Remember the good old days when the control network stood on its own and no one but engineering could touch it? There were no connections to the enterprise network or the Internet. Cyber attackers were happy focusing on financial institutions, and the operations staff was free to just get on with making products.

Well, as you know, those days don’t exist anymore. The stories of reputable organizations falling victim to disastrous cyberattacks are regularly covered in the mainstream press. And, industry is not being spared.  Attacks on both manufacturers and energy providers are happening all too frequently.

There’s no escaping the push to secure industrial applications. With the Industrial Internet of Things driving connections to more devices and more external people and systems, protecting control networks is more difficult than ever.

The challenge is how to go about industrial security. In particular, what are the roles of various groups such as IT, operations and top managements in making sure your facility is both protected and ready to act if there is a breach?

To help you with one part of this challenge, let’s take a look at how to communicate with non-technical executives about cyber security. The goal is to make you an effective cyber security leader in your organization.

Executives need to understand ICS SecurityLearning how to communicate to non-technical executives about cyber security enhances your role as a leader and sets the stage for key security initiatives.

Cyber Security from the CEO Perspective

In order to communicate effectively with management about cyber security, you need to consider it from their perspective. Two years ago, US-Cert issued a document that still resonates today called Cyber Security Questions for CEOs. Here are the top five questions US-Cert suggested chief executives should be asking:

  1. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
  2. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
  3. How does our cyber security program apply industry standards and best practices?
  4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
  5. How comprehensive is our cyber incident response plan? How often is it tested?

Important Cyber Rick Management Concepts

For executives and board members, cyber security is a new area of risk management. Here are the key cyber risk management concepts they need to understand, again according to US-Cert.:

Incorporate cyber risks into existing risk management and governance processes.

Cyber security is not implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization’s governance, risk management, and business continuity practices provides the right strategic framework for it throughout the enterprise.

Elevate cyber risk management discussions to the chief executive.

Chief executive engagement in defining the risk strategy and levels of acceptable risk enables more cost effective management of cyber risks aligned with the business needs of the organization. Regular communication between the chief executive and those held accountable for managing cyber risks provides awareness of current risks affecting their organization and associated business impact.

Implement industry standards and best practices, don’t rely on compliance.

A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems. It also provides processes for understanding current threats and enabling timely response and recovery.

Compliance requirements help to establish a good cyber security baseline to address known vulnerabilities but do not adequately address new and dynamic threats, or counter sophisticated adversaries. Using a risk-based approach to apply cyber security standards and practices allows for more comprehensive and cost effective management of cyber risks than compliance activities alone.

Evaluate and manage your organization’s specific cyber risks.

Identifying critical assets and associated impacts from cyber threats are critical to understanding a company’s specific risk exposure– whether financial, competitive, reputational, or regulatory. Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investment decisions, and develop policies and strategies to manage cyber risks to an acceptable level.

Provide oversight and review.

Executives are responsible to manage and oversee enterprise risk management. Cyber oversight activities include the regular evaluation of cyber security budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.

Develop and test incident response plans and procedures.

Even a well-defended organization will experience a cyber-incident at some point. When network defenses end up penetrated, a chief executive should be ready to answer, “What is our Plan B?” Documented cyber incident response plans exercised regularly help to enable timely response and minimize impacts.

Improving the Cyber Security Dialogue with Executives

Additional tools for improving the cyber security dialogue with executives are available from Tripwire. Tripwire was recently acquired by Belden as part of our strategy to provide leading network cybersecurity solutions.

Tripwire has some handy cyber literacy tools like:

By answering the questions in this workbook and reading its tips you will be able to present your existing cyber security measures from an executive’s point of view. The questions in this document are more extensive than the ones suggested by US-Cert and will aid in the thoroughness of your preparation.

Furthermore they are holding an interesting webinar this week that features their CTO along with executives from leading companies on a panel discussing board level cyber literacy. Here are the details:

Live broadcast: Thurs. May 28, 2015, 2:00-3:00PM EDT (9:00-10:00 AM PDT, 18:00-19:00 GMT)
After the live broadcast: The webinar is available on demand.  Just follow the “Register Now” link below.

What tips do you have for improving the cybersecurity literacy of executives?  I look forward to hearing from you.

Related Links