Effective management of information risk has never been more critical. Information risk management has been elevated to a board-level issue that should be given the same level of attention afforded to operational risk management and other established risk management practices.
As the global vice president of the Information Security Forum, Steve Durbin includes among his main areas of focus the emerging security-threat landscape, cyber security, consumerization, outsourced cloud security, third-party management and social media across both the corporate and personal environments.
Cyber-attacks are becoming more state-of-the-art and sophisticated with each passing day. Unfortunately, while organizations develop new security mechanisms, cyber criminals are cultivating new techniques to sidestep them. Cyber risk is an ever-growing concern for businesses around the world, as data breaches make headlines with increasing frequency and the resulting financial and reputational costs mount.
One especially sobering example comes from the recent data breach at Target. On December 19, 2013, the company announced their point-of-sale card payment system had been breached, and debit and credit card details for tens of millions of customers had been compromised. As a result, Target is now liable for significant restitution to customers and suppliers, and it will also face closer scrutiny and possible fines from regulators across the country. The company acknowledged a noticeable dip in holiday sales due to the incident, and the reputational damage has been severe.
Of course, Target is not the only recent example of a major organization succumbing to hacker intrusions. Breaches have also been reported at companies such as Snapchat, Yahoo!, Neiman Marcus, Michaels and most recently, Tesco in the UK and Sears in the US. In today’s cyber age, a company’s reputation – and the trust dynamic that exists amongst suppliers, customers and partners – has become a very real target for cybercriminals and hacktivists.
Driving Successful Executive Engagement
Organizations of all sizes are facing a wide range of challenges today, including the insatiable appetite for speed and agility, the growing importance of the full supply chain, and the mounting dependence on diverse technologies.
In many organizations, cyber opportunities and risks have already become a board-level issue, so the cyber security head needs to engage right up to the board of directors. Information strategy and risk should sit comfortably alongside other types of risks that the board already oversees. In order to balance risks vs. rewards, cyber security chiefs must drive engagement broadly across their organizations. To do this, they need to change the conversation so it will resonate with the leading decision-makers while also supporting the organization’s business objectives.
Creating Enterprise Cyber Resilience
Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from future cyber threats that cannot be predicted or prevented. Traditional risk management is insufficient to deal with the potential impacts from unforeseen activities in cyberspace. That’s why enterprise risk management must be extended to include organizational risk and cyber resilience – just ask Target and so many others.
To achieve this goal, I strongly recommend that your organization establish a crisis management plan which includes the implementation of a formal Cyber Resilience Team. This team, made up of experienced security professionals including employees, investors, customers and others, will become the driving force behind your cyber security initiatives. The Cyber Resilience Team will be charged with ensuring that necessary communication takes place between all relevant players, and with making sure all facts are determined for each incident in order to put a comprehensive and collaborative recovery plan in place.
Today’s most successful and cyber-resilient organizations are appointing a coordinator, such as a Director of Cyber Security or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating in cyberspace. This coordinator also highlights the board’s obligations to establish cyber resilience programs that protect the organization’s assets and preserve shareholder value. Such efforts are especially important due to all the new legal aspects of doing business in cyberspace.
Cyber Insurance Anyone?
Data breach liabilities are spreading swiftly. As a result, I’m seeing more organizations respond by purchasing cyber insurance, which has become a viable option for a growing range of organizations and industry sectors.
Privacy exposure has been a key motivator for some organizations to purchase cyber insurance. Others are motivated by growing regulatory exposure. And it’s no longer just the organizations that we’ve traditionally focused on, including financial institutions, retail, healthcare and higher education. These industry groups have been buying insurance for a long time. The healthcare industry players have been particularly large buyers of cyber insurance, due to the enormous volumes of customer data they have to handle. I’m also seeing players in a number of new industries, such as manufacturing and supply chain, who are purchasing cyber insurance because it’s a regulatory concern.
But let me offer a couple of words of warning. First, cyber insurance is no replacement for sound cyber security and cyber resilience practices. On the contrary, well-resourced practices that comply with industry standards can oftentimes reduce the associated premiums for cyber insurance. Secondly, look very carefully at the small print – many policies do not cover state-sponsored attacks and may not provide you with the full financial cover that you would wish.
Securing the Supply Chain
When I look for key areas where information security may be lacking, one place I always come back to is the supply chain. Supply chains are the backbone of today’s global economy. Businesses are increasingly concerned about managing major supply chain disruptions, and rightfully so. In fact, a recent World Economic Forum report (in cooperation with Accenture) entitled “Building Resilience in Supply Chains”, indicates that significant supply chain disruptions reduce the share price of affected companies by as much as seven percent on average.
Security chiefs everywhere are concerned about how open their supply chains are to various risk factors. Businesses must focus on the most vulnerable spots in their supply chains now. The unfortunate reality of today’s complex global marketplace is that not every security compromise can be prevented beforehand. Being proactive now also means that you – and your suppliers – will be better able to react quickly and intelligently when something does happen. In extreme but entirely possible scenarios, this readiness and resiliency may dictate competitiveness, financial health, share price, or even business survival.
How Can the ISF Help Your Organization?
Business leaders recognize the enormous benefits of cyberspace and how the Internet greatly increases innovation, collaboration, productivity, competitiveness and engagement with customers. Unfortunately, they have difficulty assessing the risks versus the rewards. That’s why the Information Security Forum (ISF) has designed its new tools to be as straightforward to implement as possible. These ISF tools offer organizations of all sizes an “out of the box” approach to address a wide range of challenges – whether they be strategic, compliance-driven, or process-related.
For example, the ISF’s Standard of Good Practice for Information Security (the Standard) is the most comprehensive and current source of information security controls available. It enables organizations to adopt good practices in response to evolving threats and changing business requirements. The Standard is used by many organizations as their primary reference for information security. The Standard is updated annually to reflect the latest findings from the ISF’s Research Program, input from our global member organizations, and trends from the ISF Benchmark, along with major external developments including new legislation.
Don’t Find Yourself Left in the Financial and Reputational Ruin
With the complex threat landscape changing on a daily basis, we’re seeing many businesses get left behind, sometimes after incurring reputational and financial damage. In preparation for making your organization more cyber resilient, here is a quick recap of the next steps that businesses should implement to better prepare themselves:
- Re-assess the Risks to Your Organization and its Information from the Inside Out
- Change your Thinking About Threats
  - “It couldn’t happen here” is not a great backup plan
- Revise Cyber Security Arrangements
  - Implement a cyber-resilience team
  - Put a recovery plan in place
- Focus on the Basics
  - People and technology
- Prepare for the Future
  - Be ready to provide proactive support to business initiatives in order to protect your reputation and minimize brand damage
Organizations of all sizes need to ensure they are fully prepared to deal with these ever-emerging challenges by equipping themselves better to deal with attacks on their reputations. This may seem obvious, but the faster you can respond to these problems, the better your outcomes will be.
About the Author
Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.