Meet Fiduciary Responsibility
Board members and executives have a fiduciary responsibility to monitor and mitigate corporate risk and minimize financial loss.
Like many organizations, your company probably has a firewall and antivirus software, and those tools are probably doing their designated job. But as the Center for Internet Security (CIS) and the Australian Government Department of Defense noted in recent studies, this is not sufficient. Their studies show that eighty-five percent (85%) of recent CyberSecurity attacks could have been easily prevented if the targeted companies had only implemented, and routinely tested compliance with, five fundamental security practices.
Many Directors and senior managers simply trust that their IT staff are aware of these issues and are addressing them. The reality is that most IT departments are understaffed, and the employees are busy dealing with password resets, hardware failures, software bugs, and other day-to-day problems that demand immediate attention to give CyberSecurity the attention it deserves. At the same time, laws and regulations are changing, and shareholders are becoming more diligent, with all of the attention focusing on whether companies are faithfully discharging their fiduciary responsibilities toward the company and as stewards of their customers’ information. As high-profile cyber data breaches continue to occur, lawmakers, regulators, and shareholders are holding officers and Directors of the company responsible. Delegation is no longer an option; your company’s senior management and Directors all need to play a part in setting and enforcing company’s CyberSecurity policies. This process of setting and enforcing CyberSecurity policies is referred to as Cyber Governance.
The prospect of Cyber Governance is daunting for many companies, and many do not really know where to begin. That’s where ClearArmor’s ICSP comes in.
Upon installation, the ICSP releases an army of autonomous, virtual robots (we call them “bots”) throughout your network. These bots carefully and completely inventory your entire IT landscape, from servers and workstations to printers, networking equipment, and more, giving you an independent, trusted view of your company’s network. Our bots are not some new creation – we have partnered with one of the pioneers in the industry to leverage their nearly two decades of experience inventorying IT systems for some of the largest companies and governments in the world so you can be assured the information the bots provide is comprehensive and reliable. Visibility is a key component of CyberSecurity – you can’t secure what you can’t see. Armed with the information, your company’s Directors and senior executives can work with the IT department to create a custom CyberSecurity plan that is in line with corporate priorities, including budget, risk tolerance, and regulations.
This independent visibility is important in today’s security environment; if the officers and Directors are not actively involved in creating the plan and ensuring it is properly implemented, they could be accused of breaching fiduciary responsibilities, including failure to exercise due diligence to reduce the risk of financial loss, reputation risk, and lawsuits by overseeing the company’s CyberSecurity.
The officers’ and Directors’ responsibilities do not stop at the creation of the plan; they also have to be involved in the execution of the plan. With CyberSecurity, every minute counts. Rather than waiting hours or days for issues to percolate up to the C-suite, the ClearArmor ICSP’s powerful and easy-to-understand dashboards allow senior executives and Directors to proactively discharge their fiduciary duty to protect the company. The ICSP’s bot army collect and report on meaningful, unbiased, and concrete facts, enabling the CEO and Directors to side-step potential internal politics and focus the company’s resources where they matter most. The result is a leaner, more responsive CyberSecurity strategy that is in line with corporate priorities rather than those of a particular business unit or organization.
The ClearArmor Cyber Governance framework will:
- Work with your IT department to create and implement a custom CyberSecurity plan based around your company’s specific needs, budget, risk tolerance, risk appetite, and the regulations impacting your company today, leveraging the same processes used to secure some of the government’s and industry’s most valuable data.
- Deploy an army of trusted, automated, intelligent, virtual robots, which scour your network to independently collect timely information about how the plan’s implementation is progressing.
- Provide the results in easy-to-read dashboards and reports, which give senior managers and Board of Directors the trusted information needed when addressing shareholders, customers, and regulators.
Document Regulatory Compliance
ClearArmor’s Cyber Governance Framework allows for an extensive documentation of the required regulatory compliance.
Most organizations are unable to print-out reports or conduct random audits against regulations, proving compliance with many CyberSecurity industry standards such as, NIST, CIS, ISO, etc.
In order to effectively comply with requirements, regulations, and controls, a comprehensive solution must be deployed, which documents measurements against compliance metrics and performs self assessments as well as random audits.
This exercise and proactive action protects the Organization and its Employees against litigation or financial burden.
Even with well-constructed cyber defenses, companies are still vulnerable to attack.
This is evidenced in part by the fact that many companies first learn of a data breach when a third party,
typically a law enforcement or intelligence agency, contacts them.
Many companies that experience data breaches are subject to lawsuits by regulators and/or customers, including class action suits.
To properly defend itself, your company needs to show that it not only had a plan, but also had been diligently implementing,
testing, and refining the plan, including any regulatory requirements.
Manually auditing and documenting compliance for even a modest-sized network is such a significant undertaking that many companies either give up or have come to accept that they will only ever be able to partially document compliance.
Rather than relying on an army of humans to fight a computer battle, the ClearArmor ICSP allows your company to deploy an army of virtual robots (“bots”)
to automate the data collection and testing processes. This greatly speeds up the data collection process,
helps reduce personnel costs, and greatly improves information fidelity and reliability.
These bots automatically collect and record the actions your company takes to implement its CyberSecurity plan, including who views the dashboards, how often they are viewed, and how the company’s plan and level of involvement changes over time.
This allows your company to show regulators, the courts, customers, and shareholders that the data ex-filtration was the result of a highly competent adversary rather than a lack of diligence on your company’s part.
This information can be vital to help your company limit its liability.
Quantify and Mitigate Security Risks
The very nature of CyberSecurity demands a managed effort.
Few organizations have a managed effort. To "Detect, Mitigate and Protect" the CyberSecurity process requires numerous technical tools and processes. Typically, the tools and processes are stovepipe applications that generate independent data stored in local databases without central management.
Current organization CyberSecurity solutions may or not be functioning and if they are, they are not incorporated into standard documented process. Since networks are not well defined, the application is not properly deployed and the resulting data is not useful.
A CSRP forces integration and analysis of the CyberSecurity applications against an overall framework. Applications are reviewed and decisions are made as to the necessity of the data and associated actual cost of the application in maintenance fees and work effort.
It is easy for organizations to waste money and effort on the latest CyberSecurity point solution; there is a temptation to think "If we just spend money and incorporate the latest 'Hot Solution' surely we'll be protected."
As a result, organizations have many CyberSecurity point solutions but lack an executive view that ensures the software is deployed and actively in use and the data generated is useful and complete. Spending money on solutions that end users or administrators disable because they cause performance problems or just do not use can be worse than not having the solutions at all, since it can create a false sense of security and diverts resources from other, potentially valuable activities.
The ClearArmor CSRP solution quantifies CyberSecurity spend.
All costs can be quantified, along with a process that includes active solution management, contract management, storage of associated documents, agreements, licensing and administrative efforts. The process sends alerts, and monitors application activity. The ClearArmor SRP solution summarizes data through dashboards and reports to provide the data you need to oversee a successful CyberSecurity process.
By understand and quantifying the full cost of CyberSecurity and the proposed changes, the organization assesses any further purchases by quantifying the risk-benefit against risk tolerance and cost increases.
Enable A Security-Focused Culture
Employee security participation and a security-focused corporate culture is an often-overlooked but core component of Cyber Governance.
According to the Association of Corporate Counsel Foundation’s "State of CyberSecurity Report", forty-five percent (45%) of recent data breaches were the result of human-related errors. Human factors must be considered and included in a CyberSecurity process.
The ClearArmor CSRP enables a security-focused culture by including management and personnel within your company’s CyberSecurity program. The CSRP includes documented, automated, and tracked training for employees and incorporates them into the web-based "CyberSecurity Daily" newsletter. It also includes CyberSecurity information on current cyber issues, the corporation's position on current cyber threats, and an automated assessment of the employee's participation in CyberSecurity.
End-point security is an integral part of the ClearArmor CSRP; the most important network endpoint is the employee.
A proper CyberSecurity process includes a documented and continuous employee CyberSecurity program. The ClearArmor CSRP can integrate with existing Employee Security programs for documentation. The process tracks employee CyberSecurity training, providing management summaries of activities and performance.
- System misconfiguration
- Poor patch management
- Use of default user names and passwords or easy-to-guess passwords
- Lost devices
- Disclosure of information via an incorrect email address
- Double-clicking on an unsafe URL or attachment
- Sharing passwords with others
- Leaving computers unattended when outside the workplace
- Using personally owned mobile devices that connect to the organization’s network