Companies are collecting more personal data than ever before, creating a vast array of privacy concerns. This raises various issues in the way the data is managed, shared and stored. It is an issue not just for compliance teams to look at, but at a broader level, one that everyone from executives at enterprises and startup founders to product managers needs to wrap their heads around.
“Be safe or sorry” has a new definition in a digital economy where millions, if not billions, of data points are transacted globally across borders. A linear perspective of just doing a pen test is not going to suffice for companies any more. We need interdisciplinary teams to come together to create a comprehensive framework, with compliance, governance and cyber being the cornerstones of great product design and not an afterthought. A comprehensive compliance framework could include, but is not limited to, encryption, intrusion detection, backups, audits and PCI compliance frameworks. This not only prepares companies for when an attack occurs but also enables them to respond systematically to the various stakeholders in the event that an unfortunate event does occur.
Regardless of the stage of the company, whether it is an early-stage startup getting ready to scale or an incumbent migrating its data to the cloud, cybersecurity should be given the same level of thought as product managers give to UI, UX and systems architecture.
Part of the due diligence (DD) in our investment mandate is to gauge the risk associated with the companies in our portfolio, both before and after the investment. A number of resources are required to have proper governance structures in place, let alone cybersecurity. We do understand that for startups that are rapidly building products, acquiring customers and testing and validating ideas, security is the last thing on their minds; however, this does not diminish the importance of cybersecurity. Having a thorough governance framework allows the founders and the various stakeholders to assess the risk and mitigate it before an event occurs that compromises the company and its data assets.
When looking at a new investment or trying to gauge the risk profile associated with a company in our portfolio, it is imperative that we get a sense of where they are in terms of corporate governance; therefore, what we usually ask for is a pentest (cybersecurity penetration test). It is essential that this test cover both internal and external exposure if you are assessing risk enterprise-wide.
The critical step in a simple pen test exercise is to understand your exposure. Commonly, the pen test report is handed over to the CTO, CIO or CISO. This report is then summarised for the board, as it is assumed that the board should not have to be across technical jargon, but the report contains two things that we should all be across: 1) the executive summary and 2) which risks and severity levels have been identified. Therefore, the report must be delivered unaltered, with accompanying documentation that lists the remediation actions, the parties responsible and the timeframes. It is not a time for playing blame games; the organisation should pull together to resolve or accept the risks as quickly as possible.
When selecting a vendor, you should consider what you are testing for and if the vendor has the relevant qualifications to do a proper test. If you are unsure as to who to use, then the following link should provide a list of proven companies or individuals in the security space.
As cyber threats evolve, we need to look for ways to oversee cybersecurity risk. An organisation should proactively understand the potential damage a breach can do, but there is often a knowledge and translation deficit that weighs on the responsible parties.
There are some critical questions to be asked about cybersecurity that can help determine whether you have the information you need to oversee cyber risks and evaluate the effectiveness of your company's cybersecurity framework. They also prompt education on the threat landscape facing the organisation and consideration of whether specific measures should be explored further, such as cyber insurance or a cyber incident response plan.
Questions:
Do we have enough information to understand our cyber risks?
Is the current cybersecurity strategy addressing the business risks?
How is sensitive & personal information handled, stored and transmitted?
Is cyber insurance in place?
Is our threat landscape reviewed for currency, and is it tested?
Is there a response plan and has it been tested?
When you are satisfied that these questions have suitable answers, you can be confident about building a thorough framework. Don't forget that this is not a one-time exercise; it will need to be reviewed yearly at a minimum.