In Cyber Guardians: Empowering Board Members for Effective Cybersecurity, veteran cybersecurity advisor Bart McDonough delivers a comprehensive and hands-on roadmap to effective cybersecurity oversight for directors and board members at organizations of all sizes. The author includes real-world case studies, examples, frameworks, and blueprints that address relevant cybersecurity risks, including the industrialized ransomware attacks so commonly found in today’s headlines.
In the book, you’ll explore the modern cybersecurity landscape, legal and regulatory requirements, risk management and assessment techniques, and the specific role played by board members in developing and promoting a culture of cybersecurity. You’ll also find:
- Examples of cases in which board members failed to adhere to regulatory and legal requirements to notify the victims of data breaches about a cybersecurity incident, and the consequences they faced as a result
- Specific and actionable cybersecurity implementation strategies written for readers without a technical background
- What to do to prevent a cybersecurity incident, as well as how to respond should one occur in your organization
A practical and accessible resource for board members at firms of all shapes and sizes, Cyber Guardians is relevant across industries and sectors and a must-read guide for anyone with a stake in robust organizational cybersecurity.
Table of Contents
Preface: What to Expect from This Book xv
Chapter 1 Introduction 1
Summary of a Board’s Incident Response 5
Checklist for a Board’s Incident Response 8
Chapter 2 Cybersecurity Basics 11
CIA Framework 13
Key Cybersecurity Concepts and Terminology for Board Members 19
Threats and Risks 19
Vulnerabilities and Exploits 20
Malware 21
Social Engineering 22
Encryption and Data Protection 23
Authentication and Access Control 24
Common Cyber Threats and Risks Faced by Companies 26
Phishing 26
Malware 27
Ransomware 28
Business Email Compromise 29
Insider Threats 30
Third-Party Risk 31
Mistakes/Errors 32
Emerging Threats 33
Advanced Persistent Threats 34
Supply Chain Attacks 35
Data Destruction 36
Zero-Day Exploits 37
Internet of Things Attacks 38
Cloud Security 39
Mobile Device Security 40
Key Technologies and Defense Strategies 42
Firewall Technology 42
Intrusion Detection/Prevention Systems 43
Encryption 44
Multifactor Authentication 45
Virtual Private Network 46
Antivirus and Anti-malware Software 47
Endpoint Detection and Response 48
Patch Management 49
Cloud Technology 49
Identity and Access Management 50
Mobile Device Management 51
Data Backup and Recovery 52
Zero-Trust Architecture 54
Micro-segmentation 55
Secure Access Service Edge 56
Containerization 56
Artificial Intelligence and Machine Learning 57
Blockchain 59
Quantum Computing 61
Threat Intelligence 64
What Is Threat Intelligence? 65
How Can Threat Intelligence Help Organizations? 65
What Should Board Members Know About Threat Intelligence? 66
Threat Actors 67
External Threat Actors 68
State-Sponsored Attackers 68
Hacktivists 70
Cybercriminals 70
Competitors 72
Terrorists 72
Internal Actors 73
Employees 73
Contractors 75
Third-Party Vendors 76
Motivations of Threat Actors 77
Financial Gain 77
Political and Strategic Objectives 78
Ideological Beliefs 79
Personal Motivations 80
Tactics, Techniques, and Procedures 81
Examples of TTPs Used by Different Threat Actors 81
MITRE ATT&CK Framework 83
Chapter 2 Summary 85
Chapter 3 Legal and Regulatory Landscape 87
Overview of Relevant Cybersecurity Regulations and Laws 90
Federal Regulations in the United States 90
The Federal Trade Commission Act 90
The Gramm-Leach-Bliley Act 92
The Health Insurance Portability and Accountability Act 94
State Regulations in the United States 97
Data Breach Notification Laws 97
California Consumer Privacy Act 99
European Union Regulations 101
General Data Protection Regulation 101
Network and Information Security Directive 102
ePrivacy Directive 104
Industry Standards 105
Payment Card Industry Data Security Standard 105
National Institute of Standards and Technology 107
Securities and Exchange Commission 108
2011 Cybersecurity Disclosure Guidance 108
2018 Cybersecurity Disclosure Guidance 108
2023 Proposal for New Cybersecurity Requirements 109
Discussion of Compliance Requirements and Industry Standards 112
Compliance Requirements 112
Sarbanes-Oxley Act 112
New York State Department of Financial Services Cybersecurity Regulation 114
Industry Standards 117
Center for Internet Security Controls 117
International Organization for Standardization 27001 118
Individual Director Liability 120
Chapter 3 Summary 124
Chapter 4 Board Oversight of Cybersecurity 127
The Board’s Role in Overseeing Cybersecurity Strategy 129
Legal Responsibilities 130
Developing an Effective Cybersecurity Governance Framework 131
Best Practices for Board Engagement and Reporting 133
Regular Reporting 133
Use of Metrics 134
Executive Briefings 136
Cybersecurity Drills 137
Independent Assessments 138
Overcoming Objections to Effective Cybersecurity Oversight 139
Promoting a Cybersecurity Culture 141
Chapter 4 Summary 143
Chapter 5 Board Oversight of Cybersecurity: Ensuring Effective Governance 145
The Role of the Board in Overseeing Cybersecurity 147
Developing an Effective Cybersecurity Governance Framework 150
Conduct a Cybersecurity Risk Assessment 150
Implement a Threat Intelligence Program 150
Develop a Risk Management Framework 150
Prioritize High-Impact Risks 151
Regularly Review and Update Risk Management Strategies 151
Strategies for Identifying, Assessing, and Prioritizing Cyber Risks 152
Conducting Cybersecurity Risk Assessments 154
How to Develop and Promote a Culture of Cybersecurity 156
Chapter 5 Summary 158
Chapter 6 Incident Response and Business Continuity Planning 161
Implementing Cybersecurity Policies and Procedures 164
Incident Response and Business Continuity Planning 165
Incident Response Plan 166
Business Continuity Planning 166
Incident Response Planning 167
Defining the Types of Assessments 170
Penetration Testing 170
Vulnerability Scanning 171
Security Risk Assessments 173
Threat Modeling 174
Social Engineering Assessments 175
Compliance Assessments 176
Red Team/Blue Team Exercise 177
Chapter 6 Summary 178
Chapter 7 Vendor Management and Third-Party Risk 181
The Importance of Third-Party Risk Management for Board Members 183
Best Practices for Managing Third-Party Cyber Risk 184
Legal and Regulatory Considerations in Third-Party Risk Management 185
Sample Questions to Ask Third-Party Vendors 187
Chapter 7 Summary 189
Chapter 8 Cybersecurity Training and Awareness 191
Importance of Cybersecurity Awareness for All Employees 193
Strategies for Providing Effective Training and Awareness Programs 195
More Detail on Effective Training Strategies 198
Chapter 8 Summary 200
Chapter 9 Cyber Insurance 201
Understanding Cyber Insurance 202
What Is Cyber Insurance? 202
Why Is Cyber Insurance Important? 203
Evolution of Cyber Insurance 204
The Role of the Board in Cyber Insurance 204
Key Components of Cyber Insurance 205
Types of Coverage 205
Policy Limits and Deductibles 206
Exclusions 207
Retroactive Dates 207
Policy Periods 208
Cyber Risk Assessments 208
Evaluating and Purchasing Cyber Insurance 209
Assessing the Organization’s Risk Profile 209
Determining the Appropriate Level of Coverage 210
Selecting an Insurer 211
Negotiating Terms and Conditions 211
Implementing the Policy 212
Managing and Reviewing the Cyber Insurance Policy 213
Filing a Claim 213
Managing a Claim Dispute 214
Reviewing and Renewing the Policy 214
Chapter 9 Summary 215
Chapter 10 Conclusion: Moving Forward with Cybersecurity Governance 219
The Board’s Role in Cybersecurity Governance 222
Key Takeaways and Action Items for Board Members 225
Chapter 10 Summary 226
Appendix A Checklist of Key Considerations for Board Members 229
Appendix B Sample Questions 231
Appendix C Sample Board Meeting Agenda 233
Appendix D List of Key Vendors 235
Appendix E Cybersecurity Resources 237
Appendix F Cybersecurity Books 239
Appendix G Cybersecurity Podcasts 241
Appendix H Cybersecurity Websites and Blogs 243
Appendix I Tabletop Exercise: Cybersecurity Incident Response 245
Appendix J Articles 249
About the Author 253
Acknowledgments 255
Index 257