During the speech, Martin posed five basic questions board members should be asking of their technical teams.
These cover how the organization deals with phishing, privileged IT accounts, software and device patching, supply chain security, and authentication.
“Crucially, we are also telling you what to look for in the response,” he added.
“If the answer is: ‘We have hired X and bought Y to address the problem,’ ask the question again. You need to understand what is actually happening — not what activity has been bought.”
Cannot agree more.
Martin admitted that the government’s strategy on providing businesses with cybersecurity advice and best practice hasn’t worked out as expected, with organizations focusing on good governance and simply outsourcing expertise.
Focusing on good governance is not a bad thing. Many organizations don’t do it well, if at all. However, on its own, governance may not help much unless it is paired with the other activities.
Outsourcing expertise also isn’t a bad thing, but boards need to know that they cannot outsource ownership and responsibility. Finding a “trusted security advisor” is a great move, and any worth their salt will help educate the board.
Ultimately, this is the key take-away:
… board members can’t manage risk they don’t understand, so they must become more cyber-literate …