Manage Tomorrow's Surprises Today

Steven Minsky

Why Mitigating Cyber Risk Should Be a Top Executive Priority


Cyber Risk Needs to Be Prioritized: Points for Improvement


Cyber risks like data breaches and ransomware are too often shrugged aside. The possibility of a cyberattack is rarely ignored outright, but it also rarely receives the attention it deserves. There are a few reasons for this:

  • Risk-based governance vs. technology. Cybersecurity incidents result from internal governance deficiencies as often as from vulnerable technology. 63% of data breaches are caused by weak or infrequently changed internal passwords, according to Verizon's 2016 Data Breach Investigations Report.
  • Some companies delegate cybersecurity responsibilities to a single department. In these cases, one person (a chief technology officer (CTO) or chief information security officer (CISO), for example) heads the whole initiative, and that individual is not directly connected to the other senior executives. This siloed approach is inefficient for all business processes, not just cybersecurity. Risk should be a part of everyone's job description; a true risk-based process cuts across silos.
  • Key personnel overestimate the strength of their cyber programs, increasing the likelihood that an incident will take them by surprise. According to a report by BAE Systems, 96% of survey respondents rate their companies' information security as good or excellent, yet nearly 70% of companies leave themselves vulnerable to attacks by holding cyber training programs semi-annually at best.
  • Organizations naturally assume their data is secure and that the chance of a breach is very small. It's a mistake to think the strength of your cybersecurity defenses doesn't come into play unless your organization suffers an attack. For one, a clean track record doesn't mean there's nothing to worry about. This year alone there have been nearly 700 data breaches and 30,000,000 records exposed, according to the ITRC, and Dwolla was fined by the CFPB for misleading customers about its data security practices even though no breach occurred.


Minimize Cyber Risk with a Dynamic, Risk-Based Approach


There's another motivation for developing a strong answer to cyber risk, as we discussed in a joint webinar - How to Strengthen Cybersecurity with a Risk-Based Approach - with OCEG in September. You can be slapped with hefty risk-management negligence penalties even if there is no attack. As Dwolla - a small, private company - found out the hard way, regulators like the Consumer Financial Protection Bureau (CFPB) randomly select companies to evaluate.

Executives have a personal stake in this process, since "liability for data breaches that affect customers leads directly to the C-suite," according to the Harvard Business Review. Risk management negligence is much easier to prove than fraud, and standards like the Yates Memo and the SEC's proxy disclosure enhancements make it ever more difficult for culpable individuals to hide behind the company.

It's not enough to schedule annual security assessments and then turn to other responsibilities. Cyber threats are constantly proliferating (see our previous post, "New Technology Brings New Risks"). Executives need to start by understanding their current procedures.

The best way to accomplish this first step is by adopting a root-cause risk library, which can be used to push risk assessments to different areas. Risk assessments are the foundation of threat mitigation, and when they reach all the way down to the front lines, they're indispensable tools. As we discussed in our recent webinar with OCEG, risk management creates a common framework for all governance areas to help manage risk and allocate resources towards more effective controls, starting with risk identification.

Executives clearly can't be directly involved in mitigating every cyber risk, but by pushing out standardized risk assessments, they can:

  1. Control the frequency of assessments (rather than being set at once a year, risk assessments can be pushed out at smaller intervals or in response to particular events).
  2. Receive information from front-line managers that demonstrates the alignment between objectives and day-to-day operations.

Designing your cybersecurity program with a risk-based approach makes it standardized, regular, and easy for different departments to understand. It also makes it easy for senior executives to ensure their strategic objectives are incorporated into day-to-day operations.

The majority of breaches can be prevented with an enterprise risk management approach. Target, Wendy's, and many others were breached not because of technology, but because of poor third-party risk management. Cyber insurance is immature and doesn't currently provide protection against third-party breach risks, punitive damages, or class action lawsuits. All of these are avoided with evidence of an effective risk management program.

Assess the effectiveness of your ERM program here.

The uniformity of the risk-based approach allows for the most specialized cyber officials, like the CTO or CISO, to take the lead but still "work with each team to determine ways to reach goals in the most secure fashion," according to the Harvard Business Review.


To learn more about taking a risk-based approach to cybersecurity, download our free eBook, SEC Cybersecurity: An Annotated Guide. Also download our presentation with OCEG, How to Strengthen Cybersecurity with a Risk-Based Approach.




In this blog, risk expert Steven Minsky highlights the differences between traditional risk management and true enterprise risk management, which is about helping things happen rather than preventing them from happening. Manage Tomorrow's Surprises Today is designed to help you think about risk in new ways and learn how to benefit practically from this rapidly evolving field.

Steven Minsky

Steven is the CEO of LogicManager, Inc., the leading provider of ERM software solutions. Steven is the architect of the RIMS Risk Maturity Model for ERM, author of the RIMS State of ERM Report among many other papers, and a RIMS Fellow (RF) instructor on ERM. Steven has conducted ERM and RIMS Risk Maturity Model training for hundreds of organizations around the globe. Steven is a patent author of risk and process management technology and holds MBA and MA degrees from the University of Pennsylvania's Wharton School of Business and The Joseph H. Lauder Institute of International Management. You can reach Steven at steven.minsky@logicmanager.com.
