Businesses must prepare themselves for the future so that they have the flexibility to survive unexpected and high-impact cyber-security events.
By Steve Durbin
Cyber-security stepped into the public eye in 2013 with a number of high-profile cyber-attacks and data breaches. Hacktivists have evolved from solo teenagers in their parents' basement into full-fledged global organizations, such as Anonymous and other online collectives. These groups have caused hundreds of millions of dollars in damage to a number of organizations, with the most recent example being the Target data breach—a textbook example of how not to handle a breach, some might say.
In 2014, cyber-attacks will continue to become more innovative and sophisticated. Unfortunately, while organizations are developing new security mechanisms, cybercriminals are cultivating new techniques to circumvent them. Businesses of all sizes must prepare themselves for the future so that they have the flexibility to endure unexpected and high-impact security events.
With President Obama's recent executive order on "Improving Critical Infrastructure Cybersecurity," U.S. businesses must now create a security framework to collaborate with one another and to share best practices with the government. This mandate involves implementing a comprehensive risk-management approach to creating a sustainable control environment by managing operational risks. The executive order also requires businesses to maintain privacy and civil liberties and to continuously monitor their own threat landscape and meet a number of common information security standards, including ISO, SANS 20 and COBIT. Similar developments are occurring across Europe, with the U.K. government about to release its guidance to businesses on operating safely in cyberspace and the European Union continuing to refine its requirements on data protection and privacy.
Understanding threats is fundamental to enterprise risk management. One of the key things that we at the Information Security Forum have noticed in recent years is how cyber-threats have evolved. Attackers have become more organized, attacks have become more sophisticated, and almost all threats are more dangerous and pose more risks simply because they've had that degree of maturing. The sophistication of the people who are behind the attacks has also increased significantly.
The commercial, reputational and financial risks that come with cyberspace are real—and growing. The range and intricacy of information security threats continues to escalate and businesses that fail to immediately prepare will struggle to handle the challenges later. While individual threats continue to pose risk, it is the combination of them, along with the speed at which attacks can be launched, that will give businesses the greatest danger.
Driving Board Engagement
The role of cyber and information risk management has quickly become a board issue and must be given the same level of attention afforded to operational risk management and other established risk management practices. Today's insatiable appetite for speed and agility, the growing importance of the full supply chain, and the mounting dependence on diverse technologies, such as cloud computing and bring your own device, are just some of the challenges that are confronting organizations.
CIOs need to engage with their boards to ensure their organization understands and manages information risk appropriately while also delivering their strategic goals. One of the key things that I constantly hear when I speak with CIOs and boards around the world is that the corporate risk landscape is maturing and evolving at a speed that many businesses are having difficulty keeping up with.
Inevitably, CIOs need to lead and drive engagement with the board. They need to translate the complex world of information security and information risk into easily understandable issues and solutions. CIOs must also change their way of thinking and the resulting conversations so information risk can be considered alongside the other risks that boards oversee.
Increasingly, I'm seeing leading CIOs aligning or, better yet, integrating security strategies with business-focused initiatives and projects. This continues to remain a challenge for those that are working in enterprises where security is not regarded as a top issue.
In terms of cyber-security, CIOs need to ask five questions of themselves and their boards:
1. How does cyber-security in general and information security specifically support our business priorities, such as attracting and retaining customers, maintaining or growing a competitive advantage, and fostering innovation?
2. If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was reasonably expected?
3. Are we prepared for the future?
4. How can we validate our understanding of our information risks and how they are managed?
5. Should we, as an organization or as a board, be changing our approach?
Engagement is about communicating the value of information security and delivering that value. Ideally, board engagement will be proactive, initiated by the CIO, with the support of senior management, to provide assurance that information risk is being managed appropriately.