We've decided to break this week's post into two parts: Part I focuses on past studies and the board's role in evaluating Cyber Risks. Later, we'll follow up with Part II: Organizational Best Practices.
In 2012, as the importance of cybersecurity grew more apparent for business leaders around the globe, the World Economic Forum (WEF) launched a new initiative called the Partnership for Cyber Resilience. Since then, every yearly edition of the WEF’s Global Risks Report has featured cyber risks front and center. As a PricewaterhouseCoopers (PwC) presentation titled “Threat Smart: Building a Cyber Resilient Financial Institution” put it: “Cyber risk is a business issue, not just a technology issue. Market leaders are finding that cyber risk management needs to be owned by the C-suite rather than by IT.”
In 2015, the WEF released a special report titled “Partnering for Cyber Resilience: Towards the Quantification of Cyber Threats.” As Jacques Buith, managing partner at Deloitte Risk Services, pointed out in the accompanying news release, “We need to be able to quantify cyber risks if proper cyber resilience assurance is to be achieved. Only then will management boards be able to take sound risk/reward decisions in this volatile world and thus secure their organizations’ cyber resilience.” The report uses a cyber value-at-risk approach that aims to estimate a figure, x, for the amount of money a business stands to lose over a given period from successful cyberattacks. The report also covers the different types of models from which quantified risks can be derived: the Monte Carlo method, behavioral modeling, parametric modeling and the Delphi method, to name a few. Deloitte offered a more in-depth look at the relationship between risk and compliance, including how to measure the status of risk governance.
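To make the quantification idea concrete, here is a small added example (not code from the WEF report or from Deloitte) of the Monte Carlo approach the report lists: simulate many years of attack frequency and loss severity, then read the cyber value-at-risk off the resulting annual loss distribution. The event rate, median loss per event and spread are assumed placeholder values, not figures from the report.

```python
import math
import random
import statistics


def poisson_count(rng, rate):
    """Draw a Poisson(rate) event count with Knuth's method (adequate for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(years, event_rate, loss_median, loss_sigma, seed=2015):
    """Return one simulated total loss per year.

    Each year sees Poisson(event_rate) successful attacks; each attack costs a
    lognormally distributed amount with the given median and log-scale sigma.
    All parameters are illustrative assumptions, not figures from the WEF report.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    annual = []
    for _ in range(years):
        events = poisson_count(rng, event_rate)
        annual.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    return annual


def value_at_risk(losses, confidence):
    """Empirical VaR: the loss not exceeded in `confidence` share of simulated years."""
    ordered = sorted(losses)
    index = math.ceil(confidence * len(ordered)) - 1
    return ordered[min(max(index, 0), len(ordered) - 1)]


def expected_shortfall(losses, confidence):
    """Average loss in the years at or beyond the VaR: what a bad year really costs."""
    var = value_at_risk(losses, confidence)
    return statistics.mean(loss for loss in losses if loss >= var)


def cyber_var_summary(years=10_000, event_rate=1.5, loss_median=200_000.0,
                      loss_sigma=1.2, seed=2015):
    """Run the simulation and return the figures a board would be shown."""
    losses = simulate_annual_losses(years, event_rate, loss_median, loss_sigma, seed)
    return {
        "expected_annual_loss": statistics.mean(losses),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
        "es_99": expected_shortfall(losses, 0.99),
    }


if __name__ == "__main__":
    for name, value in cyber_var_summary().items():
        print(f"{name:>20}: ${value:,.0f}")
```

The expected annual loss is the budgeting number; the 95th and 99th percentile VaR figures are the ones that support a risk/reward decision about how much control spend or insurance is worth. In practice the frequency and severity inputs come from incident data, threat intelligence and structured expert estimates (the Delphi method the report mentions), and the model should be re-run whenever those inputs change.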
C-Suites Must Have Knowledge of Cyber Risks
The WEF is not alone in pointing out the need for CISOs, CIOs, business executives and boards of directors to have more frequent, productive conversations around cyber risks and to properly oversee the effectiveness of the controls deployed to mitigate them. Here is a sampling from the past year showing the level of interest, or, depending on your perspective, the demands from executives or directors, in the management of cyber risks.
- A first-quarter 2015 New York Stock Exchange (NYSE) special report entitled “Managing Cyber Risk: Are Companies Safeguarding Their Assets?” pointed out that 42 percent of boards surveyed “admitted their board only occasionally discusses cyber/IT security.” Also, only 21 percent of the directors reported their company had “IT risk well under control with regard to a possible cyber breach.”
- In 2015, NYSE Governance Services surveyed about 200 directors of public companies. The “Cybersecurity in the Boardroom” report highlighted a definite trend in the level of interest in the discussion of cyber risks in the boardroom: About 35 percent said that cybersecurity matters were discussed at every meeting, while another 46 percent indicated they were discussed at most meetings. Even more interesting is the board’s perspective on accountability: in the event of a major breach, directors said they would hold the CEO accountable first, followed by the CIO, then the entire executive team and, in fourth place, the CISO.
- An article titled “Do boards have a role in cyber-risk?” asked whether boards need a cyber risk expert within their ranks. The answer, so far, is no. However, the author noted that for directors the “one thing you can’t do is escape responsibility.”
- In 2015, PwC’s “18th Annual Global CEO Survey” showed that 61 percent of CEOs are concerned about “cyber threats, including lack of data security.” Cybersecurity was listed third in level of strategic importance (78 percent), just behind mobile technologies for customer engagement (81 percent) and data mining and analysis (80 percent). Additionally, 53 percent of CEOs reported cybersecurity as being very important strategically.
- Finally, from a government regulation and oversight perspective, companies operating in the U.S. must pay attention to the tone and words from Securities and Exchange Commission (SEC) Commissioner Luis A. Aguilar’s address at the NYSE’s Cyber Risks and the Boardroom Conference on June 10, 2014: “Board oversight of cyber risk management is critical to ensuring that companies are taking adequate steps to prevent, and prepare for, the harms that can result from such attacks. There is no substitution for proper preparation, deliberation and engagement on cybersecurity issues,” Aguilar said in his speech. “Given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing those risks.”
VSS helps organizations to reduce their risk exposure across all areas of the enterprise including its people, data, applications, network and servers. VSS works with best of breed technologies including IBM Security, IBM InfoSphere, CheckPoint, Ping Identity and cloud security partners. By having skills that cover the entire organization, VSS can integrate the best security products and practices to provide clients with an enterprise-wide solution.
Author: Christophe Veltsos
Originally posted on July 9, 2015
Sourced From IBM's Security Intelligence http://securityintelligence.com/