Boards have contended with many risks recently, from the pandemic to supply chain disruptions, from the war in Ukraine to the threat of recession. But one risk should always remain top of mind: cyber risk. Cybersecurity should be a priority not only at the company on whose board a director sits, but also within that company's ecosystem of vendors and customers, and at the governments of the countries in which those parties do business.

Sudhir Kondisetty, a partner, consulting leader and national IT risk leader at RSM US LLP, sat down with Directors & Boards (D&B) to discuss the board's role in addressing cyber risk, including how to mitigate potential attacks.

Below is a transcript of the discussion; the conversation has been edited for clarity and length.

D&B: Sudhir, can you walk us through the potential infrastructure risks and concerns around cyber risk?

Kondisetty: It has really changed over the last decade. In the past, the focus of cyber risk was on building perimeter defenses, including firewalls and external devices, to protect your internal data and systems. However, with the growth of cloud applications and the outsourcing of data centers, we have seen that very little information is stored exclusively within the organization.

Over the past few years there has been a renewed focus on the question: how do you protect your data wherever it resides? Consider cloud due diligence, data center due diligence, vendor risk management, looking at all the attack vectors an intruder could use, not just against you, but also against your vendors. That is the biggest change we have seen in the cybersecurity space over the last 10 years.

D&B: As a current board member at RSM, you have a unique perspective on how boards view this type of risk. What do you recommend boards do to address these risks, that is, cloud risk and external risk?

Kondisetty: It is twofold. First, you really need to dig into what your security department and IT department are doing. If you get the answer, "They've just outsourced it, so everything's fine; they don't have to worry about the problem," that is the problem. You have to make sure they understand that their responsibility for security does not stop once it has been outsourced.

You need to dig into how they are conducting due diligence on their vendors. What are their responsibilities relative to the vendor's responsibilities? That is when most attacks occur. They originate from inside, meaning someone's desktop or mobile device is compromised and sends information out. That person may have trusted access to an application in the cloud, and they're pulling data down, and now that's available. Your security and IT departments are still responsible for the internal network.

But I think the most important thing is, security is not absolute. I think we have seen Fortune 100 companies that spend millions of dollars on security infrastructure and personnel, and government agencies, get hacked and suffer data loss. The idea must be, it's not a matter of if we're going to be hacked, it's whether we're going to be in a position where we could suffer data loss.

Having a good plan to respond to an intrusion is very important. A breach is a big deal. We don't like to use the word breach until it really is a breach. But knowing how to identify it, having a plan in place, knowing who you are going to call: being prepared before an incident happens is very important.

D&B: Do you recommend that boards help build that muscle through incident response drills or tabletop exercises?

Kondisetty: Absolutely. Just like you do with a disaster, you go through the exercises. You don't actually have to call the FBI. You don't actually have to execute the plan. But, yes, a tabletop exercise making sure people are available.

I've seen some clients actually pull the plug on the internet. Those that can operate predominantly in business hours can take the step of actually disconnecting and seeing what happens. That really gives you a little extra protection and understanding: if this system is down, how does it affect other systems? I would go so far as to investigate whether that's possible. If not, then a tabletop exercise with everyone participating is a good idea.

D&B: What key advice do you have for board members as they consider cyber risk? It's easy to say this is too technically complicated. What can they do to be better at this?

Kondisetty: One important thing is, when you are selecting board members, have someone on the board who's technically savvy. That doesn't mean they have to be a security engineer or a core programmer or anything like that. But they should have a technical background and an understanding of technology.

Number two, I would get regular updates from the security office, or, if you don't have a security office, the CIO, on what is happening on the security front. We, for example, meet quarterly with our CIO and CSO together in one of our committees, and then they do an annual presentation to the board. This allows us to see trends, what struggles they're facing, what new technology they're putting in place.

Security is always changing, and you need a steady cadence of communication from management to really understand what is going on.

