Many of the discussions around risk and cybersecurity dive down in the weeds. It's time for managers to take a step back and breathe.

It feels like almost every week yet another ransomware attack strikes. The recent Petya attack spanned the globe and eluded detection and prevention by corporate defenses.

All indications show our ability to address the mounting threats is insufficient. The recent survey, "Majority of organizations are in the dark regarding daily network attacks" illustrates the point.

So what should the board, top management, risk practitioners and internal auditors do?

Board members, executives and practitioners need to take a breath and step back.

Look at the Big Picture, Not the Weeds

Ask yourselves these questions:

  • We are being attacked constantly. What would happen if and when there is a breach of our defenses and we are held to ransom? What would the consequences be? How would our corporate objectives be affected by an inability to use the systems until the threat is removed, probably by paying the ransom? Do we have a response plan and process in place to act quickly enough?
  • What if the breach led to a longer period of disruption? How would that affect our business and our ability to achieve our strategic objectives? How confident are we in our ability to respond and bring our systems back quickly?
  • On the other hand, what if the hackers wanted to steal confidential information, our intellectual property, or information they could use to attack our partners and customers? How confident are we that we would be able to prevent or detect a breach by such hackers, know what they have taken, and then respond to mitigate any damage? How would our business be affected? What strategic objectives might fail?

Then ask how much you would be willing to pay to prevent any of the above. Is it more than currently dedicated? Would committing additional funds and resources reduce the risk sufficiently?

I am not persuaded that any but a few massive organizations can afford all the resources, including tools, to satisfactorily address the risk. I would ask whether it would make more sense to use a cybersecurity service provider. They have the specialists with current knowledge and the tools necessary.

But first you have to know how the business would be affected: what effect would one or more cyber breaches have on the business?

Cybersecurity and Cyber Risk

Risk and audit professionals should be paying attention to cyber risk, and should be asking:

  1. Does the organization have a good handle on the organization’s cyber-related business risk, as discussed above?
  2. Does leadership, from the CEO down to and including the information security team, have confidence that there is an acceptable level of prevention and detection, that the risk they are taking is acceptable?
  3. Is the information security team sufficiently resourced, in their opinion? If not, why do they believe there are gaps and why has management not provided additional funding? Is it because the practitioners and executives have a different view of cyber risk; is it because resources need to be allocated to more important areas — and that is appropriate? Can the risk or audit practitioner help bridge the gap in understanding between management and the information security team?

Only after addressing these questions and related issues would I dive into assessing individual or groups of weeds — the detail.

Understand the big picture and the level of cyber-related business risk before assessing individual vulnerabilities, defense, detection and response mechanisms.

Do you agree? I welcome your views.