Boardrooms have a reputation for not paying as much attention to cybersecurity, but it may be that executives are finally keen to become more interested in securing the systems and networks on which their companies depend.
Senior officials from US, British and Australian cyber security agencies have said that business leaders are now more aware of cyber threats and are actively collaborating with their Chief Information Security Officer (CISO) and information security team.
Abigail Bradshaw, head of the Australian Cyber Security Center (ACSC), said that in a “massive leap in trust”, many organizations are actively seeking advice to help boardrooms inform about cybersecurity issues.
LOOKS: A winning strategy for cybersecurity (ZDNet special report)
“Today, boards say, ‘Can you come and inform our board, and can you stay while CISO informs the board? And can you please give us a view on the quality of our controls and our risk assessment? “, Which is hugely transparent”, she said when speaking at the UK National Cyber Security Centers (NCSC) Cyber UK conference in Newport, Wales
“I see it too, it feels like it’s really maturing,” said Lindy Cameron, CEO of NCSC. “We have really made an effort in recent months to get organizations to take the step up but not panic, do the things we have asked them to do for a long time and take it more seriously.”
The NCSC regularly advises organizations on how to improve and address cyber security issues, from ransomware threats to potential nationwide cyberattacks – and Cameron said she has seen a more practical approach to cyber security from business leaders in recent months.
“I’ve seen managers really ask the right questions to their CISOs, rather than leaving them to it because they don’t have to understand complex technology. It feels like a much more engaging strategic conversation,” she said.
But there may still be a link between knowing what needs to happen, then actually budgeting for and implementing a cybersecurity strategy.
“I think everyone in this room knows what we need to do to lay the foundations for cybersecurity. And often the challenge is the culture and the resources; the will to say, ‘This is what we need to do and we are going to endure the pain to get there, “said Rob Joyce, director of cyber security at the National Security Agency (NSA).
He pointed to multi-factor authentication (MFA), which is widely regarded as a key step companies can take to increase cybersecurity, providing an extra barrier for hackers trying to use phishing, leaked or stolen usernames and passwords. But rolling out MFA to all users of a network can be a challenge.
“We have a long way to go when it comes to multifactor authentication, no one thinks it’s a bad idea – but it’s a real investment, a real pain to implement it,” said Joyce.
Nevertheless, the NSA director believes that progress is being made, especially after the White House signed an executive order on critical infrastructure cyber security and has committed to a zero-confidence model for federal authorities.
LOOKS: Cloud computing security: New guidance aims to protect your data from cyber attacks and intrusions
Although these proposals only relate directly to critical infrastructure and government respectively, it may be useful to follow the cybersecurity strategies of many organizations in other sectors outside government and industry.
“The story has changed at a political level, at board level, at industry level, which is now coming together and saying, ‘We know where we need to go, let’s all have the resources to get there,'” Joyce said.
And while most companies are expected to take control of the implementation and updating of a cybersecurity strategy themselves, governments and cybersecurity agencies are there to provide advice and guidance – and this is something that ACSC’s Bradshaw hopes companies will continue to benefit from during their cybersecurity journeys.
“What they are looking for is evidence of an ongoing relationship and collaboration between my agency and their CISO and senior executives. This is something I am extremely grateful for and I think bodes well for the development that is necessary in the coming decade.” She said.