5 CEO considerations for maturing your credit union’s cyber posture
In 2020, $350 million was paid out for ransomware attacks and the average cost of a breach was over $8.5 million. If your credit union is not seriously prioritizing its cybersecurity posture in 2022, it’s time to start.
To protect their members, CEOs and senior leadership must be cyber-aware to ensure they have an effective cybersecurity program in place. The following are some considerations for CEOs and their leadership teams to take in maturing their credit union’s cyber posture.
Discuss cybersecurity regularly with leadership
CEOs and their teams should discuss frequently, in their leadership meetings, how best to respond to the ever-evolving threat landscape. A risk management team should be reporting all risks to the senior leadership group, and those risks should include cybersecurity. Therefore, the risk management team should include cybersecurity or IT representation.
It is recommended to discuss cybersecurity once per month — at minimum once per quarter — or any time a new major risk occurs. Your credit union is always under attack. Ask your IT leaders about recent threats that have occurred, their impact, the response, and what lessons were learned to be applied moving forward.
Prioritize regular cybersecurity training for leadership
As part of a top-down approach to cybersecurity, the leadership team should keep up to date on cybersecurity best practices periodically through training and security reminders from the IT team. Ideally this training would occur yearly and address topics like the various types of threat actors and their tactics.
Stay on top of business continuity and disaster recovery planning with leadership
Integrate your cyber risk management with your business continuity strategy. CEOs and senior leadership play an important role in the development and execution of a business continuity and disaster recovery plan. It should be reviewed annually or as major changes are made to your infrastructure and business services.
Conduct third-party assessments and tabletop exercises
Conducting a third-party assessment of the maturity of your cyber program is a great step toward increasing its effectiveness. The assessment will show what your organization is doing well and what gaps need to be addressed.
Tabletop exercises covering cybersecurity, business continuity, and disaster recovery are useful tools for your IT leaders to walk through potential risk and event scenarios, evaluate cybersecurity posture, and identify potential gaps.
The insights provided by both can spark discussion between your leadership team and IT leaders and help identify the resources IT needs to mature your security stance.
Evaluate whether your available resources can effectively handle the evolving cyber risk
Many CEOs and senior leaders are concerned with cyber maturity but are also responsible for driving many growth-focused initiatives. Resources are limited. Throw into the mix the cyber talent shortage and the Great Resignation — the latter of which highlights key person dependency risk, especially in IT — and it can quickly become overwhelming.
When it comes to allocating your resources to cybersecurity, there are two options: grow and develop your in-house cyber team or outsource to a Managed Security Services Provider (MSSP). Building an in-house cyber team would require you to find and retain people who are well-trained, ensure they are continually certified as the threat landscape evolves, and have staff that can be available for 24×7 continuous cybersecurity monitoring.
Outsourcing to an MSSP will open you up to a pool of experienced talent that will help the leadership team to stay up to date on the latest evolving threats, provide 24×7 monitoring for threat detection and remediation, conduct security gap and vulnerability assessments, and provide end user training.
It’s important for CEOs and senior leaders to regard cybersecurity as the enterprise-level risk that it is. By taking these considerations into account, leaders will be well on their way to ensuring the continual maturity of their cyber posture.