No Result
View All Result
SUBSCRIBE | NO FEES, NO PAYWALLS
MANAGE MY SUBSCRIPTION
NEWSLETTER
Corporate Compliance Insights
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe
Jump to a Section
  • At the Office
    • Ethics
    • HR Compliance
    • Leadership & Career
    • Well-Being at Work
  • Compliance & Risk
    • Compliance
    • FCPA
    • Fraud
    • Risk
  • Finserv & Audit
    • Financial Services
    • Internal Audit
  • Governance
    • ESG
    • Getting Governance Right
  • Infosec
    • Cybersecurity
    • Data Privacy
  • Opinion
    • Adam Balfour
    • Jim DeLoach
    • Mary Shirley
    • Yan Tougas
No Result
View All Result
Corporate Compliance Insights
Home Cybersecurity

7 Considerations for a Strong Cybersecurity Strategy

Ensuring cyber readiness with a robust CRMP

by Ron Kral
March 6, 2020
in Cybersecurity, Featured
glowing green shield, cybersecurity concept

A cybersecurity risk management program (CRMP), or formal cybersecurity strategy document, is key in an organization’s ability to weather a cybersecurity incident. Kral Ussery’s Ron Kral discusses what to take into account when drafting one.

No topic has likely garnered more attention in boardrooms over the last couple of years than cybersecurity. And rightfully so when the full extent of direct and indirect costs of a data breach are considered. Direct costs include legal fees, forensic experts, public relations, remediation efforts, potential fines and regulatory compliance expenses. However, it is the indirect costs of operational disruption, increased insurance premiums, brand reputational damage, loss of future revenue streams, etc. that can lead to business ruin.

There is no shortage of specific cost estimates and articles on this important topic, and one research study pegs the total average cost of a data breach at $3.92 million.[1] Considering what is at stake, is your organization truly prepared to address cyber risks? This article offers some practical considerations to enhance cybersecurity.

The risk of a cyber incident, defined as a cybersecurity event that puts sensitive data at risk and requires action to protect associated assets, applies to all industries and companies of all sizes. No company is too big or too small, and smaller organizations tend to have higher costs relative to their size, thus hampering their ability to financially recover from the incident.[2] However, it tends to be the larger ones that dominate press coverage, and the lessons learned can be insightful. For example, the table below highlights five notorious cyber incidents and their respective causes.

Organization &
Year of Breach
Impact Cause
Equifax (2017) 145-150 million people Failure to patch one of its internet servers against a pervasive software flaw.
Verizon (2017) 6 million customers Contractor failed to secure a large batch of customer information.
Boeing (2017) 36,000 employees Employee data left control of the company when a worker emailed a spreadsheet to a significant other.
Target (2013) 70 million customers Hackers gained access to Target’s POS systems using login credentials belonging to an HVAC company.
Yahoo (2013) 3 billion users The hack came from a single user in Yahoo’s corporate office. An employee was sent a spear-phishing email with a link that, as soon as they clicked on it, downloaded malware on the network.

Examining the causes for these five high-profile breaches draws attention to the risks associated with:

  • not understanding vulnerabilities, nor taking timely action to address them;
  • lack of vendor oversight; and
  • lack of employee education.

There is no shortage of security and IT control frameworks to help formulate a cybersecurity strategy. One of the more prominent cybersecurity frameworks is the NIST Cybersecurity Framework (CSF) published by the U.S. government. The NIST CSF consists of five concurrent and continuous functions:

  • Identify cybersecurity risk to systems, assets, data and capabilities.
  • Protect the organization from identified risks through controls to limit or contain the impact of a potential cybersecurity event.
  • Detect potential cybersecurity events in a timely manner.[3]
  • Respond to cybersecurity events, including having a response plan and performing activities to eradicate the incident and incorporate lessons learned into new strategies.
  • Recover from cybersecurity events through actions to restore impaired capabilities or services.

At a minimum, all organizations should have these five functions addressed in a formal cybersecurity strategy document, sometimes referred to as a cybersecurity risk management program (CRMP). Many frameworks are daunting in terms of their terminology and complexities; it is easy to get lost in the details. Here are some considerations for developing and deploying a cybersecurity strategy:

  1. Utilize common language that is accessible and can be understood by all employees and relevant vendors.
  2. Don’t fall into the mindset that outsourcing to the cloud (i.e., electronic outsourcing) relieves management and the board from their accountability and oversight. While you can outsource the controls and process elements, the objectives, risks and ultimate control oversight resides with the procuring organization.
  3. Formalize cybersecurity objectives, risk considerations and associated processes in writing through a CRMP. The AICPA’s Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program is a great place to start.
  4. Leverage control criteria to evaluate the suitability of design and operating effectiveness of controls pertaining to a CRMP. The AICPA’s Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy forwards robust control criteria that utilizes COSO’s 2013 Internal Control – Integrated Framework. The COSO Internal Control – Integrated Framework is widely used by U.S. public companies and other organizations, thus reducing the learning curve for this control criteria.
  5. Keep a sharp focus on the process and people (i.e., control owners), as these elements can matter more than the technology. A strong IT infrastructure will not be successful without healthy control processes and competent people.
  6. Understand that the CRMP must be a living document that is continuously updated to address evolving risks. Cyber criminals are always trying to stay a step ahead of legitimate businesses, thus posing new risks.
  7. Assign a clear governance role at the board level to provide oversight of management’s CRMP.

Remember that cyber readiness, including implementing a robust CRMP, does not happen overnight. It will take time and resources to build and maintain, but an important objective is to strive for continuous improvement to address changing risk landscapes.

Do not procrastinate when it comes to cybersecurity, as the risks are real. While a goal of developing a CRMP leveraging security and IT control framework(s) should be of interest for all organizations, initial steps can be difficult. It begins with education and acquiring the expertise to assess the current state of cybersecurity objectives, risks and controls. An independent perspective can be an efficient and effective route for evaluating the current landscape. In addition, establishing roles and accountabilities at both the board and management levels is an important early step. Finally, for organizations with cloud computing, vendor management control also needs to be an early focus.

In conclusion, we must remember that hope is not a strategy. Cyberattacks and data breaches are rapidly growing with greater sophistication. It is likely only a matter of time before your organization is thrust into a serious cyber incident. If you have already been subject to one, be prepared for another. Don’t be caught off guard, as an entity-wide CRMP is essential in protecting shareholder value. A strong cybersecurity posture allows organizations to be more creative and proactive in the never-ending search for ways to strengthen revenue streams and profitability.


This is an article from the Governance Issues™ Newsletter, Volume 2020, Number 1, published on February 20, 2020 by Kral Ussery LLC.


[1] Page 5 of Cost of a Data Breach Report 2019, research conducted by Ponemon Institute LLC, published by IBM Security.

[2] We found significant variation in total data breach costs by organizational size. The total cost for the largest organizations (more than 25,000 employees) averaged $5.11 million, which is $204 per employee. Smaller organizations with between 500 and 1,000 employees had an average cost of $2.65 million, or $3,533 per employee. Research conducted by Ponemon Institute LLC as published by IBM Security in Cost of a Data Breach Report 2019, page 7.

[3] The average time to identify a breach in 2019 was 206 days and the average time to contain a breach was 73 days, for a total of 279 days. Research conducted by Ponemon Institute LLC as published by IBM Security in Cost of a Data Breach Report 2019, page 6.


Tags: Cyber Risk
Previous Post

Active Navigation’s Data Privacy Software Helps to Strengthen Equifax’s Cybersecurity Footprint

Next Post

31 Days to a More Effective Compliance Program

Ron Kral

Ron Kral

Ron Kral is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. Ron is a highly rated speaker, trainer and advisor. He is a member of 4 of the 5 COSO sponsoring organizations; the AICPA, FEI, IIA, and IMA. Contact Ron at Rkral@KralUssery.com or www.linkedin.com/in/ronkral.    

Related Posts

news roundup green bars

In-House Counsel Salary Increases Slow

by Staff and Wire Reports
May 2, 2025

Majority of execs predict rise in fincrime in ’25

data abstract green purple

66% of CISOs Worry Cyber Threats Are More Advanced Than Companies’ Defenses

by Staff and Wire Reports
April 25, 2025

US business sector falling behind in adoption of renewable energy

robot hand pointing to sky

Agentic AI Can Be Force Multiplier — for Criminals, Too

by Steve Durbin
April 21, 2025

How polymorphic malware and synthetic identities are creating unprecedented attack vectors

data abstract pixelated

GenAI Adoption Surging in Professional Services

by Staff and Wire Reports
April 18, 2025

Fewer than 1 in 3 organizations consistently meet cyber compliance standards

Next Post
31 days better compliance cover

31 Days to a More Effective Compliance Program

No Result
View All Result

Privacy Policy | AI Policy

Founded in 2010, CCI is the web’s premier global independent news source for compliance, ethics, risk and information security. 

Got a news tip? Get in touch. Want a weekly round-up in your inbox? Sign up for free. No subscription fees, no paywalls. 

Follow Us

Browse Topics:

  • CCI Press
  • Compliance
  • Compliance Podcasts
  • Cybersecurity
  • Data Privacy
  • eBooks Published by CCI
  • Ethics
  • FCPA
  • Featured
  • Financial Services
  • Fraud
  • Governance
  • GRC Vendor News
  • HR Compliance
  • Internal Audit
  • Leadership and Career
  • On Demand Webinars
  • Opinion
  • Research
  • Resource Library
  • Risk
  • Uncategorized
  • Videos
  • Webinars
  • Well-Being
  • Whitepapers

© 2025 Corporate Compliance Insights

Welcome to CCI. This site uses cookies. Please click OK to accept. Privacy Policy
Cookie settingsACCEPT
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
SAVE & ACCEPT
No Result
View All Result
  • Home
  • About
    • About CCI
    • CCI Magazine
    • Writing for CCI
    • Career Connection
    • NEW: CCI Press – Book Publishing
    • Advertise With Us
  • Explore Topics
    • See All Articles
    • Compliance
    • Ethics
    • Risk
    • FCPA
    • Governance
    • Fraud
    • Internal Audit
    • HR Compliance
    • Cybersecurity
    • Data Privacy
    • Financial Services
    • Well-Being at Work
    • Leadership and Career
    • Opinion
  • Vendor News
  • Library
    • Download Whitepapers & Reports
    • Download eBooks
    • New: Living Your Best Compliance Life by Mary Shirley
    • New: Ethics and Compliance for Humans by Adam Balfour
    • 2021: Raise Your Game, Not Your Voice by Lentini-Walker & Tschida
    • CCI Press & Compliance Bookshelf
  • Podcasts
    • Great Women in Compliance
    • Unless: The Podcast (Hemma Lomax)
  • Research
  • Webinars
  • Events
  • Subscribe

© 2025 Corporate Compliance Insights