BreachExchange mailing list archives

Adding Cyber Security to Corporate Risk Management


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 23 Dec 2014 19:39:06 -0700

http://www.jdsupra.com/legalnews/adding-cyber-security-to-corporate-risk-06027/

Corporate boards and senior management like to focus on business. They love
the numbers, the strategy and the success of a business operation. They
have a passion for it, and that is why they are sitting on a board or managing
a global company.

They do not like to talk as much about risks, much less plan for them. When
it comes to information governance and protecting the company from hackers
and cyber-intruders who can harm the company, corporate leaders inevitably
turn to their information technology specialists.

This dynamic has to change. Information governance is now part of the
corporate risk management fabric. If you look at all the data breach
incidents, one significant omission is the failure of the company to have
in place an incident response plan to escalate and minimize any damage.

More than an incident response plan is needed these days: companies have to
devote resources and attention to assessing data vulnerabilities and
protecting against hackers and other intruders. At the same time, companies
face serious internal risks created by BYOD policies and practices, as well
as simple employee mistakes.

Cyber risks have become a fundamental focus for investors, and the SEC
requires disclosures of material events relating to cyber intrusions. So
far, few companies have made such disclosures.

Corporate boards have to become proactive in this area – they need to ask
the tough questions.

- Does the company have an incident response plan in place to reduce the
impact of a security breach?
- Are the key stakeholders assigned specific roles in this process?
- Does the board have a reporting mechanism in place to monitor these
occurrences and ensure that the company responds appropriately to such an
incident?

It is easy to focus on the crisis management scenario without adequately
investing in the up-front measures that protect against a cyber intrusion.
Companies have to spend more on the proactive approach to minimize risks.
This is a familiar refrain when addressing a number of risks, but when you
consider the financial and reputational damage from a cyber attack, a
company has to prioritize cyber risks.

Cyber security is not just an issue that should be relegated to the
information technology specialists. Board members and senior managers have
to become more familiar with technology issues in order to manage these
risks. Reporting lines and authorities have to be made clear well in
advance of a cyber attack so that the risks can be managed.

Finally, once a governance structure is put in place to address these
issues, the company has to devote time and energy to testing its incident
response. Companies will quickly learn that some strategies work and some
do not. Call it a cyber fire drill, but such exercises are well worth
the time and attention in order to avoid disastrous events.

In addressing cyber risks, companies often ignore the risks created by
their vendors. Companies have to assess the risks that vendors create for
them. It is too easy to ignore vendor risks and focus only on internal
risks. A vendor-created cyber security risk complicates both risk
management and incident response, and usually spills into lengthy and
complex litigation.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 