
Cyber Guardians

by Wiley

Sold out

Price $40.00 (original price $40.00)
Description

A comprehensive overview for directors aiming to meet their cybersecurity responsibilities

In Cyber Guardians: Empowering Board Members for Effective Cybersecurity, veteran cybersecurity advisor Bart McDonough delivers a comprehensive and hands-on roadmap to effective cybersecurity oversight for directors and board members at organizations of all sizes. The author includes real-world case studies, examples, frameworks, and blueprints that address relevant cybersecurity risks, including the industrialized ransomware attacks so commonly found in today’s headlines.

In the book, you’ll explore the modern cybersecurity landscape, legal and regulatory requirements, risk management and assessment techniques, and the specific role played by board members in developing and promoting a culture of cybersecurity. You’ll also find:

  • Examples of cases in which board members failed to adhere to regulatory and legal requirements to notify the victims of data breaches about a cybersecurity incident and the consequences they faced as a result
  • Specific and actionable cybersecurity implementation strategies written for readers without a technical background
  • What to do to prevent a cybersecurity incident, as well as how to respond should one occur in your organization

A practical and accessible resource for board members at firms of all shapes and sizes, Cyber Guardians is relevant across industries and sectors and a must-read guide for anyone with a stake in robust organizational cybersecurity.

Table of Contents

  • Preface: What to Expect from This Book xv
  • Chapter 1 Introduction 1
    • Summary of a Board’s Incident Response 5
    • Checklist for a Board’s Incident Response 8
  • Chapter 2 Cybersecurity Basics 11
    • CIA Framework 13
    • Key Cybersecurity Concepts and Terminology for Board Members 19
      • Threats and Risks 19
      • Vulnerabilities and Exploits 20
      • Malware 21
      • Social Engineering 22
      • Encryption and Data Protection 23
      • Authentication and Access Control 24
    • Common Cyber Threats and Risks Faced by Companies 26
      • Phishing 26
      • Malware 27
      • Ransomware 28
      • Business Email Compromise 29
      • Insider Threats 30
      • Third-Party Risk 31
      • Mistakes/Errors 32
    • Emerging Threats 33
      • Advanced Persistent Threats 34
      • Supply Chain Attacks 35
      • Data Destruction 36
      • Zero-Day Exploits 37
      • Internet of Things Attacks 38
      • Cloud Security 39
      • Mobile Device Security 40
    • Key Technologies and Defense Strategies 42
      • Firewall Technology 42
      • Intrusion Detection/Prevention Systems 43
      • Encryption 44
      • Multifactor Authentication 45
      • Virtual Private Network 46
      • Antivirus and Anti-malware Software 47
      • Endpoint Detection and Response 48
      • Patch Management 49
      • Cloud Technology 49
      • Identity and Access Management 50
      • Mobile Device Management 51
      • Data Backup and Recovery 52
      • Zero-Trust Architecture 54
      • Micro-segmentation 55
      • Secure Access Service Edge 56
      • Containerization 56
      • Artificial Intelligence and Machine Learning 57
      • Blockchain 59
      • Quantum Computing 61
    • Threat Intelligence 64
      • What Is Threat Intelligence? 65
      • How Can Threat Intelligence Help Organizations? 65
      • What Should Board Members Know About Threat Intelligence? 66
    • Threat Actors 67
      • External Threat Actors 68
        • State-Sponsored Attackers 68
        • Hacktivists 70
        • Cybercriminals 70
        • Competitors 72
        • Terrorists 72
      • Internal Actors 73
        • Employees 73
        • Contractors 75
        • Third-Party Vendors 76
      • Motivations of Threat Actors 77
        • Financial Gain 77
        • Political and Strategic Objectives 78
        • Ideological Beliefs 79
        • Personal Motivations 80
      • Tactics, Techniques, and Procedures 81
        • Examples of TTPs Used by Different Threat Actors 81
        • MITRE ATT&CK Framework 83
    • Chapter 2 Summary 85
  • Chapter 3 Legal and Regulatory Landscape 87
    • Overview of Relevant Cybersecurity Regulations and Laws 90
      • Federal Regulations in the United States 90
        • The Federal Trade Commission Act 90
        • The Gramm-Leach-Bliley Act 92
        • The Health Insurance Portability and Accountability Act 94
      • State Regulations in the United States 97
        • Data Breach Notification Laws 97
        • California Consumer Privacy Act 99
      • European Union Regulations 101
        • General Data Protection Regulation 101
        • Network and Information Security Directive 102
        • ePrivacy Directive 104
      • Industry Standards 105
        • Payment Card Industry Data Security Standard 105
        • National Institute of Standards and Technology 107
      • Securities Exchange Commission 108
        • 2011 Cybersecurity Disclosure Guidance 108
        • 2018 Cybersecurity Disclosure Guidance 108
        • 2023 Proposal for New Cybersecurity Requirements 109
    • Discussion of Compliance Requirements and Industry Standards 112
      • Compliance Requirements 112
        • Sarbanes-Oxley Act 112
        • New York State Department of Financial Services Cybersecurity Regulation 114
      • Industry Standards 117
        • Center for Internet Security Controls 117
        • International Organization for Standardization 27001 118
    • Individual Director Liability 120
    • Chapter 3 Summary 124
  • Chapter 4 Board Oversight of Cybersecurity 127
    • The Board’s Role in Overseeing Cybersecurity Strategy 129
    • Legal Responsibilities 130
    • Developing an Effective Cybersecurity Governance Framework 131
    • Best Practices for Board Engagement and Reporting 133
      • Regular Reporting 133
      • Use of Metrics 134
      • Executive Briefings 136
      • Cybersecurity Drills 137
      • Independent Assessments 138
    • Overcoming Objections to Effective Cybersecurity Oversight 139
    • Promoting a Cybersecurity Culture 141
    • Chapter 4 Summary 143
  • Chapter 5 Board Oversight of Cybersecurity: Ensuring Effective Governance 145
    • The Role of the Board in Overseeing Cybersecurity 147
    • Developing an Effective Cybersecurity Governance Framework 150
      • Conduct a Cybersecurity Risk Assessment 150
      • Implement a Threat Intelligence Program 150
      • Develop a Risk Management Framework 150
      • Prioritize High-Impact Risks 151
      • Regularly Review and Update Risk Management Strategies 151
    • Strategies for Identifying, Assessing, and Prioritizing Cyber Risks 152
    • Conducting Cybersecurity Risk Assessments 154
    • How to Develop and Promote a Culture of Cybersecurity 156
    • Chapter 5 Summary 158
  • Chapter 6 Incident Response and Business Continuity Planning 161
    • Implementing Cybersecurity Policies and Procedures 164
    • Incident Response and Business Continuity Planning 165
      • Incident Response Plan 166
      • Business Continuity Planning 166
    • Incident Response Planning 167
    • Defining the Types of Assessments 170
      • Penetration Testing 170
      • Vulnerability Scanning 171
      • Security Risk Assessments 173
      • Threat Modeling 174
      • Social Engineering Assessments 175
      • Compliance Assessments 176
      • Red Team/Blue Team Exercise 177
    • Chapter 6 Summary 178
  • Chapter 7 Vendor Management and Third-Party Risk 181
    • The Importance of Third-Party Risk Management for Board Members 183
    • Best Practices for Managing Third-Party Cyber Risk 184
    • Legal and Regulatory Considerations in Third-Party Risk Management 185
    • Sample Questions to Ask Third-Party Vendors 187
    • Chapter 7 Summary 189
  • Chapter 8 Cybersecurity Training and Awareness 191
    • Importance of Cybersecurity Awareness for All Employees 193
    • Strategies for Providing Effective Training and Awareness Programs 195
    • More Detail on Effective Training Strategies 198
    • Chapter 8 Summary 200
  • Chapter 9 Cyber Insurance 201
    • Understanding Cyber Insurance 202
      • What Is Cyber Insurance? 202
      • Why Is Cyber Insurance Important? 203
      • Evolution of Cyber Insurance 204
      • The Role of the Board in Cyber Insurance 204
    • Key Components of Cyber Insurance 205
      • Types of Coverage 205
      • Policy Limits and Deductibles 206
      • Exclusions 207
      • Retroactive Dates 207
      • Policy Periods 208
      • Cyber Risk Assessments 208
    • Evaluating and Purchasing Cyber Insurance 209
      • Assessing the Organization’s Risk Profile 209
      • Determining the Appropriate Level of Coverage 210
      • Selecting an Insurer 211
      • Negotiating Terms and Conditions 211
      • Implementing the Policy 212
    • Managing and Reviewing the Cyber Insurance Policy 213
      • Filing a Claim 213
      • Managing a Claim Dispute 214
      • Reviewing and Renewing the Policy 214
    • Chapter 9 Summary 215
  • Chapter 10 Conclusion: Moving Forward with Cybersecurity Governance 219
    • The Board’s Role in Cybersecurity Governance 222
    • Key Takeaways and Action Items for Board Members 225
    • Chapter 10 Summary 226
  • Appendix A Checklist of Key Considerations for Board Members 229
  • Appendix B Sample Questions 231
  • Appendix C Sample Board Meeting Agenda 233
  • Appendix D List of Key Vendors 235
  • Appendix E Cybersecurity Resources 237
  • Appendix F Cybersecurity Books 239
  • Appendix G Cybersecurity Podcasts 241
  • Appendix H Cybersecurity Websites and Blogs 243
  • Appendix I Tabletop Exercise: Cybersecurity Incident Response 245
  • Appendix J Articles 249
  • About the Author 253
  • Acknowledgments 255
  • Index 257

BART R. McDONOUGH, the CEO and Founder of Agio, uses his extensive 20-plus years of IT and cybersecurity expertise to decode complex cybersecurity subjects, establishing him as a reliable resource for clients. His acclaimed book Cyber Smart provides a user-friendly guide to navigating the intricate landscape of cybersecurity for professionals and families alike. In addition to his role as a strategic cybersecurity advisor to boards, McDonough has also contributed valuable insights and perspectives as a member of several boards. Throughout his notable career, he has offered expert cybersecurity counsel to some of the world’s premier money managers. Bart received his undergraduate degree from the University of Connecticut and his Master’s degree from Yale University.

Cybersecurity remains an urgent concern for businesses of all sizes as the risks posed by a potential attack continue to rise. The consequences of an industrialized ransomware attack—as well as other types of cybersecurity breaches—can be profound, leading to financial loss, reputational damage, and legal consequences and costs for companies, directors, and officers alike.

In Cyber Guardians: Empowering Board Members for Effective Cybersecurity, veteran cloud and on-premises IT security advisor Bart McDonough delivers a comprehensive guide for board members seeking to fulfil their duties in cybersecurity oversight. Written for those without a technical background, this book outlines the contemporary cybersecurity landscape, legal and regulatory requirements, the importance of risk management and assessment, and the particular role played by board members in developing and promoting a culture of cybersecurity.

The author includes real-world case studies and examples of cybersecurity incidents, including those in which data breach notification laws were violated and the involvement of boards of directors in those cases. You’ll learn what to do—and what not to do—both to prevent a data or cybersecurity incident and how to respond should one occur.

Cyber Guardians guides you on how to formulate a proactive, robust approach to cybersecurity, helping you design a program uniquely suited to your firm’s needs. You’ll gain insights on adhering to specific regulatory mandates—including the FTC Act, CCPA, GDPR, and SEC regulations—while evaluating the potency of your current cybersecurity infrastructure.

A must-read resource for board members at companies of all sizes and in any industry, Cyber Guardians will also prove invaluable to technical professionals seeking to understand the directorial perspective on cybersecurity.

AN EASY-TO-READ BLUEPRINT FOR CONTEMPORARY CYBERSECURITY THAT RESPONDS TO TODAY’S MOST URGENT RISKS

Cyber Guardians: Empowering Board Members for Effective Cybersecurity is an insightful and comprehensive discussion of how to apply contemporary cybersecurity best practices to companies of all shapes and sizes. In the book, veteran cybersecurity advisor Bart McDonough walks you through how to fulfil your directorial responsibilities as a board member at an organization with respect to IT and data security.

Written specifically for those without an extensive technical background, the book teaches you the current cybersecurity landscape, the legal and regulatory requirements you’re bound by, and the importance of risk management and assessments in the maintenance of responsible cybersecurity policies and frameworks. It also includes real-world case studies and examples of cybersecurity done right and wrong, demonstrating the consequences to organizations and board members of failing to comply with relevant legislation and regulations.

Cyber Guardians is the intuitive and practical guide that officers, directors, and managers across organizations of any size have been seeking, paving the way towards responsible cybersecurity, without compromising accessibility.


Authors: Bart R. McDonough

Publisher: Wiley

ISBN-13: 9781394226221

Binding: Hardback

BISAC: COMPUTERS

Language: English
