
8 Realities in Managing Cyber Risk

by Jim DeLoach
August 29, 2018
in Featured, Risk

Thoughts on Increasing Cyber Resiliency

Companies’ adoption of new technologies is outpacing their ability to protect against evolving cybersecurity threats. It used to be said that it’s not a question of IF an organization will be breached, but WHEN. Jim DeLoach suggests that companies either know they’ve been breached or they’ve been breached and don’t know it. How, then, do we move forward?

Without question, senior executives and their boards remain concerned with the security and availability of information systems and the protection of confidential, sensitive data from the commercial cyber war in which their organizations are engaged. However, too many organizations say their risk tolerance is low yet act as though it were relatively high, which is precisely why board and senior management engagement with cybersecurity is necessary.

A top-five risk for many organizations across many industries,[1] cyber risk presents a moving target. Organizations are undergoing major transformations by accelerating cloud computing adoption, increasing digitalization investments, advancing data and analytics sophistication and expanding mobile device usage, all to leverage exponential increases in computing power and to achieve and sustain competitive advantage. As these transformation initiatives constantly grow the digital footprint, they outpace the security protections companies have in place. This dilemma presents several sobering realities:

  • Cyber risks are impossible to eliminate, resources are finite, risk profiles are ever-changing and getting close to secure is elusive.
  • The question is no longer whether the organization has been breached. Companies today fall into two groups – those that know they have been breached and those that have been breached but don’t know about it. (More on this point below.)
  • Security and privacy internal control structures that are effective in reducing cyber risk to an acceptable level today will inevitably become inadequate in the future – even sooner than many may realize.
  • To top it off, resources are needed to innovate to remain competitive. Companies cannot afford for cyber to dominate the IT budget and stifle innovation.

Needless to say, the picture is not a pretty one.

Key Considerations

Protiviti’s research indicates that board and senior management engagement in information security matters is improving.[2] In the spirit of further improvement, the following are eight business realities these leaders and the executives who support them should consider as they oversee and manage cybersecurity risk:

1. The organization must be prepared for success. Managing cybersecurity is not just about managing the risk of bad things happening, it’s also about handling the upside should the company’s digital initiatives work better than management ever could have imagined. As companies harvest new sources of value through digitalization and business-model innovation, more progress is needed to mature the performance of security and privacy capabilities across the enterprise. The wise course is to plan for incredible success through a hyperscalable business model that is resilient enough to accommodate rapid growth.

2. It is highly probable the company is already breached and doesn’t know it yet. The once-common adage, “It’s not a matter of if a cyber risk event might occur, but more a matter of when” is old, dated thinking. It’s happening – now. For the majority of companies, cyber risk events have already occurred and continue to take place, yet many companies do not have the advanced detection and response capabilities they need. And if that were not already enough, the proliferation of data privacy regulations around the globe – the European Union’s General Data Protection Regulation, for example – is raising the stakes. Publicity about data breaches affecting politicians, governmental agencies, global financial institutions, major retailers and other high-profile companies, along with the growing presence of state-sponsored cyber terrorism, is presenting an attention-grabbing landscape. As a result, directors and executives alike are recognizing the need for cyber resiliency to preserve their organizations’ reputation and brand image.

Boards should be concerned with the duration of significant breaches before they are finally detected. Our experience is that detective and monitoring controls remain immature across most industries, resulting in continued failure to detect breaches in a timely manner. Tabletop exercises alone are not sufficient to address the increasing sophistication of perpetrators and the significant impact of a breach. Simulations of likely attack activity should be performed periodically to ensure that defenses can detect a breach and respond in a timely manner. In addition, an organization’s preparedness to reduce the impact and proliferation of an event is key. Accordingly, boards should focus on the adequacy of the company’s playbook outlining the actions in place to respond, recover and resume normal business operations after an incident has occurred, including responses to customers and employees to minimize reputation damage that could occur in the wake of a breach.

3. The focus needs to be on adverse business outcomes that must be managed. Most businesses know what their critical data assets and information systems – the so-called crown jewels – are; however, they forget to focus on the business outcomes they are looking to manage when they assess security risks. Considering risk outcomes or scenarios leads to enterprise security solutions that are more comprehensive than steps taken based on a narrower focus on specific assets and systems.

To illustrate, once an application is deemed key, it is typically considered in scope and managed. If the risk pertains to sensitive data leakage, the security solution is often focused on the source application and implementation of generic security controls. But the risk of an adverse outcome extends beyond the technology perimeter and may even be a greater risk. Users have access to data, regularly download it and may even email it, either ignoring or forgetting the business imperative to protect it.

Therefore, controls over what happens to critical data assets once they are downloaded cannot be ignored. They won’t be if user leakage is an integral part of the adverse outcomes to be managed. That’s why boards and executives should insist that IT leaders assess information security risks holistically, focusing on strategies to manage adverse business outcomes rather than attempt to throw money at addressing every technical weakness. A holistic view will encompass both the technology and people perimeters.

4. Cyberthreats are constantly evolving. Because the nature and severity of threats in the cyber environment change incessantly, protection measures must evolve to remain ahead of the threat profile. While recurring assessments are important, they should not be relied on as the sole means to identify new threats to be managed. Boards and executives should inquire as to how the organization’s existing threat management program proactively identifies and responds to new and emerging cyberthreats, taking into consideration the company’s crown jewels, the business outcomes it wishes to avoid, the nature of its industry and business model and its visibility as a potential target. Directors should also insist on an assessment of the related cyber risks resulting from major systems changes; it is always less expensive to build security into the systems design early, rather than retrofit it later.

5. Cybersecurity is like a game of chess, so play it that way. IT security organizations must be steps ahead of cyber opponents, waiting and ready with an arsenal of technology, people, processes and prowess. The old game of sole reliance on technology to deliver an effective and sustainable security monitoring solution falls short time and again when combating the onslaught of ever-changing threats that surround businesses today. Security functions need to change the way they deliver protective services and move well beyond initiatives to create enterprisewide cyber awareness. Accordingly, boards and senior management should expect:

  • A clear articulation of the current cyber risks facing the business (not just IT)
  • A summary of recent cyber incidents, how they were handled and lessons learned
  • A short-term and long-term roadmap outlining how the company will continue to evolve its cyber capabilities to address new and expanded threats, including the related accountabilities in place to ensure progress
  • Meaningful metrics that provide supporting key performance and risk indicators as to how the top priority cyber risks are being managed today.

For those organizations facing significant gaps between the current state and the target state in their capabilities for managing security risks, a cybersecurity program office is an emerging practice for managing large security projects successfully, with a focus on aligning technology, people and processes with the enterprise’s key risks.

6. Cybersecurity must reach beyond the four walls. As companies look upstream to vendors and suppliers (including second tier and third tier) and downstream to channel partners and customers, they are likely to find sources of vulnerability. Directors and executives should foster collaboration with third parties to address cyber risk in a cost-effective manner across the value chain when assessing insider risk, because electronic connectivity blurs the notion of who constitutes an “insider.” As the use of cloud-based storage and external data-management vendors increases, the importance of vendor risk management grows. Notable gaps exist between top-performing organizations and other companies when it comes to overall knowledge of vendors’ data security management programs and procedures – areas that might stand between an organization’s crown jewels and cyber attackers.[3]

7. Cyber cannot dominate the IT budget. No doubt, boards and senior management should ensure that cybersecurity is appropriately addressed and sufficiently resourced. But, as pointed out earlier, they should not allow cyber initiatives to stifle innovation. Over the past decade, IT departments have been reducing operations and maintenance costs consistently and using most savings to fund other priorities, including, most notably, security. Taking into account other priorities, including compliance and system enhancements, Protiviti’s research indicates that mature businesses are left with only 13 percent of their IT budgets free for innovation.[4]

Within a strained budgetary environment, it is critical for IT leaders to focus on first protecting what’s important (the “crown jewels”), keeping up with the cyberthreat landscape to identify the kind of attacks that are most likely to occur and being proactive about incident response so that systems can be put back online with minimum impact to the business. Without this discipline, cybersecurity, while vital, will continue to consume ever-larger portions of the IT budget. As a result, innovation will suffer and the business could ultimately fail – not because a cyberthreat is realized, but because the disproportionate and unfocused spend on operational risk has distracted the business from the strategic risk of failing to mount a competitive response to new entrants and/or innovators.

8. Directors and executives should gauge their confidence in the advice they’re getting. While there is no one-size-fits-all approach, boards and senior management should periodically assess the sufficiency of the expertise to which they have access to advise them on cybersecurity matters. For boards, there may be circumstances in which they should strongly consider adding individuals with technology experience either as members of or advisers to the board, especially when the board’s agenda is crowded. Executive management may find value in a fresh perspective from an outsider.

Cybersecurity is likely to remain center stage as a top risk for a long time as companies increase their reliance on new technologies in executing their global strategies. Given the realities of managing cyber risks, as discussed above, it is important to target protection investments on the business outcomes that can adversely impact the organization’s crown jewels, understand the changing threat landscape and risk tolerances and prepare for the inevitable incidents.

Questions for Boards and Executive Management

The following are suggested questions that boards of directors and senior managers may consider in the context of the nature of the entity’s risks inherent in its operations:

  • Are we sufficiently engaged in our oversight of cybersecurity? For example:
    • Is there someone on the board or advising the board who is the focal point for this topic?
    • Is executive management satisfied with the advice it is getting?
    • Do we include cyber as a core organizational risk requiring appropriate updates in board and executive team meetings?
    • Are the company’s strategies for reducing the risk of security incidents to an acceptable level proportionate and targeted?
    • Do the board and executive team receive key metrics or reporting that present the current state of the security program in an objective manner?
  • Have we identified the most important business outcomes (both unanticipated successes of digital initiatives as well as adverse events) involving critical data and information assets (the crown jewels)? With respect to those outcomes occurring:
    • Do we know whether and how they’re being managed?
    • Does our security strategy differentiate these important outcomes from general cybersecurity?
    • Do we assess our threat landscape and tolerance for these matters periodically? Are we proactive in identifying and responding to new cyberthreats?
  • Does the company have an incident response plan? If so:
    • Have key stakeholders supported the development of the plan appropriate to the organization’s scale, culture, applicable regulatory obligations[5] and business objectives?
    • Have we thought about the impact specific cyber events can have and whether management’s response plan is properly oriented and sufficiently supported?
    • Is the plan complemented by procedures providing instructions regarding actions to take in response to specific types of incidents? Has the executive team approved the plan? Do all the stakeholders to a planned response know their respective roles and responsibilities? Is it clear in which events the board should play a key role in overseeing the response efforts?
    • Are effective incident response processes in place to reduce the occurrence, proliferation and impact of a security breach?
    • Are we proactively and periodically evaluating and testing the plan to determine its effectiveness? For example, does management have regular simulations to determine whether the detective capabilities in place will identify the latest attack techniques?
    • In the event of significant breaches, have we made the required public disclosures and communicated the appropriate notifications to regulators and law enforcement in accordance with applicable laws and regulations?

[1] Executive Perspectives on Top Risks for 2018, Protiviti and North Carolina State University’s ERM Initiative, available at www.protiviti.com/US-en/insights/protiviti-top-risks-survey.

[2] Managing the Crown Jewels and Other Critical Data, Protiviti, 2017, available at www.protiviti.com/US-en/insights/it-security-survey.

[3] Managing the Crown Jewels and Other Critical Data.

[4] From Cloud, Mobile, IoT and Analytics to Digitization and Cybersecurity: Benchmarking Priorities for Today’s Technology Leaders, Protiviti, 2016, available at www.protiviti.com/sites/default/files/united_states/insights/annual-technology-trends-and-benchmark-study-2016-protiviti.pdf.

[5] For example, the Gramm-Leach-Bliley Act for financial institutions and HIPAA for health information in the United States, and PCI security standards for payment systems.


Jim DeLoach

Jim DeLoach, a founding Protiviti managing director, has over 35 years of experience in advising boards and C-suite executives on a variety of matters, including the evaluation of responses to government mandates, shareholder demands and changing markets in a cost-effective and sustainable manner. He assists companies in integrating risk and risk management with strategy setting and performance management. Jim has been appointed to the NACD Directorship 100 list from 2012 to 2018.