How to get your board on board with Collective Defense
Remember when cybersecurity was an offshoot of operational IT? “Just” a technology concern? As digital transformation, data privacy, rapid innovation, and business continuity take center stage across all industries, a well-developed cybersecurity strategy now has a critical place at the table. As David X. Martin, co-chair of The Directors and Chief Risk Officers Group, notes, “A well-developed cybersecurity strategy keeps the operational wheels of business rolling.”
It’s clear that attackers are innovating faster than defenders can respond, and the cost of trying to keep up is mounting. In fact, 69% of executives and leaders indicate that “staying ahead of attackers is a constant battle and the cost is unsustainable.”
Those of us entrenched in the world of cyber defense know this current reality … and what’s ahead. As Kelly Bissell, Global Lead of Accenture Security, and his colleagues observe, “[I]n the shape-shifting world of cybersecurity, attackers have already moved on to indirect targets, such as vendors and other third parties in the supply chain. It is a situation that creates new battlegrounds even before they have mastered the fight in their own backyard.”
Why a Collective Defense cybersecurity strategy?
As IronNet’s Co-CEO General (Ret.) Keith Alexander, former Commander U.S. Cyber Command, and I recently discussed in the “Cybersecurity’s Tectonic Shift: A Call for Collaboration” webinar, individual companies are struggling to solidify an effective cybersecurity strategy despite increasing investments. There are no easy answers to cybersecurity, but we do know that a Collective Defense strategy — where companies, sectors, states, and nations collaborate on cyber defense as a united force — is providing a growing advantage against cyber attacks. This collaborative approach is helping companies contend and compete with adversaries’ seemingly unlimited time, resources, and relentlessness.
If Collective Defense presents such a promising approach to cybersecurity, how can you get the support of your corporate board to participate?
Communicate the urgency to lessen digital risk
The first step to engaging in Collective Defense is creating a business-wide sense of urgency to defend together within and across sectors, recognizing that no individual organization can work alone to weaken threat groups and anticipate their ever-changing tactics, techniques, and procedures (TTPs).
Collective Defense is a way to lessen digital risk as part of a board’s expected scrutiny of business risk at large, especially for a long-standing, traditional company in the midst of digital transformation. Cyber attacks are among the top five global risks, according to the World Economic Forum, and the business impact can be significant. Think about the growing list of top brands that know the negative impact firsthand, from losing digital trust to losing millions on business recovery and brand repair efforts.
The energy sector, along with finance and healthcare, is among those leading the charge in working together to mitigate risk and strengthen cyber resilience. Their approach is emphasized in the World Economic Forum white paper “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards”: “While we each have a role and responsibility in managing the cyber risks affecting our organizations, we must realize that individual efforts are not sufficient. In our connected ecosystem, a cyber attack on one can cascade and affect many. As a result, we must collaborate with one another, across the public and private sectors, to develop, adopt and share best practices to ensure collective cyber resilience.”
This type of collaboration is at the core of IronNet Collective Defense, wherein threat knowledge-sharing can happen at network speed across and within sector ecosystems. Working together in this way broadens your visibility of the threat landscape and gives you collective resources for faster network detection and response (NDR).
Critical here is ensuring that your CISO is not a lone voice perceived as crying wolf and, more important, that your CISO presents your cybersecurity strategy as business strategy. Language around your technology stack, SOC metrics, and the like matters. But more important is communicating:
- The full business impact of a data breach or other cyber attack, including impact to intangible assets like intellectual property and brand reputation/equity
- The most critical assets to protect and your layered defense-in-depth approach
- Your response plan to ensure business continuity
Advocating for Collective Defense must be an aligned, hand-in-hand effort by your CISO, your executive team, and your board.
Taking action on your cybersecurity strategy
As I mentioned, step one is communicating the urgency as an organization-wide business conversation. From there, there are clear operational steps to put a Collective Defense cybersecurity strategy in play. You can learn more about these steps in IronNet’s “10-step Executive Action Plan for Collective Defense.”