Enterprise risk management needs to be extended to create cyber-resilience, which is built on a solid foundation of preparation and teamwork.
By Steve Durbin
Hardly a day goes by without news of a new cyber-security threat or a major data breach arising from “malspace”—that online environment inhabited by hacker groups, criminal organizations and espionage units. As hacktivists, cyber-criminals and nation-states dramatically increase traditional information security risk, it’s becoming clear that the business risks of operating in cyberspace are quickly moving to the top of most chief executives’ agendas.
Today, CIOs, CISOs and other information practitioners are accountable for reporting on and explaining the corporate risks associated with an organization’s activities in cyberspace. Highly publicized breaches, financial losses and more stringent government regulations have put the spotlight on information security in most organizations around the world. As a result, stakeholders need to be reassured that an organization’s sensitive information is secure.
Malspace vs. the Real World
Malspace is a thriving marketplace for those motivated to make money, get noticed, cause societal disruption and take down corporations and governments through cyber-attacks. Part of the attraction of doing business in malspace is its anonymity: the risk of getting caught is far lower than it is for a crime committed in the “real world.”
Cyberspace is a far better hiding place, and its constantly shifting terrain makes it much harder for IT software, staff and systems to keep up. Furthermore, laws and regulations differ across jurisdictions, which can make prosecuting cyber-crime extremely difficult.
In addition, cycle times for the people committing cyber-crimes are shortening while the potential rewards are growing. Global cyber-criminals are increasingly organized and professional in their approach. They are as innovative and strategic as many legitimate businesses, and their financial capabilities are ever evolving, keeping pace with the online economy.
With unprecedented opportunities for collaboration, a malspace ecosystem has developed, complete with marketplaces for buying and selling the expertise and tools needed to target and execute cyber-attacks. Every hacker group, criminal organization and espionage unit in the world now has access to powerful tools and expertise for identifying, targeting and attacking its victims.
All of this makes it absolutely imperative for enterprises and governments to build up cyber-resilience. But how can this best be achieved?
Extending Risk Management
While cyber-security and risk management practices largely focus on achieving security through the management and control of known risks, cyber-resilience requires that businesses of all sizes prepare now. To cope with and mitigate the negative impacts of cyberspace activity, organizations must extend risk management to include cyber-resilience.
As everything from supply chain management to customer engagement shifts to the cloud, operating in cyberspace now has bottom-line implications if systems are disrupted. Fortifying governments and enterprises to build up resilience is imperative. Cyber-resilience requires a balanced approach that protects both organizations and individuals while also enabling open, safe commerce and communications.
Unfortunately, the risks that accompany doing business in cyberspace don’t always allow for that. In order to achieve cyber-resilience, risk management should encompass the confidentiality, integrity and availability of information. At the same time, resilient organizations must recognize that the unintended business consequences of activity in cyberspace, such as commercial, reputational and financial risks, are real and growing.
Cyber-Security: All Hands on Deck
Cyber-threats are no longer solely the domain of the information security function. All units within the organization are affected, as are external customers, suppliers, investors and other stakeholders. Senior business leaders, preferably the chief executive or chief operating officer, should lead the charge with a coordinated and collaborative approach that allows the organization to prepare for unpredictable events.