Issue Twenty Six

Target Lock

June 2023

In the dynamic realm of the digital world, the thin line between opportunity and risk is where organizations navigate daily, especially when it comes to cybersecurity. According to a disquieting report by the National Association of Corporate Directors (NACD), corporate boards are often engaged in the wrong conversations about cybersecurity. The resulting misalignment with their Chief Information Security Officers (CISOs), misplaced focus on protection rather than resilience, and a lack of understanding of cybersecurity as an organizational and strategic imperative, are creating considerable security vulnerabilities. If we are to avoid this perilous path, we must redirect our conversations and ensure that board directors and CISOs are on the same page, concentrating on resilience and recognizing the organizational implications of cybersecurity.

In parallel, organizations are finding themselves amidst a storm of data privacy concerns with AI tools like ChatGPT. While these AI tools promise unrivaled efficiencies, their usage must be tempered by an acute awareness of the potential risks involved. This understanding is far from widespread. Many users unknowingly expose sensitive information or create data trails that could potentially be exploited, raising critical concerns about privacy and security. As we increasingly leverage such tools, it is imperative that we understand their intricacies, minimize data sharing, and enhance our efforts to maintain digital safety.

However, there's a transformative approach on the horizon, heralding a new era in cybersecurity strategy - the adoption of an outcome-based cybersecurity model. As reported by Forrester Consulting, a surprising majority of organizations invest in cybersecurity solutions that often do not align with their strategic goals, leading to ineffective and reactive responses to threats. The solution lies in an outcome-based approach, aligning security controls, threat models, and security investments with specific business outcomes, thereby maximizing the value of cybersecurity efforts.

This month’s issue of Target Lock stands at this pivotal juncture, where we embrace innovative approaches and intertwine cybersecurity initiatives with business objectives - a journey that is well worth embarking upon.


ZEROING IN


What Not To Share With ChatGPT If You Use It For Work

AOL

ChatGPT is a tool that's as captivating as it is powerful. Sure, it can draft emails, brainstorm ideas, or even engage us in insightful conversations. The real question isn't about what ChatGPT can do, but rather, what we should share with it.

Now, consider this: every time you interact with ChatGPT, your data can be potentially accessed by unauthorized individuals. This isn't a scare tactic—it's a fact. OpenAI has taken steps to protect your data, but remember, no system is entirely breach-proof. And before anonymization occurs, your raw conversations lie there, accessible. That's a sobering thought.

By default, ChatGPT uses our interactions to improve itself. Yes, we contribute to its learning. We have the power to opt out, but even in 'incognito mode', our data remains on the servers for 30 days. This isn't just a conversation with a chatbot—it's a data trail we're leaving behind.

Now, imagine the potential repercussions in a professional setting. There have been cases where sensitive company information was unintentionally revealed. Companies have taken note and are setting strict guidelines against its use. This isn't a denial of ChatGPT's utility, but a call for mindful utilization.

It is vital to resist the temptation to use ChatGPT as a personal confidante. Our intimate thoughts and feelings, stored on a server, can be a privacy nightmare. It's a situation that calls for caution rather than comfort.

So, we must be proactive. If you choose to harness the benefits of ChatGPT, do so with a healthy dose of discretion. Navigate to your settings, disable your chat history, clear your chats. This is about taking control of your data. We must place as much emphasis on our digital safety as we do on our physical safety.

We must extend our understanding beyond these immediate implications and consider broader societal aspects as well. ChatGPT, like any tool, has its strengths and weaknesses, which are determined by the way we choose to use it. By using it wisely, we can unlock its full potential, while protecting our private lives and sensitive information.

There's another aspect that requires our careful consideration - the seductive illusion that ChatGPT, or any AI, is more than a tool. This 'Eliza effect', where we ascribe human-like intelligence and emotions to inanimate programs, can lead us down a path where we share more than we should. It's important to realize that despite the complexity of its algorithms, ChatGPT doesn't understand or empathize with us. It's just processing information and storing that data somewhere accessible.

Even if your discussions are innocent or mundane, remember that privacy isn't about hiding secrets, it's about protecting your right to control your personal information.

We're all part of this dynamic digital world, and we must continually adapt to its changes. It's not about fear, but about being informed and prepared. We must recognize the risks, understand the tools at our disposal, and make educated choices. That's how we truly tap into the power of tools like ChatGPT, without compromising our privacy or security.

With knowledge comes power, and with that power comes the responsibility to make wise choices. If we choose to embrace the possibilities of AI like ChatGPT we must use them in a way that not only enhances our lives, but also safeguards our precious personal information.

SQ Insight: Adam Brewer - Chief Executive Officer


Boards Are Having the Wrong Conversations About Cybersecurity

Harvard Business Review

According to a recent report by the National Association of Corporate Directors (NACD), many boards are having the wrong conversations about cybersecurity, creating a significant security problem for their organizations. Although boards say cybersecurity is a priority, they have a long way to go in providing the necessary oversight to assist their organizations in becoming resilient to cyberattacks. Research shows that despite investments of time and money, most directors still believe their organizations are at risk of a material cyberattack within the next 12 months, and almost half believe they are unprepared to deal with a targeted attack.

One of the major issues identified is the lack of interaction between boards and their Chief Information Security Officers (CISOs). Fewer than half of board members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. This communication gap and board-CISO misalignment hinder progress in cybersecurity. Director-CISO engagement between board meetings would help forge strategic partnerships with CISOs and enable directors to ask better questions and understand the answers they receive.

Another issue is that boards tend to focus on protection only, rather than on resilience. While 76% of board members believe they have made adequate investments in cyber protection, their investments may not be in correctly aligned areas. Boards must assume, for planning purposes, that their organizations will experience a cyberattack of some type and prepare to respond and recover with minimal damage, cost, and reputational impact. In order to shift the focus to resilience as the primary goal of cybersecurity, directors could ask their operating leaders to create a vision for how the company will respond and recover when an attack occurs.

Additionally, many boards view cybersecurity as a technical-only topic, yet it has become an organizational and strategic imperative. When boards view cybersecurity as only a technical issue, it is treated as too operational a matter to receive the necessary board attention. Directors may shy away from asking difficult questions because they feel they are not knowledgeable enough about technical concepts to properly articulate the question or even to understand the answer. Viewing cybersecurity as an organizational issue shifts the discussion from a technical matter to an oversight and management challenge.

The report recommends that boards should ask questions such as, “What is the technical risk to our business from potential cybersecurity incidents?” “What are we doing about tempering any damage resulting from the realization of that risk?” “What is the organizational risk from potential cyber incidents and what are we doing to quickly recover from the consequences?” And, “What is the supply chain risk from potential cybersecurity incidents and what are we doing about it so we do not lose a day of production?”

Moreover, the lack of cybersecurity expertise on boards can create additional vulnerabilities for the organizations they serve. In 2022, the SEC proposed more explicit recommendations for cybersecurity risk management, governance, and disclosure for public companies, and it’s expected that these proposals will become requirements. That means that boards must have clearer oversight of cybersecurity risk and include explicit cybersecurity expertise on the board.

To bring cybersecurity expertise into the boardroom, board composition may well need to change. Board members may need to gain cybersecurity expertise through frequent conversations about cybersecurity-generated risk, training, and development programs, and boards may need to add colleagues with radically different business and professional backgrounds from those of current board members.

Finally, the report finds that failing to show that cybersecurity is a priority for the board sends the wrong message to the organization. Research found that almost a quarter of boardrooms do not view cybersecurity as a priority, and many do not even regularly discuss the topic. Making cybersecurity a priority for the board is a commitment, not merely an annual update. Directors’ personal actions send messages to the senior leaders. By making cybersecurity a personal priority through actions and investment of time and attention, directors demonstrate how critical it is.

Cybersecurity is no longer just a technical issue, but an organizational and strategic imperative that requires the attention of the board. Boards that fail to prioritize cybersecurity and have the wrong conversations about it put their organizations at significant risk. By focusing on resilience and asking the right questions, boards can provide better oversight of cybersecurity risk and ensure that their organizations are prepared to respond to cyberattacks with minimal damage, cost, and reputational impact.

"By making cybersecurity a personal priority through actions and investment of time and attention, directors show how important it is."

SQ Insight: Kenneth Holley - Chairman


Adopting Outcome-Based Cybersecurity

TechRepublic

According to a recent report by Forrester Consulting on behalf of WithSecure, many companies still invest in tactical and reactive cybersecurity solutions that don't align with their organization's strategic goals and can often hinder progress. Only 20% of respondents said their organization has complete alignment between cybersecurity priorities and business outcomes. This suggests that cybersecurity that does not align with business goals is flawed.

To enhance cybersecurity in businesses, the report recommends adopting an outcome-based approach that aligns with the organization's objectives and goals. This can be achieved by mapping security controls, threat models, and security investments to agreed-upon business outcomes. Compared to traditional threat, activity-based, and ROI-based methods, an outcome-based approach simplifies cybersecurity by focusing on initiatives that facilitate business success. By accurately comprehending business goals, security leaders can invest in the appropriate areas and explain to stakeholders how their cybersecurity initiatives and investments directly contribute to specific objectives and overall business success. Aligning cybersecurity investments with business goals and outcomes enables businesses to prioritize investments and achieve maximum value from their cybersecurity efforts.

It's worth noting that 75% of those surveyed stated that their organization's board of directors is giving more attention to cyber-risk management. This increased focus is essential for good governance. However, half of the companies reported difficulties in measuring the value of cybersecurity, obtaining reliable and useful data, and presenting meaningful cybersecurity metrics to the board. Many organizations still face challenges regarding skill gaps and limited resources, which hinder the implementation of effective cybersecurity measures.

An outcome-based approach still requires a cybersecurity risk/maturity assessment (such as the Silent Quadrant Cybersecurity Risk Assessment) to ensure that priorities correlate with the outcomes the business is trying to achieve. If a particular objective does not require the highest level of cybersecurity maturity, resources can be shifted based on the risk profile and the organization’s priorities. The goal may, therefore, not be 100%, but rather to understand the organization’s cybersecurity risks measured against the desired business outcome.

Additionally, an outcome-based approach will strengthen third-party risk management. Procurement and legal personnel can fashion purchasing, services, or other contractual agreements to ensure that the product or service is delivered consistent with the security requirements necessary to meet the particular business objective.

An outcome-based approach enables an organization to align its cybersecurity initiatives with broader business objectives. When cybersecurity is prioritized as an enterprise issue, along with a clear understanding of business outcomes, cybersecurity leaders can take a holistic approach and ensure that cybersecurity initiatives align with and enable businesses to achieve their objectives.

SQ Insight: Tony Ogden – President, GRC


Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
