According to the June 2016 Ponemon/IBM study, the average cost of a compromised record in the U.S. was $158 per record and the cost of a cyber breach was estimated at $4 million per incident. If there were ever any questions, this fact certainly elevates cybersecurity to the boardroom of every corporation and the executive committee of every government agency. The purpose of this article is to suggest several key questions which may guide executive discussions about cybersecurity and risk management. The following questions should be viewed as a starting point for further discussions, not as a comprehensive blueprint to resolve cybersecurity concerns.
What questions should a CEO or board member ask to determine the state of cybersecurity?
1) How is executive management informed about the potential impact of cybersecurity threats on business operations and how timely is this information?
2) What is the current risk level and what is our risk appetite? That is, what amount of residual risk are we willing to accept?
3) What federal or state regulations are relevant and how are we meeting these requirements?
4) Are we following established best practices in cybersecurity? If not, why not, and which specific areas are excluded? Are the most appropriate standards, such as those published by ISO, being followed?
5) Do we have comprehensive incident response, business continuity, and disaster recovery plans established and are they being followed? Is an annual independent audit conducted on these critical processes and were steps taken to remediate all findings? If not, why not?
Cybersecurity oversight and governance includes the regular evaluation of cybersecurity budgets, IT acquisition plans, IT outsourcing, supply-chain security, cloud services, incident reports, risk assessment results, and security policies, as well as engagement with information-sharing consortiums. The security industry has come to recognize that the definition of good security has changed from attempting to build an inviolable perimeter to equal parts strong defense and timely, effective response.
Effectively managing cybersecurity risk throughout the enterprise flows from good governance. Good communications between the boardroom and those held accountable for managing cybersecurity provides the opportunity to address vulnerabilities and to create a robust incident response program. Achieving compliance with federal and state regulations should not be mistaken for a comprehensive cybersecurity program. A comprehensive cybersecurity program leverages people, process, and technology to create a set of controls that have been specifically crafted to serve a specific corporation or agency.
A risk-based approach to cybersecurity will produce more comprehensive and cost-effective management of cyber risks than compliance activities alone. Identifying critical assets, determining the business impact of cyber-attacks, and setting priorities are critical first steps in understanding and responding to risk exposure, whether the risks are financial, competitive, reputational, or regulatory. Ongoing and independent risk assessments are essential to identify and prioritize specific defensive actions, allocate resources, and develop policies and strategies to manage cyber risks. In-house reviews are still valuable in that they point out areas that need work, but inadequate separation of duties and conflicts of interest often bias their findings.
Early and effective response to a cyber-attack has been proven to limit damage. Quickly detecting and remediating a data breach saves money. The average time to discover a breach was about 201 days in 2016. That is slightly over 6.5 months, and that is only the average; some breaches are not found for years. Imagine the damage that a hacker can cause in that time, and the liability that a business might incur. When a company discovers and contains a data breach within 30 days, on average about one million dollars is saved per breach. Effective solutions can come only from an accurate understanding of our environment and a willingness to adapt our responses to meet ever-changing challenges.
(Source: Ponemon/IBM Report June 2016)