Businesses must manage risks beyond those traditionally handled by the information security function, including cyber-attacks on reputation and technology.
By Steve Durbin
Understanding security threats is essential to enterprise risk management. One of the key things I regularly hear in my conversations with cyber-security chiefs and board members around the world is that the corporate risk landscape is evolving and maturing at a speed that many organizations have been unable to keep up with. Attackers have become more organized, attacks have become more sophisticated, and every threat now poses a greater risk to an organization's reputation.
BYOD Poses New Risks
One of the reasons for the maturation of security threats is that technology is advancing at an unrelenting pace. The amount of information that we create and generate on a daily basis continues to increase exponentially, as does the demand for access to it anywhere, any time and from any device. Integrating a bring your own device (BYOD) environment is complex and needs careful consideration. The move to consumer-oriented technologies in the workplace is changing how organizations must handle corporate data, which may now be mixed with privately owned data on the same device.
For the majority of people, before they shower and grab their cup of coffee or tea in the morning, the first thing they do is check their mobile phone or tablet. While many are looking at their work e-mail, they're also looking at their Facebook pages, Twitter feeds or YouTube. The real impact of a threat or an attack going viral in this way is difficult to control. Hacktivists obviously understand this and they're determined to make their case, particularly if they have an axe to grind with particular organizations.
With cyberspace so critical to everything these days, holding back adoption or disconnecting from cyberspace isn't realistic. Businesses need to take advantage of developing trends in both technology and cyberspace; it makes sound business sense. But to do so, they must manage risks beyond those traditionally handled by the information security function, because new attacks impact not just technology of every kind, but also business reputation.
Driving Executive Engagement
In many organizations, cyber opportunities and risks are a board-level issue, so the cyber-security head will need to engage right up to the board, where information strategy and risk should sit comfortably with other types of strategy and risk that the board already oversees. To manage this balance of risk vs. reward, cyber-security chiefs must drive engagement across their organizations. To do this, they need to change the conversation so it resonates with the leading decision-makers and supports the organization’s business objectives.
Successful organizations have likely already appointed a director of cyber-security or a chief digital officer (CDO) to oversee all activities in cyberspace. If the CDO does not sit on the board, they will also have appointed someone at the board level whose job is to apprise the board of its responsibilities for operating in cyberspace and to highlight its obligation to establish cyber-resilience programs that protect the organization's assets and preserve shareholder value. This is especially important at a time when there is an increased focus on the legal aspects of doing business in cyberspace.
Undoubtedly, boards need help in understanding the business implications of cyber-resilience. Being effective requires the right people, operating at the right level, who are able to communicate the requirements of cyber-security in the language of the business and drive cyber-resilience throughout the enterprise as a cultural change. We all operate in cyberspace. Boards and their cyber-security directors now need to step up to the challenge.