CYBER SECURITY AND RISK MANAGEMENT
Put cyber security on the agenda before it becomes the agenda
Cyber security risks are a constantly evolving threat to an organization's ability to achieve its objectives and deliver its core functions.
Security failings in today's information-driven economy can result in significant long-term expense to the affected organizations and substantially damage consumer trust and brand reputation. Sensitive customer information, intellectual property, and even the control of key machinery are increasingly at risk from cyber attack.
The targeting of electronic assets has the potential to make a material impact on the entire organization and possibly its partners.
The topic of cyber security needs to move from being in the domain of the IT professional to that of the Executive and Board, where its consideration and mitigation can be commensurate with the risk posed. The traditional approach to thinking about cyber security in terms of building bigger walls (firewalls and antivirus software) - while still necessary - is no longer sufficient. A holistic approach to cyber security risk management – across the organization, its network, supply chains and the larger ecosystem – is required.
Incorporate cyber risks into existing risk management and governance processes
Cyber security is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cyber security risk as part of an organization's governance, risk management, and business continuity frameworks provides the strategic framework for managing cyber security risk throughout the organization.
Elevate cyber risk management discussions to the Executive
Executive engagement in defining the risk strategy and levels of acceptable risk enables more cost-effective management of cyber risks that are aligned with business needs. Regular communication between the CEO and those held accountable for managing cyber risks provides awareness of current risks affecting the organization and associated business impact.
Implement industry standards and best practices, don’t rely on compliance
A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems. It is supported by processes informed of current threats and enables timely response and recovery.
Compliance requirements help to establish a good cyber security baseline to address known vulnerabilities, but do not adequately address new and dynamic threats, or counter sophisticated adversaries. Using a risk-based approach to apply cyber security standards and practices allows for more comprehensive and cost-effective management of cyber risks than compliance activities alone.
Evaluate and manage your organization’s specific cyber risks
Identifying critical assets and the associated impacts from cyber threats is key to understanding a company's specific risk exposure, whether financial, competitive, reputational, or regulatory.
Risk assessment results are a key input to identify and prioritize specific protective measures, allocate resources, inform long-term investments, and develop policies and strategies to manage cyber risks to an acceptable level.
Provide oversight and review
Executives are responsible for managing and overseeing organizational risk management. Cyber oversight activities include the regular evaluation of cyber security budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.
Develop and test incident response plans and procedures
Even a well-defended organization will experience a cyber incident at some point.
When network defenses are penetrated, an organization should have a clear idea of how to respond. Documented cyber incident response plans that are exercised regularly help to enable timely response and minimize impacts.
Coordinate cyber incident response planning across the organization. Early response actions can limit or even prevent possible damage. A key component of cyber incident response preparation is planning in conjunction with the entire executive, business leaders, continuity planners, system operators, general counsel, and public affairs. This includes integrating cyber incident response policies and procedures with existing disaster recovery and business continuity plans.
Maintain situational awareness of cyber threats
Situational awareness of an organization's cyber risk environment involves timely detection of cyber incidents along with an awareness of current threats and vulnerabilities specific to the organization and associated business impacts.
Analyzing, aggregating, and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly and ensure protective efforts are commensurate with risk.
A network operations center can provide real-time and trend data on cyber events.
Business-line managers can help identify strategic risks, such as risks to the supply chain created through third-party vendors or cyber interdependencies. Sector Information-Sharing and Analysis Centers, government and intelligence agencies, academic institutions, and research firms also serve as valuable sources of threat and vulnerability information that can be used to enhance situational awareness.