Corporate Compliance Insights

7 Considerations for a Strong Cybersecurity Strategy

Ensuring Cyber Readiness with a Robust CRMP

by Ron Kral
March 6, 2020
in Cybersecurity, Featured

A cybersecurity risk management program (CRMP), or formal cybersecurity strategy document, is key in an organization’s ability to weather a cybersecurity incident. Kral Ussery’s Ron Kral discusses what to take into account when drafting one.

No topic has likely garnered more attention in boardrooms over the last couple of years than cybersecurity. And rightfully so, when the full extent of the direct and indirect costs of a data breach is considered. Direct costs include legal fees, forensic experts, public relations, remediation efforts, potential fines and regulatory compliance expenses. However, it is the indirect costs of operational disruption, increased insurance premiums, brand reputational damage, loss of future revenue streams, etc. that can lead to business ruin.

There is no shortage of specific cost estimates and articles on this important topic, and one research study pegs the total average cost of a data breach at $3.92 million.[1] Considering what is at stake, is your organization truly prepared to address cyber risks? This article offers some practical considerations to enhance cybersecurity.

The risk of a cyber incident, defined as a cybersecurity event that puts sensitive data at risk and requires action to protect associated assets, applies to all industries and companies of all sizes. No company is too big or too small, and smaller organizations tend to have higher costs relative to their size, thus hampering their ability to financially recover from the incident.[2] However, it tends to be the larger ones that dominate press coverage, and the lessons learned can be insightful. For example, the table below highlights five notorious cyber incidents and their respective causes.

| Organization (Year of Breach) | Impact | Cause |
|---|---|---|
| Equifax (2017) | 145-150 million people | Failure to patch one of its internet servers against a pervasive software flaw. |
| Verizon (2017) | 6 million customers | Contractor failed to secure a large batch of customer information. |
| Boeing (2017) | 36,000 employees | Employee data left control of the company when a worker emailed a spreadsheet to a significant other. |
| Target (2013) | 70 million customers | Hackers gained access to Target’s POS systems using login credentials belonging to an HVAC company. |
| Yahoo (2013) | 3 billion users | The hack came from a single user in Yahoo’s corporate office. An employee was sent a spear-phishing email with a link that, as soon as they clicked on it, downloaded malware on the network. |

Examining the causes for these five high-profile breaches draws attention to the risks associated with:

  • not understanding vulnerabilities, nor taking timely action to address them;
  • lack of vendor oversight; and
  • lack of employee education.

There is no shortage of security and IT control frameworks to help formulate a cybersecurity strategy. One of the more prominent cybersecurity frameworks is the NIST Cybersecurity Framework (CSF) published by the U.S. government. The NIST CSF consists of five concurrent and continuous functions:

  • Identify cybersecurity risk to systems, assets, data and capabilities.
  • Protect the organization from identified risks through controls to limit or contain the impact of a potential cybersecurity event.
  • Detect potential cybersecurity events in a timely manner.[3]
  • Respond to cybersecurity events, including having a response plan and performing activities to eradicate the incident and incorporate lessons learned into new strategies.
  • Recover from cybersecurity events through actions to restore impaired capabilities or services.

At a minimum, all organizations should have these five functions addressed in a formal cybersecurity strategy document, sometimes referred to as a cybersecurity risk management program (CRMP). Many frameworks are daunting in terms of their terminology and complexities; it is easy to get lost in the details. Here are some considerations for developing and deploying a cybersecurity strategy:

  1. Utilize common language that is accessible and can be understood by all employees and relevant vendors.
  2. Don’t fall into the mindset that outsourcing to the cloud (i.e., electronic outsourcing) relieves management and the board of their accountability and oversight. While you can outsource the controls and process elements, the objectives, risks and ultimate control oversight reside with the procuring organization.
  3. Formalize cybersecurity objectives, risk considerations and associated processes in writing through a CRMP. The AICPA’s Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program is a great place to start.
  4. Leverage control criteria to evaluate the suitability of design and operating effectiveness of controls pertaining to a CRMP. The AICPA’s Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy sets out robust control criteria that build on COSO’s 2013 Internal Control – Integrated Framework. Because the COSO Internal Control – Integrated Framework is widely used by U.S. public companies and other organizations, the learning curve for these control criteria is reduced.
  5. Keep a sharp focus on the process and people (i.e., control owners), as these elements can matter more than the technology. A strong IT infrastructure will not be successful without healthy control processes and competent people.
  6. Understand that the CRMP must be a living document that is continuously updated to address evolving risks. Cyber criminals are always trying to stay a step ahead of legitimate businesses, thus posing new risks.
  7. Assign a clear governance role at the board level to provide oversight of management’s CRMP.

Remember that cyber readiness, including implementing a robust CRMP, does not happen overnight. It will take time and resources to build and maintain, but an important objective is to strive for continuous improvement to address changing risk landscapes.

Do not procrastinate when it comes to cybersecurity, as the risks are real. While a goal of developing a CRMP leveraging security and IT control framework(s) should be of interest for all organizations, initial steps can be difficult. It begins with education and acquiring the expertise to assess the current state of cybersecurity objectives, risks and controls. An independent perspective can be an efficient and effective route for evaluating the current landscape. In addition, establishing roles and accountabilities at both the board and management levels is an important early step. Finally, for organizations with cloud computing, vendor management control also needs to be an early focus.

In conclusion, we must remember that hope is not a strategy. Cyberattacks and data breaches are rapidly growing with greater sophistication. It is likely only a matter of time before your organization is thrust into a serious cyber incident. If you have already been subject to one, be prepared for another. Don’t be caught off guard, as an entity-wide CRMP is essential in protecting shareholder value. A strong cybersecurity posture allows organizations to be more creative and proactive in the never-ending search for ways to strengthen revenue streams and profitability.


This is an article from the Governance Issues™ Newsletter, Volume 2020, Number 1, published on February 20, 2020 by Kral Ussery LLC.


[1] Page 5 of Cost of a Data Breach Report 2019, research conducted by Ponemon Institute LLC, published by IBM Security.

[2] We found significant variation in total data breach costs by organizational size. The total cost for the largest organizations (more than 25,000 employees) averaged $5.11 million, which is $204 per employee. Smaller organizations with between 500 and 1,000 employees had an average cost of $2.65 million, or $3,533 per employee. Research conducted by Ponemon Institute LLC as published by IBM Security in Cost of a Data Breach Report 2019, page 7.

[3] The average time to identify a breach in 2019 was 206 days and the average time to contain a breach was 73 days, for a total of 279 days. Research conducted by Ponemon Institute LLC as published by IBM Security in Cost of a Data Breach Report 2019, page 6.


Ron Kral

Ron Kral (CPA, CMA, CGMA) is a partner of Kral Ussery LLC, a public accounting firm delivering advisory services, litigation support and internal audits. He serves public and private companies to protect and grow shareholder value, as well as nonprofits and governments on internal controls to combat errors and fraud. Ron has worked with hundreds of clients as a public accountant offering robust solutions on accounting, auditing, controls, ethics, anti-fraud programs, governance and SEC regulatory matters. Prior to forming a predecessor firm to KU in 2003, he was a general manager for a large technology company traded on the NYSE. Ron was also a principal consultant with PwC leading operational audits and internal control projects. He began his public accounting career with a California CPA firm as a financial auditor and was responsible for signing audit opinions upon becoming managing director of the firm’s Orange County office. Ron launched his career as a performance auditor with the California State Auditor. Ron is a highly rated speaker and facilitator, including for COSO’s Internal Control Certification Program for the AICPA. He also served on FEI’s working group for the development of COSO’s 2013 control framework and is a member of four of the five COSO-sponsoring organizations: the AICPA, FEI, IIA and IMA. Ron holds an MBA from Arizona State University and a BBA from the University of Wisconsin-Madison. He can be reached at www.linkedin.com/in/ronkral.    