Key Cyber Governance Issues That Businesses Struggle with and How to Overcome Them

Did you attend our recent cyber governance webinar? On November 17th, 2020, Nexus IT Consultants’ founder and CEO, Earl Foote, was joined by cybersecurity expert Greg Johnson to discuss several key recommendations for overcoming your organization’s cyber governance concerns. This article recaps everything you need to know to improve your cyber governance and protect your sensitive data.

You can also watch the YouTube upload of the livestream here:

Who Is Greg Johnson?

Greg Johnson is the CEO of the world-class penetration testing and cybersecurity services company, Webcheck Security. A BYU graduate, Greg started his career back in the days of 64k 5.25-inch floppy drives and Mac 128Ks.

He founded Webcheck Security after serving on multiple executive teams and a long sales and management career in technology companies such as WordPerfect, Novell, SecurityMetrics, Align, and Secuvant.

As the industry has advanced, Greg has moved into the cyber arena to provide his clients with solutions ranging from compliance and digital forensics to data breach prevention, detection, and response. In 2016, Greg earned his PCI Professional designation.

In several Vice President of Business Development roles, Greg consulted, guided, and educated companies on compliance guidelines and certifications for standards such as PCI, HIPAA, ISO, SOC 1, SOC 2, NIST, GDPR, and so on.

Outside of work, you’ll find Greg spending quality time with his amazing wife Kelly, playing with his grandchildren, or rehearsing and performing with the world-renowned Tabernacle Choir at Temple Square!

What Is Cyber Governance?

If you’re like most people, you probably view cybersecurity as an IT problem. Yet the reality is that network security affects nearly every aspect of an organization, including the board, policy, practices and procedures, and so on.

To understand what cyber governance is, you need to first think about cybersecurity program management in an organization. Unfortunately, most organizations do not have a robust cybersecurity program in place.

Proper cybersecurity is multifaceted and must encompass everything from email protection, authentication, access control, disaster recovery, penetration testing, and incident response planning to endpoint protection, security awareness, and more.

However, most businesses are merely keeping their systems up and running. The question is: who’s in charge of governing and managing all the other components?

Here’s a shocking statistic: only 38% of the Fortune 500 companies actually have a Chief Information Security Officer (CISO). This is the case for such large corporations, even though every business needs some form of cyber governance. But what does proper cyber governance mean?

Cyber governance refers to real cybersecurity program management and accountability within an organization.

Why Is Cyber Governance Important?

Simply put, cybersecurity is no longer just a problem for your IT department. It’s a business problem that must concern every business unit and, most of all, your executive team.

The harsh reality is that in today’s world, the stakes are simply too high. As each day passes, the growing army of cybercriminals is evolving with increasingly sophisticated techniques and strategies for harming your network and stealing your data.

As a business leader, you need to ask yourself: are you a good steward of the information your company holds? What steps are you taking to safeguard your data, be it proprietary data, client data, financial data, HR data, and so on?

Considering all the various cybersecurity components, it’s not hard to see how this is an incredibly complex and perhaps even daunting task. However, with proper cyber governance, your organization can overcome any challenges you encounter in your cybersecurity efforts.

What Are the Most Prevalent Cybersecurity Challenges Businesses Face?

We’ll look at this in two parts:

  • With Covid-19 measures still in place, what are some challenges businesses face due to the decentralized perimeter?
  • What are the common findings from maturity assessments conducted on both small and large businesses?

What Cyber Security Challenges Are Businesses Facing During the Ongoing Pandemic?

  • Inadequate Planning and Preparation: As a business leader, you need to ask yourself: what would happen today if your organization suffered a security breach? Even worse, what if you experienced a data breach that required you to notify your clients? Sadly, many company leaders have yet to have this crucial conversation, which produces a host of related challenges.
  • Problems with Patching: Far too often, we discover that the concept of patching hasn’t hit the radar in many organizations. When we carry out risk assessments for prospective clients, they typically ask us to evaluate the infrastructure, determine what is or isn’t working, and identify potential vulnerabilities. Many times, we find that a prospect’s systems haven’t been patched for months or even years. That might include critical servers, crucial databases, applications, file servers, or user devices. But, to be fair, patching isn’t always a straightforward process. For example, if your organization uses Linux servers with Apache, upgrading to the latest versions can be a tall order. Beyond requiring a significant amount of downtime, you might end up breaking whatever you’re hosting, such as a web app or website, in the process. If that happens, what was to be a 2-hour maintenance window might quickly turn into 72 agonizing hours of downtime! Consequently, many internal IT departments may not be willing to take such a huge risk, leaving their organizations open to cyber-attacks.
  • Continued Reliance on Perimeter Defense: When the Covid-19 pandemic hit and restrictions took effect, many businesses soon realized they were ill-prepared for remote work. Many company leaders lacked contingency plans to migrate away from perimeter-based identity, authentication, and access policies. For example, several businesses were forced to rethink their reliance on Fortinet firewalls, as they couldn’t support the numerous VPN connections needed for secure remote work.
  • Insufficient Visibility and Controls: Often, when we work on an organization’s IT infrastructure, we find inadequate visibility into logs, and ineffective monitoring technologies and alerting should an issue arise.
  • Lack of Agility: Did your organization’s policies and practices allow you to pivot as quickly as you needed when the pandemic struck? With proper cyber governance, tabletop exercises, and incident planning, it becomes much easier to work safely and efficiently in a remote setting.

What Are the Most Prominent Failings by Organizations with Regards to Cyber Governance?

To illustrate these, we’ll consider the last four cyber maturity assessments Webcheck conducted. A maturity assessment (also called a security or cyber hygiene assessment) is essentially a test to determine how well-prepared an organization is to defend against cyber-attacks. Ideally, you want your business to have a high maturity score and a low risk score.

How does Webcheck conduct maturity assessments?

A lot of Webcheck’s work involves helping businesses achieve compliance with several regulatory standards such as HIPAA, NIST, PCI DSS, and so on. That usually involves implementing and managing technologies on behalf of clients, identifying any gaps, and eventually bringing a partner on board that issues the certification.

Using data gathered from companies of different sizes, operating in various industries, Webcheck discovered these two common failings:

  • Lack of Proper Incident Response and Management Policies: Here are some of the key missing policies and procedures:
    • Information security policy.
    • Incident response policy and procedure.
    • Vulnerability management policy and procedure.
    • Disaster recovery/business continuity policy and procedure.
    • Acceptable use policy.
  • Information Security Isn’t Driven at the Board Level: Many CISOs, CTOs, Directors of IT, and other high-ranking IT staff at most companies struggle to get their message across. They find it hard to mobilize the business leadership to pay attention to and budget for cybersecurity and cyber governance. To put it simply, most company leaders are unaware of this significant concern that needs to be addressed immediately.

What Is a CISO and Why Does Your Organization Need One?

CISO stands for Chief Information Security Officer and refers to a senior-level executive responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected.

However, we realize that CISOs typically command huge salaries that may be prohibitive to growing businesses. So, what’s the solution for your small or medium-sized company? Well, you can lease or rent one!

Webcheck Security calls it a FISO, which stands for Fractional Information Security Officer. At an affordable rate, you can begin to understand what your vulnerabilities are and develop proper incident response plans, among other governance practices.

Contrary to what most business owners might believe, cybersecurity and cyber governance are not a one-time event. To protect your organization, you need to engage an experienced cybersecurity professional in an ongoing management process.

What Steps Can You Take to Start Addressing Cyber Governance?

  1. Perform a Risk Assessment: Do you feel your internal IT team can conduct a comprehensive risk assessment? If not, you could outsource to a service provider that can run a detailed analysis. As a business leader, you are directly responsible for your organization’s cybersecurity, meaning even your assets may be seized if it’s determined that you were negligent in protecting your client data.
  2. Conduct a Vulnerability Assessment: You need to identify vulnerabilities in your network from a technology perspective, including penetration testing exercises.
  3. Lease a CISO: Rather than hiring a full-time CISO at nearly $250,000 a year, a FISO would only cost your business a couple of thousand dollars or less. That would get you a few hours every month, which is all the cyber governance you need, including reviewing your cybersecurity policy, supplier security, and supply chain security, etc.
  4. Formulate and Implement Data Security Policies: Do you have all the necessary policies in place, including an acceptable use policy, password policy, mobile device policy, incident response policy, etc.?
  5. Evaluate Your Vendors’ Cyber Hygiene: Because your business deals with several third-party vendors who might hold pieces of your client or employee data, you need to ensure they are also good stewards of your sensitive information. Any third-party vendor you work with must adhere to proper data security policies.

How Can SaaS and Tech Companies Fortify Their Security?

With web applications, there are numerous injection areas such as SQL injection, LDAP injection, CGI cross-site scripting, etc. These are essentially weak points that a bad actor can exploit to inject malicious code and gain access to servers or deposit malware.

So, how can you fortify your SaaS platform or database security? Here’s a list of a few key measures:

  • Conduct Regular Penetration Testing: A penetration test is a real-world simulated attack conducted by a highly experienced individual. Penetration testing should be performed by an experienced cybersecurity professional who documents everything, then contacts the client and briefs them on the network’s vulnerabilities. We recommend having at least one penetration test per year.
  • Implement a Development Security Operations (DevSecOps) Policy: Integrating software development, IT operations, and security can be tricky, to say the least. You can either outsource to a reputable company such as SolutionStream or do it in house. When building your platform, you need to consider DevSecOps by leveraging specific scanning tools, policies, and practices. While this doesn’t replace penetration testing, it will ensure the code you deploy has fewer vulnerabilities.
  • Carry Out Proper Research: When developing your program, you need to conduct intensive research into your language, database engine, and cloud platform. This will help you identify any possible vulnerabilities and the most secure code, databases, and cloud services for your platform.
  • Implement a Good Patching Policy: It’s also integral to your security to ensure all your patches are kept up to date.

Looking for the Most Reliable Cyber Governance and Cyber Security Support in Northern Utah?

Our cybersecurity experts at Nexus IT Consultants are here to help you recognize and address any cyber governance concerns facing your organization.

Contact us now | Call (801) 839-7006 or (435) 200-5926 to book your initial cyber governance consultation!