Don’t delegate cyber risk management responsibility
Craig Richardson is chief executive at the Wynyard Group
The responsibility of managing and overseeing the cyber-risk in an organisation must sit at an executive level, writes Craig Richardson
To be most effective an organisation must have a person providing leadership and oversight in the strategic planning, execution, and assessment of security strategies, policies, procedures and guiding practices. Ensuring compliance with legal obligations in respect of information and information security is also a key responsibility.
More commonly the role of the chief information security officer is emerging. Organisations that had previously not identified the need for a CISO need to re-evaluate this as a priority. It is also crucial this role has independence from IT and has a direct reporting channel into the board. This position indicates the organisation is taking a formal approach to monitoring cyber threat risk with regular updates and board oversight.
Evaluate, assess and manage cyber risk
Cyber-attacks could cause severe disruption to a company’s business functions or operational supply chain, impact reputation, compromise customer information or result in loss of intellectual property.
From kids hacking video game downloads, to organised criminals targeting financial services organisations, state-sponsored theft of trade secrets, and terrorists targeting critical infrastructure, no company is immune to cyber-attacks.
Each organisation has a distinctive cyber-threat risk profile depending on the nature of the business, what information the industry deals with and how valuable that asset is to criminals.
It is important that the executive understands that assets need to be identified and valued, and then risk assessed against cyber-threats. It is important also that executives recognised information is their most important and valuable asset.
Defining the risk strategy and levels of acceptable risk requires critical assets and the impact from cyber-attacks to be identified and the specific financial, competitive, reputational and regulatory risk exposure defined.
Key is to adopt a governance-led, information driven approach to managing cyber-risk. The company needs to understand how threats are evolving, evaluate the degree of risk at any one time and set strategies for countering attacks.
Information-driven cyber intelligence allows companies to assess, manage and minimise the risks. By identifying and characterising cyber threats and assessing the vulnerability of critical assets and operations, companies can better identify ways to reduce those risks and strategically prioritise risk reduction measures.
They can clearly plan for what the likelihood and consequences of specific types of attacks are and can better manage and minimise the risk.
Early detection makes a key difference
An ability to detect the manifestation of an incident early in its lifecycle and assimilating that information into a dynamic risk model, is becoming a key differentiator for a modern business connected to the internet.
This means defenders of a network need to have an advantage – but it requires a deep understanding of your network and business:
– How it works?
– What and where are the key business assets?
– How the users interact with it and the outside world (the internet)?
– How the business works?
Organisations that take a strategic approach to cybersecurity spending can build a more effective cybersecurity practice, one that advances the ability to detect and quickly respond to incidents that are all but inevitable.
Include cyber-risk on the board agenda
Cyber -hreat is one of the many areas of risk that should be overseen by the board of directors, but is often misunderstood.
Directors are not expected to be experts in this area so do rely upon management and external parties for information and advice. In saying this, this is not an excuse for complacency.
At a minimum the board should have a high-level understanding of the company’s cyber-risks, the management of these risks and the company’s cyber incident response plan. Boards must be clear on the information they require to understand what is needed to make decisions.
Directors need to re-evaluate risks against the threat vector. Organisations that had previously completed risk assessments that minimised or discounted cyber-risk should revisit these assessments against current cyber-threat trends. Organisations need to accelerate this process and not wait for evidence of a breach, they need to pre-empt an inevitable breach investigation.
Directors should also understand how companies run their process for identifying and mitigating the most current risks. Management should also be able to explain to the board how it selects, manages and monitors third parties and their access to data.
As part of reporting, boards should be provided with meaningful, data-driven metrics that demonstrate both performance and effectiveness of a cyber-response plan. This means performance changes can be correlated with key events to gain an understanding about the impact of technology investments, headcount and policy decisions.
Summary
Companies must assess and manage cyber risk as they do other operational, reputational and financial business risks across their enterprise.
The first place to start is for executives and boards to get involved in cyber-risk management discussions, including an evaluation of your company’s specific cyber-risks and incident response plans.
To properly manage cyber risk, the CEO must fully understand the company’s cyber-risks, the company’s plan to manage these risks, and the company’s response plan when the inevitable breach occurs.
