Cybersecurity for Business: Organization-Wide Strategies to Ensure Cyber Risk Is Not Just an IT Issue

May 01, 2025, 21 min

Episode description

Cybersecurity for Business is presented as a crucial element of national security and a significant concern for organizations across sectors. The included excerpts highlight the necessity of a comprehensive, top-down approach to cybersecurity, integrating it into all levels of business operations and decision-making, including the board of directors. The text emphasizes moving beyond traditional, IT-centric views to a holistic, enterprise-wide risk management strategy that includes legal, human resources, and financial considerations. Furthermore, the material underscores the importance of understanding and quantifying cyber risk in financial terms, adapting to the evolving threat landscape that includes sophisticated attackers and the challenges of new technologies. The book also examines the roles of various stakeholders, such as the General Counsel and the board, in fostering a culture of security and effectively managing cyber risks through planning, response, and continuous improvement.

You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cyber_security_summary

Get the Book now from Amazon:
https://www.amazon.com/Cybersecurity-Business-Organization-Wide-Strategies-Ensure/dp/1398606146?&linkCode=ll1&tag=cvthunderx-20&linkId=ac919ca30cd9132035ab4f2f4db90ae2&language=en_US&ref_=as_li_ss_tl

Discover our free courses in tech and cybersecurity, Start learning today:
https://linktr.ee/cybercode_academy

Transcript

Speaker 1

Welcome to the Deep Dive. Today we're jumping into a subject that's, well, it's really moved beyond the server room. We're talking cybersecurity for business, right? And it's not just about tech anymore, is it? It's really fundamental to how businesses work today, how they compete, even our national security in some ways.

Speaker 2

That's spot on. And our guide for this is a really fascinating book, Cybersecurity for Business. It pulls together insights from some real heavy hitters.

Speaker 1

Yeah, like who, Well.

Speaker 2

You've got contributions from a former head of US Cyber Command, a former Deputy Undersecretary for cybersecurity. People who've really seen this from the top down.

Speaker 1

Wow. Okay, so serious expertise.

Speaker 2

Definitely.

Speaker 1

So for you the learner, our mission here is to kind of boil this down, pull out the absolute must know insights from this comprehensive guide.

Speaker 2

Yeah, give you a shortcut basically, help you understand this complex cybersecurity world in a business context without you know, getting totally bogged down in technical details.

Speaker 1

Okay, kicking things off. The book apparently starts with a pretty powerful quote.

Speaker 2

It does, from General (retired) Keith Alexander. He says, very bluntly, cybersecurity is national security. The only way to effectively protect ourselves is through a collective defense model.

Speaker 1

Hmm, collective defense. That sets a high bar. What does that mean for a typical company?

Speaker 2

It means it's not just the IT department's problem anymore. That's the core message. Really. The book stresses that protection today needs everyone involved, the whole organization.

Speaker 1

From the board down to, well, everyone. Exactly.

Speaker 2

Yeah, and they don't pull any punches. The very first chapter title is cybersecurity is not an IT issue.

Speaker 1

Okay, that's pretty direct.

Speaker 2

It signals a really big shift in thinking, doesn't it?

Speaker 1

It does. It seems like we went through a phase where people tried to teach boards of directors all the IT specifics.

Speaker 2

Yeah, and the book points out that often didn't Well, it didn't really work.

Speaker 1

Why not? Too technical?

Speaker 2

Exactly. Too technical, too disconnected from what boards actually focus on, the business side of things. They mentioned the whole Y2K bug era as an example. It was focused on the code, the fixes, but a lot of board members struggled to see how that translated into real business risk or opportunity. The communication just wasn't there.

Speaker 1

So what changed? How do you get the board engaged now?

Speaker 2

You talk their language, business language, things like innovation, growth, profitability, P/E ratios, bottom-line stuff. Precisely. So now it's about enabling boards to ask the right questions, business-focused questions about...

Speaker 1

Cyber risk. Like, if we're launching a new product, what are the cyber implications? Exactly.

Speaker 2

Or if we're acquiring another company, what's their cybersecurity situation really like? It has to be part of that core business discussion, not an afterthought.

Speaker 1

Makes sense. And is this linking into those broader corporate responsibility frameworks too, like ESG?

Speaker 2

It is, yeah. The book definitely highlights that embedding cybersecurity into the Environmental, Social and Governance (ESG) framework is becoming more important. Interesting. Larry Fink at BlackRock, for instance, has been quite vocal about this, saying, you know, digital resilience is a key part of long-term value, just like environmental factors.

Speaker 1

Okay, so it's a whole-company issue. Let's drill down on the board of directors, then. Chapter two seems to lay out their specific responsibilities.

Speaker 2

It does, yeah. Five key ideas for boards. The first one is pretty fundamental: they need to actively work with the executive team to build a culture of security and also to provide real, effective oversight. It's not just signing off on budgets. It's about collaboration and informed guidance.

Speaker 1

So not passive acceptance, but active engagement.

Speaker 2

Right. And the second point builds on that: cybersecurity has to be integrated into all business decisions, enterprise-wide.

Speaker 1

No more silos. Absolutely not.

Speaker 2

It can't be treated as this separate thing over in the corner.

Speaker 1

Which logically brings up the legal side. I guess boards must worry about the fallout from a breach.

Speaker 2

They certainly should. The third point is exactly that: directors need a solid grasp of the legal implications. Like what, specifically? Things like public disclosure rules if there's a breach, privacy laws, data protection regulations, GDPR or CCPA, you name it, information sharing requirements, protecting critical infrastructure if that applies.

Speaker 1

That's a lot to track.

Speaker 2

It is. And interestingly, the book cites a 2020 survey: only about, what was it, 14.8 percent of US board members felt deeply informed about these legal bits.

Speaker 1

Wow, less than 15 percent. That's quite a gap.

Speaker 2

It really is. Shows there's work to be done.

Speaker 1

Okay, what's the fourth principle for boards?

Speaker 2

Ensuring management sets up an effective enterprise risk management process specifically for cybersecurity. ERM, but with a cyber lens.

Speaker 1

A structured way to handle the risks. Exactly.

Speaker 2

And this isn't just a US thing. The book mentions international principles being developed based on global focus groups, so there's a worldwide push for this kind of structured oversight. And the fifth point, it comes back to culture. Boards play a crucial role in actively promoting a security-aware culture throughout the entire organization. It reinforces that it's not just tech, it's people. And PwC's Global Information Security Survey apparently shows there's a growing expectation for executives to actually meet these kinds of principles.

Speaker 1

So the pressure is mounting from multiple directions. This really drives home the point about breaking down silos.

Speaker 2

It has to happen. The old way of keeping departments separate just doesn't work in today's interconnected digital world. You need collaboration.

Speaker 1

The book mentions a governance, risk and reputation triangle. What's that about?

Speaker 2

Ah, yeah, that model. It basically highlights the need for the board, the top leadership (CEO, C-suite) and top management to all be well synchronized, on the same page about strategy and risk, especially cyber risk.

Speaker 1

So alignment is key.

Speaker 2

Absolutely. And cyber risk can't be this standalone item. It must be part of the overall risk management plan for the whole company.

Speaker 1

It sounds like communication breakdowns could be a major problem here.

Speaker 2

Huge problem. And the book points to a 2020 EY survey that found a sort of systemic failure in communication between the cybersecurity team and other parts of the business. Who? Like marketing, HR, R&D, finance. Basically everyone except IT generally reported low trust in collaboration with the cyber folks. Ouch.

Speaker 1

That's not good.

Speaker 2

No, it creates massive blind spots. If marketing is launching a new campaign using customer data and they haven't talked to security about the risks, well, you see the problem.

Speaker 1

Yeah, leaving the door wide open. Exactly.

Speaker 2

It's a major weakness. On a related note, though, the book does mention a positive trend: CISOs, the chief information security officers, are increasingly reporting higher up, sometimes directly to the CEO.

Speaker 1

Which signals its importance, right? Right.

Speaker 2

It shows cyber risk is being seen, finally, as a top-level business concern, not just a tech issue.

Speaker 1

Okay. So if it's a business concern, how should leaders think about cyber risk? It feels like it could be overwhelming.

Speaker 2

That's a fair point. The book offers a really helpful way to frame it. Don't think of cyber risk as just a category of risk. Think of it as a quantity. A quantity? How so? As a measure of potential harm, specifically in financial terms, related to your business mission. What's the potential dollar impact if this system goes down or that data gets breached?

Speaker 1

Ah, putting a price tag on it. That definitely gets attention. Exactly.

Speaker 2

So, business leaders need basically three things. First, a way to quantify that risk financially. Second, clear options for dealing with it: remediation, risk transfer like insurance, maybe even accepting some level of risk. And third, integrating that cyber risk assessment with all the other business risks.

Speaker 1

So you can make informed trade-offs about resources. Precisely. How do you actually calculate that financial risk, though? It seems tricky.

Speaker 2

The modern approach, as the book lays it out, combines three things. First is your exposure profile, basically mapping out what you have that's valuable or critical: your annual revenue, where you operate, key suppliers, what kind of data you hold, how much, the value of your intellectual property. Understanding your footprint.

Speaker 1

Okay, what do we need to protect? What's next?

Speaker 2

Second, technical metrics. This is the data from your actual security tools, vulnerability scans, compliance checks, security event logs, incident reports, what your tech is telling you about your current state.

Speaker 1

Got it. Technical reality.

Speaker 2

And the third piece, empirical data. The book stresses this is the real backbone. It means looking at real-world incidents: what's happening out there, what attack patterns are common, what actual financial damages other similar organizations have suffered.

Speaker 1

So combining your specific situation, your tech posture, and real-world incident costs.

Speaker 2

Exactly. That empirical data provides the financial grounding. It helps turn abstract threats into potential dollar figures.

Speaker 1

And that financial view helps prioritize? Absolutely.

Speaker 2

Leaders can then focus spending and effort where it actually reduces the biggest potential financial hit. It helps make those tough resource allocation decisions much clearer.

Speaker 1

This sounds like something you'd need to do regularly, not just once.

Speaker 2

Oh, definitely. The book emphasizes needing a standard, repeatable evaluation process, like financial reporting, right? So you can track trends over time, see if your risk posture is improving or worsening, and adjust strategy. You need consistent data collection, a reliable model or algorithm, integrity in the process so the results are comparable, and clear reports for leadership.

Speaker 1

Let's shift gears a bit to the human side of this. Seems like people are often the weak link.

Speaker 2

Unfortunately, that's a major theme, yeah. Malicious actors know this. They're increasingly targeting the human element because, frankly, it's often easier than breaking through complex technical defenses.

Speaker 1

And the book talks about different types of insider threats?

Speaker 2

Right. It distinguishes between malicious insiders, people intentionally causing harm, maybe for revenge or espionage, and negligent insiders. These are the people who make honest mistakes, click on phishing links, use weak passwords, lose laptops, basically poor security hygiene.

Speaker 1

Any examples come to mind?

Speaker 2

The book mentions a couple of dark ones. A VA analyst's unencrypted laptop was stolen; it had data for over 26 million veterans on it. Wow. And a Facebook employee's laptop theft compromised info for thousands of colleagues. Often it's negligence rather than malice, but the impact could be just as bad.

Speaker 1

And that statistic about phishing emails is just mind blowing.

Speaker 2

Over 90 percent of attacks starting with phishing. Yeah, yeah, it really hammers home how vital employee awareness training is. You can have the best tech, but one wrong click...

Speaker 1

And the whole COVID pandemic, the massive shift to remote work, that must have just thrown gasoline on this fire.

Speaker 2

Oh, absolutely. Suddenly you had this explosion of remote access points. The attack surface just ballooned overnight. The UN reported something like a 600 percent increase in phishing attacks during that time. There was a scramble to update security policies for remote work.

Speaker 1

And HR's role became even more...

Speaker 2

Critical, hugely critical. Educating that dispersed workforce, trying to build and maintain a security-conscious culture when people aren't even in the same building. A massive challenge.

Speaker 1

Okay, let's dive into the technical operations side. The demands on those security teams must be immense.

Speaker 2

They really are. Threats are getting more sophisticated, businesses are digitizing everything. It's a constant battle. The SolarWinds attack was a prime example of that complexity.

Speaker 1

Yeah, that was huge. What are the absolute basics, the foundations for technical defense? Asset inventory?

Speaker 2

It sounds simple, but knowing exactly what hardware, software, and network addresses you have is critical. It's literally the first two controls in the CIS Top 20 framework.

Speaker 1

Can't protect what you don't know you have. Precisely.

Speaker 2

The book also argues for a central security operations team, ideally with some independence for efficiency and effective oversight across the board.

Speaker 1

What about industrial systems, operational technology or OT? Is that different?

Speaker 2

It often is managed differently, yeah. Even though OT systems, the tech controlling physical processes in factories, power grids, et cetera, are increasingly connected to the main IT network.

Speaker 1

Which sounds risky.

Speaker 2

It can be a huge gap. The book mentions breaches at Honda, Norsk Hydro, even Target, where OT vulnerabilities played a role. You really need the same security rigor applied to OT as to IT, and definitely network segmentation to isolate critical systems.

Speaker 1

So what does a strong technical prevention program look like? Layer by layer?

Speaker 2

Okay, several key parts. Network segmentation is crucial, using things like containers to wall off different areas. Then you need strong access control, like bastion hosts acting as secure gateways, always with multi-factor authentication, MFA, plus the usual network security tools: intrusion detection and prevention systems, IDS/IPS, network access control, NAC, to keep unauthorized devices off, web proxies for filtering, and importantly, internal...

Speaker 1

Red teams, that's ethical hackers, right?

Speaker 2

Right. Testing your defenses like a real attacker would, finding weaknesses before the bad guys do.

Speaker 1

And protecting the actual computers, the endpoints?

Speaker 2

Yeah, host-layer prevention. That includes data loss prevention, DLP, tools to stop sensitive data leaving, and standard workstation protection: good antivirus, anti-malware, full-disk encryption, and crucially, rigorous patch management. Keeping software up to date is non-negotiable.

Speaker 1

Okay, that's prevention. What about detection? How do you spot something that gets through?

Speaker 2

Detection relies on things like those IDS/IPS systems again, but also security information and event management, SIEM, systems. Yeah, they pull in logs from all over the network and analyze them for suspicious patterns. Threat intelligence feeds are also vital, keeping you updated on the latest attack techniques. But again, the book stresses detection isn't just tech, it's everyone's job. Training staff to spot and report phishing is a huge part of detection.

Speaker 1

Right, that "security is everyone's responsibility" mantra again. It seems particularly relevant when things go wrong, which leads to incident response.

Speaker 2

Absolutely critical. You will have incidents, so having a well-thought-out, coordinated and regularly tested incident response plan, an IRP, is non-negotiable. SolarWinds drove that home too.

Speaker 1

And the book says the process of building the plan is as important as the plan itself.

Speaker 2

Yeah, because it forces those conversations. Who needs to be involved? What are their roles? What defines an incident? Going through that process builds understanding and coordination before the crisis hits.

Speaker 1

What should be in that plan, or the playbook?

Speaker 2

Key things include identifying all stakeholders: security, legal, the business units, communications, regulatory contacts. Clear definitions of incident types, clear roles and responsibilities, and crucially, escalation paths: who calls whom, and when? And testing it. Tabletop exercises are invaluable. Simulating an incident, walking through the plan under pressure, you find the gaps, refine the process, build muscle memory. It makes the real thing much less chaotic.

Speaker 1

Should companies connect with law enforcement or experts beforehand?

Speaker 2

Definitely. Building relationships with the FBI, DHS, external forensic firms, crisis comms experts, relevant regulators, SEC, FTC, industry bodies, before you need them. That saves critical time during an actual incident.

Speaker 1

What about telling investors? When do you have to disclose a breach?

Speaker 2

The SEC has rules about disclosing material cybersecurity risks and incidents. Understanding what crosses that materiality threshold and having a process for disclosure is a key part of the legal and comms side of IR.

Speaker 1

Breaches sound expensive. What drives up the cost?

Speaker 2

Lots of things: detecting and containing it, notifying customers or regulators, lost business due to downtime or reputational damage, legal fees, fines. It adds up fast. The Ponemon Institute and IBM do regular studies. The average breach cost is typically in the millions.

Speaker 1

Can anything bring that cost down?

Speaker 2

Yes. The data shows things that help include having that tested IR plan, solid business continuity plans, doing proactive red team testing, using AI tools for faster response, and consistent employee training. Those investments pay off when an incident happens.

Speaker 1

How do you measure success in cybersecurity management?

Speaker 2

Key performance indicators, KPIs. The book talks about using quantifiable metrics to track how well you're doing against your security goals, whether they're strategic, financial, or operational. You need to measure to manage effectively.

Speaker 1

Okay, the incident is contained. What happens next? It's not over then, is it? Not...

Speaker 2

At all. Post-incident is crucial. First, triage and containment confirmation, then deep forensic analysis: what happened, how, what was compromised? Then securely regaining control and rebuilding systems, and perhaps the most important step, the lessons learned. The post-mortem? Exactly. A thorough, honest look at what went right, what went wrong, and how to improve the plan and defenses. The GAO report on the big Equifax breach is cited as an example of that kind of essential analysis. Makes sense.

Speaker 1

Now, what about when companies merge or acquire others? M&A seems like a potential cybersecurity minefield.

Speaker 2

It really can be. You're essentially inheriting another organization's entire risk profile. The book strongly advocates for proactive cyber assessment early in the M&A process.

Speaker 1

Not after the deal is done?

Speaker 2

Ideally, no. But an IBM report from 2020 found over half of companies were doing the cyber assessment after due diligence. That's way too late.

Speaker 1

Why so early?

Speaker 2

Because it gives you leverage. You can understand the target's true cyber posture, factor potential remediation costs into the price, maybe even walk away if the risks are too high. Doing it early avoids nasty surprises later.

Speaker 1

What should you look for in that M&A due diligence?

Speaker 2

Key areas are understanding their data: what types, how it's collected, stored, protected, their compliance status. Also assessing their technical security measures, their organizational policies, and how they handle data disposal. A deep dive.

Speaker 1

And then during the integration phase, after the deal closes, the focus...

Speaker 2

Is on closing identified security gaps, prioritizing remediation based on risk, and critically, getting the acquired employees trained on the parent company's security policies and systems. You need a solid day-one integration plan ready to go, extending your protections immediately.

Speaker 1

We've circled back to culture and process multiple times. It seems like building that strong cybersecurity culture is the ultimate goal.

Speaker 2

It really is foundational for sustainable security. A mature program isn't just about the latest tech. It's about embedding security thinking into everyday processes.

Speaker 1

And workflows. And leadership access is key?

Speaker 2

Consistent CISO access to the rest of the C-suite and the board is vital, and building those relationships across functions, sales, HR, audit, before a crisis hits makes collaboration much smoother when you need it.

Speaker 1

The book uses the Atlanta ransomware attack as an example of not having that culture.

Speaker 2

Yeah, that 2018 attack was a stark reminder of the cost of neglecting basic cyber hygiene and not having that security mindset embedded. It crippled city services, cost millions. A very painful lesson.

Speaker 1

The book also pushes for more industry collaboration, sharing threat info and best practices.

Speaker 2

How do you actually build that culture day to day?

Speaker 1

It needs to be part of the whole employee life cycle: thinking about security during recruiting, making it core to onboarding, providing ongoing, engaging training.

Speaker 2

Engaging seems key. A lot of training is pretty dry.

Speaker 1

Right, and research suggests only a small fraction of companies feel their training is extremely successful, so effectiveness is an issue. The book also mentions habit formation; it takes around 60 days, apparently, to form new habits, so reinforcement is crucial.

Speaker 2

What about those phishing tests companies send out?

Speaker 1

They can be valuable if they're framed correctly, as training exercises, learning opportunities, not gotcha moments or punitive measures. Used well, they definitely raise awareness.

Speaker 2

Can you actually measure cybersecurity culture? People are trying. The NACD Cybersecurity Handbook has metrics covering different aspects, and organizations like the OECD and the World Economic Forum are working on measures looking at training effectiveness, risk management adoption, incident rates, even employee sentiment about security. It's an evolving area.

Speaker 1

This has been incredibly comprehensive, a real deep dive into why cybersecurity is so much more than just an IT issue today. If you had to pick one core takeaway for our listeners? I think...

Speaker 2

It's that cybersecurity is a fundamental business issue, full stop. It needs a holistic, top-down, bottom-up approach, from the board setting the tone to every single employee understanding their role. It's not optional anymore.

Speaker 1

Yeah, and the stakes are incredibly high, impacting national security, financial stability, just basic business success in this digital age. Exactly.

Speaker 2

It's about moving past just checking compliance boxes and building a truly proactive, risk-aware, adaptive security strategy and culture.

Speaker 1

So a final thought for you, the learner, to mull over. With threats constantly changing, getting smarter, think about AI being potentially weaponized. How ready is your organization, really? How deeply embedded is that culture of security and collective defense we've been talking about? Something to consider in your own context. Thanks for joining us for the Deep Dive.

Transcript source: provided by creator in RSS feed.