Security Risks: It's All About How You Manage ThemBy Guest Author
Security Risks: It's All About How You Manage Them
By Steve Durbin
Cyber-security stepped into the public eye in 2013 with a number of high-profile cyber-attacks and data breaches. Hacktivists have evolved from solo teenagers in their parents' basement into full-fledged global organizations, such as Anonymous and other online collectives. These groups have caused hundreds of millions of dollars in damage to a number of organizations, with the most recent example being the Target data breach—a textbook example of how not to handle a breach, some might say.
In 2014, cyber-attacks will continue to become more innovative and sophisticated. Unfortunately, while organizations are developing new security mechanisms, cybercriminals are cultivating new techniques to circumvent them. Businesses of all sizes must prepare themselves for the future so that they have the flexibility to endure unexpected and high-impact security events.
With President Obama's recent executive order on "Improving Critical Infrastructure Cybersecurity," U.S. businesses must now create a security framework to collaborate with one another and to share best practices with the government. This mandate involves implementing a comprehensive risk-management approach to creating a sustainable control environment by managing operational risks. The executive order also requires businesses to maintain privacy and civil liberties and to continuously monitor their own threat landscape and meet a number of common information security standards, including ISO, SANS 20 and COBIT. Similar developments are occurring across Europe, with the U.K. government about to release its guidance to businesses on operating safely in cyberspace and the European Union continuing to refine its requirements on data protection and privacy.
Understanding threats is fundamental to enterprise risk management. One of the key things that we at the Information Security Forum have noticed in recent years is how cyber-threats have evolved. Attackers have become more organized, attacks have become more sophisticated, and almost all threats are more dangerous and pose more risks simply because they've had that degree of maturing. The sophistication of the people who are behind the attacks has also increased significantly.
The commercial, reputational and financial risks that come with cyberspace are real—and growing. The range and intricacy of information security threats continues to escalate and businesses that fail to immediately prepare will struggle to handle the challenges later. While individual threats continue to pose risk, it is the combination of them, along with the speed at which attacks can be launched, that will give businesses the greatest danger.
Driving Board Engagement
The role of cyber and information risk management has quickly become a board issue and must be given the same level of attention afforded to operational risk management and other established risk management practices. Today's insatiable appetite for speed and agility, the growing importance of the full supply chain, and the mounting dependence on diverse technologies, such as cloud computing and bring your own device, are just some of the challenges that are confronting organizations.
CIOs need to engage with their boards to ensure their organization understands and manages information risk appropriately while also delivering their strategic goals. One of the key things that I constantly hear when I speak with CIOs and boards around the world is that the corporate risk landscape is maturing and evolving at a speed that many businesses are having difficulty keeping up with.
Inevitably, CIOs need to lead and drive engagement with the board. They need to translate the complex world of information security and information risk into easily understandable issues and solutions. CIOs must also change their way of thinking and the resulting conversations so information risk can be considered alongside the other risks that boards oversee.
Increasingly, I'm seeing leading CIOs aligning or, better yet, integrating security strategies with business-focused initiatives and projects. This continues to remain a challenge for those that are working in enterprises where security is not regarded as a top issue.
In terms of cyber-security, CIOs need to ask five questions of themselves and their boards:
1. How does cyber-security in general and information security specifically support our business priorities, such as attracting and retaining customers, maintaining or growing a competitive advantage, and fostering innovation?
2. If the worst happened, could we honestly tell our customers, partners and regulators that we had done everything that was reasonably expected?
3. Are we prepared for the future?
4. How can we validate our understanding of our information risks and how they are managed?
5. Should we, as an organization or as a board, be changing our approach?
Engagement is about communicating the value of information security and delivering that value. Ideally, board engagement will be proactive, initiated by the CIO, with the support of senior management, to provide assurance that information risk is being managed appropriately.
Security Risks: It's All About How You Manage Them
Preparation Is Key
Today, the stakes are higher than ever before. High-level corporate secrets and critical infrastructure are constantly under persistent attack and organizations need to be aware of the important trends that have emerged or shifted in the past year, as well as those that they should prepare for in 2014.
Organizations of all sizes are operating in a progressively cyber-enabled world and traditional risk management isn't agile enough to deal with the dangers from activity in cyberspace. Enterprise risk management must be extended to create risk resilience, built on a foundation of preparation, which evaluates the threat vectors from a position of business acceptability and risk profiling. From cyberspace to insider threats, organizations have varying degrees of control over evolving security threats, and with the speed and complexity of the threat landscape changing on a daily basis, far too often I'm seeing organizations being left behind, sometimes in the wake of major reputational and financial damage.
The Time Is Now
While it would be nearly impossible for businesses to avoid every serious incident, few organizations have a mature, structured approach for analyzing what went wrong. Organizations of all sizes must take immediately stock of their present situation in order to ensure that they are prepared and engaged to deal with these ever-emerging challenges.
Three key steps that businesses can take today to ensure that they are best equipped to deal with the challenges of operating in cyberspace are:
1. Prepare for the strategic challenge of operating in cyberspace by adopting a framework or set of policy guidelines, such as the ISF Standard of Good Practices or the NIST Cyber Framework, to begin the process of standardizing and consolidating their approach to being cyber safe. This can be used to improve resilience against low probability and high-impact events that can threaten the survival and success of the organization and to establish a comprehensive control framework to support effective information risk management.
2. Align cyber-security with stakeholder value by benchmarking the organization against standards, other companies and sectors, and gaining an overall picture of information security status across the business. This also allows you to compare performance with other leading organizations and identify areas of weakness for further investigation. From the stakeholder standpoint, it allows you to target spending where it will provide the most business benefit.
3. Assess business impact and risk mitigation focus areas by using a risk assessment methodology. Through a structured process of business impact assessment, threat and vulnerability identification, and relevance to your own business or organization, such an approach allows you to evaluate and select controls to reduce the likelihood of serious incidents occurring.
By adopting a realistic, broad-based and collaborative approach to cyber-security and cyber-resilience, CIOs will be better prepared to apprehend the true nature of today's global cyber-threats and respond properly. This will be of the greatest importance in 2014.
About the Author
Steve Durbin is global vice president of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber-security, BYOD, the cloud and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.
To read his previous CIO Insight article, "The CIO's Secret Weapon: Stakeholder Pressure," click here.