The Sri Lanka Institute of Directors (SLID), together with EY, recently organized a webinar on “Security of Information Assets: What the Board Needs to Know”, moderated by Manil Jayasinghe, Partner, EY. The session aimed to update Board members’ knowledge and understanding of the growing cyber security risks and threats to an organization’s information assets, driven by the rapid wave of digitalization and the resulting changes in how organizations work in response to the on-going pandemic.
The webinar also discussed strategies and best practices for mitigating these risks and securing information assets while ensuring business continuity, loss minimization and quick, safe recovery in the event of a breach. The keynote address was delivered by Dileepa Lathsara, CEO, TechCert, and the panel comprised eminent tech and business leaders Madu Ratnayake, Executive Vice President, CIO/GM, Virtusa, and D. Soosaipillai, INED of Listed Companies.
“It is important to define what information assets are so that security can be provided to those assets. Contrary to the misconception that information assets are only the application systems or the systems that staff work on and the data that resides on those systems, information assets include supporting infrastructure such as switches, patch panels, routers, servers and all other equipment, and application systems including confidential corporate information in those systems. It is also important to identify where corporate information is stored and who has access to it,” said Dileepa Lathsara, CEO, TechCert.
“Boards should get involved in handling cyber security risk by firstly setting a security tone for the organization so that everyone takes security seriously, and also by ensuring that the required resources are made available. Boards can focus on the actual requirements of information security by adopting and adhering to security frameworks, standards, acts and directives such as NIST, the ISO 27000 series and PCI DSS, rather than having the IT security team re-invent the wheel,” he added.
He further stated that cyber security should be incorporated into the digital transformation chain and should not be a mere afterthought plugged in at the end. Cyber accountability is also important: it is the organization’s ability to demonstrate good cyber hygiene so that, in the event of an attack, it can trace the incident back to a unique event, person or group responsible with admissible evidence, which also aids quick rectification and recovery. Dileepa also emphasized the importance of making informed and optimal investments in cyber security mitigation. These are best evaluated using Annualized Loss Expectancy (ALE) rather than ROI, since security is about loss prevention and not about earnings. ALE is calculated as the cost of a security incident multiplied by the chance that the incident will occur in a year.
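As an added illustration of the ALE approach described above (not material from the webinar or its speakers), the following script compares candidate controls for a single risk by the ALE they avoid net of their own annual cost; all names, costs and probabilities are constructed for the example.

```python
# Added example: choosing a security investment by Annualized Loss
# Expectancy (ALE) rather than ROI. All figures below are constructed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    single_loss_expectancy: float     # cost of one incident (SLE)
    annual_rate_of_occurrence: float  # chance/expected count of incidents per year (ARO)

    def ale(self) -> float:
        # ALE = cost of a security incident x chance it occurs in a year
        return self.single_loss_expectancy * self.annual_rate_of_occurrence


@dataclass
class Control:
    name: str
    annual_cost: float
    sle_factor: float = 1.0  # fraction of the loss remaining after the control (1.0 = no effect)
    aro_factor: float = 1.0  # fraction of the likelihood remaining after the control

    def residual_ale(self, risk: Risk) -> float:
        # ALE that remains once the control reduces impact and/or likelihood
        return (risk.single_loss_expectancy * self.sle_factor
                * risk.annual_rate_of_occurrence * self.aro_factor)

    def net_benefit(self, risk: Risk) -> float:
        # Expected loss avoided per year minus the control's cost;
        # a negative value means the control costs more than it saves.
        return risk.ale() - self.residual_ale(risk) - self.annual_cost


def best_control(risk: Risk, controls: List[Control]) -> Optional[Control]:
    """Return the control with the largest positive net benefit, or None if
    every option would cost more than the loss it prevents."""
    worthwhile = [c for c in controls if c.net_benefit(risk) > 0]
    return max(worthwhile, key=lambda c: c.net_benefit(risk)) if worthwhile else None


# Constructed sample data: one ransomware scenario and three candidate controls
RANSOMWARE = Risk("ransomware on file servers", single_loss_expectancy=400_000,
                  annual_rate_of_occurrence=0.25)
CONTROLS = [
    Control("offline, tested backups", annual_cost=20_000, sle_factor=0.25),
    Control("EDR on all endpoints", annual_cost=50_000, aro_factor=0.4),
    Control("gold-plated DR site", annual_cost=150_000, sle_factor=0.1, aro_factor=0.8),
]

if __name__ == "__main__":
    print(f"ALE without controls: {RANSOMWARE.ale():,.0f}")
    for c in CONTROLS:
        print(f"{c.name:<28} net benefit {c.net_benefit(RANSOMWARE):>+10,.0f}")
    chosen = best_control(RANSOMWARE, CONTROLS)
    print("Recommended:", chosen.name if chosen else "none (accept the risk)")
```

With these constructed figures the backups option avoids the most loss for its cost, while the DR site, despite the largest ALE reduction, is rejected because its cost exceeds the loss it prevents.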
Panelist Madu Ratnayake said that it is essential and fundamental to have the right people in the security team, led by a CISO (Chief Information Security Officer), and that cyber security is a journey and not a destination, as security is constantly evolving. Boards should include members who have expertise in security, given that most companies are going digital and the risk becomes crucial.
Panelist D. Soosaipillai said that the first thing is to find a security standard to be adopted in the organization, without which there will be limitless spending on security without knowing what the benefits are. The organization should have a security vertical, such as a CISO or an IT Security function, which is where the Board will look to establish ownership of IT security. He also suggested that the Board commission regular, if not half-yearly, Vulnerability Assessment and Penetration Testing (VAPT) by external third parties of the organization’s systems and security matrix.