There is a misconception that corporate boards are “old boys’ clubs” where cigar smoking and scotch drinking take priority over supervising the conduct of their respective organisations. In truth, corporate directors have a lot of responsibilities, including executive oversight, revenue growth, organisational advising, and providing operational guidance. Today, helping organisations mitigate the risks associated with IT operations and cybersecurity is another board-level responsibility. That fact was reflected in an April 2021 advisory blog post by the U.S. Federal Trade Commission (FTC).
With IT operations teams still grappling with the challenges of managing their enterprises amid unprecedented pressures owing to the pandemic and a sudden shift to remote work, the article offered guidance to corporate boards. It made clear the FTC’s position that operational integrity must start at the top. One passage from that blog stands out:
Contrary to popular belief, data security begins with the Board of Directors, not the IT Department. A corporate board that prioritises data security can set the tone throughout an organisation by instilling a culture of security, establishing strong security expectations, and breaking down internal silos to facilitate technical and strategic collaboration.
Compliance is a Board-Level Responsibility
The trend toward convening boards with members holding deep experience in IT security and IT operations is gaining momentum. In its 2021 publication The Changing Role of the Board on Cybersecurity: Robust oversight ‘Now’ for a secure ‘Next’, Deloitte asserted that because of the risk of crippling disruption to business, “Cybersecurity oversight has now become the most important topic for the Board after strategic planning.” The economic implications of poor security, lack of business continuity, and technical non-compliance are not lost on regulators, either.
According to the World Economic Forum, the U.S. Securities & Exchange Commission (SEC) “released a proposed cybersecurity disclosure rule to advance risk management and governance towards the treatment of cyber risk” earlier in 2022 that, in the WEF’s view, would elevate cybersecurity and compliance to a board-level responsibility. Meanwhile, the Information Systems Audit and Control Association—better known as ISACA—offered its expertise in helping boards of directors understand the issues associated with cyber risk by recommending six areas of focus for boards, including:
Given these developments, and the clear trend toward putting boards of directors on the hook for the health and security of their organisations’ networks, C-level executives must review their budgets for IT operations, security, and compliance to ensure their IT leaders have the resources to meet higher expectations. And IT leaders must prepare themselves for the questions they are likely to hear as board members take steps to inform themselves of their organisations’ states of readiness.
Five Questions to Ask Before an Incident
Here are five questions boards should ask their IT teams. The answers will help boards assess their organisations’ current condition and shape strategies that align with the current threat and compliance landscape.
Is our network risk quantified and appropriately prioritised?
Mapping vital business operations to the revenue they generate, and those operations in turn to the network services they depend on, quantifies the risk associated with service outages and security incidents and helps make the case for allocating more resources to IT operations and network compliance. In most organisations, everything runs through IT. When the health of the network can be correlated with business viability, IT risk can be communicated and prioritised in the same terms as any other business risk.
What is our backup strategy?
It’s important to know what is being backed up, and how often. That’s because data backup is not just about archiving files, but about recovering configuration settings as well. Backed-up network configurations can be used to quickly restore systems to a last-known-good state after an outage caused by unexpected changes or configuration errors. The Uptime Institute says 49% of all service outages are attributed to configuration and change management errors, and at an estimated downtime cost of $5,600 per minute, an accurate backup can save potentially millions of dollars.
What is our disaster recovery plan?
Even the best-run enterprises are subject to business disruptions due to errors and incidents, so it is important to have a recovery plan that ensures operational resilience and continuity. As part of that plan, and in addition to regularly scheduled backups, take a configuration backup immediately before any network testing or change window, so that you can roll back if something goes wrong when bringing tested systems back online. (By the way, when was the last time you completed a full recovery test? A backup that has never been restored is an assumption, not a plan.) It’s also important that your recovery plan not only complements organisational compliance objectives but also satisfies the regulatory requirements for data security that apply to you.
How are our compliance obligations being managed?
Achieving and maintaining network and regulatory compliance is a rigorous process that requires constant monitoring, testing, and documentation. When an incident occurs that mandates reporting, there must be a plan in place for doing so. Records must be available to inform investigators and to provide outside authorities with evidence that your organisation did the right thing both before the event and in response to it. If your organisation works with (or wants to work with) government agencies, there will be further compliance considerations depending on your location.
What is our worst-case scenario?
In one dramatic example of the importance of maintaining healthy network operations, a major network services provider was knocked offline for 20 hours because of an erroneous code update. The outage affected business and residential telephone and internet service, 911 emergency services, and critical commercial services for tens of thousands of customers. In the short term, the outage cost the company $150 million in customer credits. Over the longer term, the company has pledged to spend $10 billion to improve IT operations oversight, conduct testing, and make capital improvements. These costs do not include increased customer churn, loss of reputation, and the other financial penalties that commonly follow service outages and security incidents.
Restorepoint Can Help
These questions may be difficult to answer today, but it is far better to have conversations around these issues in advance rather than to address them following an event like a major service outage or security incident. Having the right tools in place to automate repetitive and programmatic processes like audits and backups is vital to ensuring that network compliance is fast, accurate, and fully documented. Otherwise, when left to traditional manual work, the risks and costs are far too high.
Restorepoint can help by not only automating the steps required for network compliance, but for change management as well. When these processes are automated, your IT teams can save as much as 40% of their time by shifting from repetitive, manual tasks and focusing on higher level operations, saving an average of 15,000 total labour hours per year—and with better results. Contact Restorepoint for more information or to learn how we can help you.