: Develop a scorecard that aligns with your cyber resilience goals. This should include a blend of quantitative and qualitative metrics, such as recovery time objectives, employee training levels, system backup frequency, and the integration of cybersecurity in business continuity planning.<\/p>\n

Regular monitoring and reporting<\/strong>: Establish a routine for monitoring performance against the scorecard metrics. This monitoring should be an integral part of the cybersecurity governance process, with regular reporting to key stakeholders, including the board of directors.<\/p>\n

Continuous improvement<\/strong>: Use insights gained from the scorecard to drive continuous improvement in your cyber resilience strategies. This could involve adjusting cybersecurity policies, investing in better\u00a0incident response technologies<\/a>, or enhancing employee training programs.<\/p>\n

Board involvement and oversight<\/strong>: Ensure that the board of directors is actively involved in overseeing the implementation of the scorecard. Their strategic insight and oversight will be crucial in aligning cyber resilience efforts with broader business objectives.<\/p>\n

By prioritizing cyber resilience and adopting tools like a scorecard, organizations can not only mitigate the impacts of cyber incidents but also bolster their competitiveness and sustainability. Rao recommends using AI<\/a>\u00a0and\u00a0automation<\/a>\u00a0to enhance cyber resiliency reporting, like generating weekly and monthly scorecards. And don\u2019t forget your supply chain, she stresses: Businesses should align their third-party partners to\u00a0report scorecard metrics too.<\/p>\n

Learn how to protect your business-critical endpoints and cloud workloads with the Tanium platform.<\/a><\/p>\n

This article was written by Tony Bradley and originally appeared in Focal Point magazine.<\/em><\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

In the escalating battle against cyberthreats, most businesses pour more security resources into prevention and detection: Keep attackers at bay, and if (er, when) a breach occurs, respond to it faster. While that focus has merit, another strategy is gaining traction. With attacks becoming all but inevitable, more boards and business leaders want more focus […]<\/p>\n","protected":false},"author":0,"featured_media":2144,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2143","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2143"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2143"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2143\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2144"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2143"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2143"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2143"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}