BreachExchange mailing list archives

Cyber threats demand executive not just IT skills


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Nov 2014 18:54:46 -0700

http://fedscoop.com/commentary-cyber-threats-demand-executive-skills/

It seems that every week we read about another cyber incident or data
breach on the front pages of online or print news publications. While
breaches of banks and retailers are now routinely part of that news, so are
more worrisome threats.

Consider the latest acknowledgement from the Department of Homeland
Security that Trojan software has successfully penetrated the critical
infrastructure of the U.S., dating back to 2011. This is just another
indicator of the scale and scope of the constant cyber threat the entire
nation is under — and the fact that while business remains the lead target,
hackers are actively penetrating the core of American enterprises.

What’s not getting a lot of attention is how top management at
organizations continue to treat these incidents as an IT problem rather
than a strategic challenge that, among other things, requires the kind of
project management resources that routinely go into critical investments.

Businesses are starting to get the message, but government agencies need to
as well. A Risk Based Security study of 2013 data breaches found that the
business sector was the biggest target of cyber attacks, followed by the
government, then health care and education.

Let’s consider two incidents in the government sector. The first incident
involved hackers who breached the computer networks at the White House. The
second breach occurred at the U.S. Nuclear Regulatory Commission.

While no classified documents appear to have been stolen from either of
these breaches, the unsettling fact that hackers were able to penetrate
systems in these organizations, which demand best-in-class security
measures, speaks volumes about the ability of cyber attackers to crack even
the most sophisticated defenses and the cyber threat level as a whole.

A better indicator comes from a Government Accountability Office report
released in April. The GAO report disclosed security incidents involving
personally identifiable information reported by federal agencies had more
than doubled over the past five years to 25,566 in 2013.

Many attribute the frequency of cyber incidents and data breaches to the
sophistication of the cyber attacks. But what’s less apparent is the cost
of the incidents to organizations and the economy as a whole.

The Ponemon Institute’s 2014 “Cost of a Data Breach” study released in May
estimated that on a global basis, the mean annualized cost for
organizations to respond to cyber attacks averaged $7.6 million per year.
The average in the U.S. was a bit less, at $5.9 million. Those figures are
for cyber incidents and data breaches involving 100,000 PII records, not
the mega breaches that involve tens of millions of records that have
received the vast majority of media attention.

All this signals the fact that data breaches are more than a chief
information officer or even a chief financial officer issue. They have
become a management issue that impacts entire organizations and their
partners. As a result, more cyber incidents and data breaches, in fact, are
not only landing on the desks of CEOs and senior management within breached
organizations but also their boards of directors.

It’s obvious all organizations — governmental and private sector — must
improve their responses to cyber incidents and data breaches, and begin to
treat them as a strategic management imperative not just a forensics and
mitigation project.

But think of it another way: How many initiatives have an annual budget of
$7.6 million and go without formal management practices being applied?

Multimillion-dollar projects usually call for a dedicated program or
project manager. This isn’t an option. And it shouldn’t be an option
managing a host of decisions that must be made in responding to cyber
incidents.

For years, the usual response to data breaches fell under the purview of
the technology department. But those days are clearly over. The costs,
complexity and overall consequences of these events have grown to the point
where they now demand — or should elicit — the appropriate attention of the
senior executives within most organizations.

Experienced professional program and project managers are beginning to be
put in place to manage the complexity of these and related initiatives, and
hopefully reduce the overall risk.

Given the complexity, scope and potential costs of cyber attacks, PMs will
certainly have their hands full; in many ways, their challenges are far
greater than for typical projects, in part because of the span of players
that inevitably must respond to a cyber attack. However, their role is
essential to keep organizations focused on the right things, getting those
things done correctly and making sure they’re addressed in the proper sequence.

Organizations also must begin thinking about creating a cyber incident
response team that answers the call to sudden requests to respond to
suspected or confirmed cyber incidents and data breaches. Legal,
communications, public relations, operations and finance departments and,
of course, the IT department have become common participants, and all play
major roles in the cyber incidents and data breaches that occur today.

While most incidents share some common factors, the truth is, each also has
unique characteristics that influence the way the organization responds to
and manages these events.

This much you can count on: Sooner or later, your organization will get
attacked, it will take time to respond and recover, and it is going to cost
a fair amount of money.

Cyber incidents and data breaches are a fact of the modern online,
technologically sophisticated and connected world in which we live and
work. Failure to enact formal response practices, including project
management disciplines, in response to these costly events is clearly a
material weakness that must be rectified.

As one management consultant put it, it’s not hard to understand how a $7.6
million project mysteriously becomes a $12 million disaster when proper
project management is not applied.

The biggest challenge we all face at this point is the limited number of
project managers who have actual experience dealing with the challenges of
a cyber incident or data breach. That said, given the frequency of
successful attacks, it won’t be long before organizations get the message
and the shortage of cyber response project managers begins to correct
itself — hopefully sooner than later.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/