ing, high-level cybersecurity strategy tends to be
relatively similar and straightforward across most
organizations: select a cybersecurity framework
(e.g., NIST or ISO), assess the organization’s current
capabilities against that maturity scale, and then prioritize and address gaps.
Consulting firms are assisting with those assessments as well as the comprehensive work required
to address shortcomings. Specific areas in need of attention include application and data security, incident
response practices, and identity management. When
cybersecurity consulting leaders discuss these engagements, four other focal points loom large as enablers
of successful consulting engagements. These areas also
appear likely to generate more client interest over the
Focal Point 1: The Board
Clients and consultants are paying more attention
to the board’s awareness and understanding of cybersecurity issues as well as to what information is
reported to the board committee that oversees cyber
risk. Given that cyber breaches are now a matter of
when, not if, “boards want to know how quickly the
company can handle the breach and get back up and
running,” notes The Santa Fe Group Chairman and
CEO Catherine Allen.
As cyber risks comprise a larger portion of an
organization’s overall risk appetite, board-level adjustments are needed. “Boards may need to restructure their committees and develop new charters
to adequately oversee cybersecurity risk management,” notes Dave Burg, EY Americas cybersecurity leader within the firm’s advisory services.
Clients are also asking for guidance regarding
which executives should present on cybersecurity
to the board and the nature of information those
reports should contain.
Wheeler, whose IBM team regularly conducts tabletop cyberattack exercises for
boards, says that more corporate directors,
boards and C-level executives are treating large cyber breaches as business incidents rather than as the sole purview of the
information security function.
That’s a perspective that needs to be nurtured
in most cases, according to a recent Deloitte