In this issue of the CyberSurance newsletter we discuss an evolving topic that should be at the forefront of every board of directors meeting – “Managing Cyber Risk”.
Risk Management is a process aimed at reducing an organization’s threat exposure to an acceptable level for sustained business operations. The process should start with risk identification and assessment, and progress with a risk strategy, and ultimately a risk treatment plan.
By taking a proactive approach to identifying threats and vulnerabilities, an organization has the opportunity not only to minimize the associated risks, but also to reduce the costs associated with managing overall security and business operations.
With the explosion in emerging internet-based technologies, public cloud-based computing services, social networking, and other applications, the business and consumer world is changing at an astonishing pace. The result is that attack surfaces keep expanding, cybercriminals keep developing new tricks (and new ways to use old tricks), and security professionals are facing a threat landscape that has outgrown traditional solutions.
Therefore, risk management of cyber threats is especially challenging, given that global threats from cybercriminals, nation states, cyber-spies, hacktivists, malicious users, and cyber-terrorists have raised both the stakes and the urgency associated with maintaining a strong security posture.
Additionally, organizations should not only be concerned with the cyber risks associated with their own infrastructure, platforms, applications, processes, and human factors directly, but also must consider the effects of cyber risks associated with their supply chain or other partnership extensions to their enterprise. This upstream liability adds another layer of complexity to the cyber risk management puzzle and further elevates the importance of a formal cyber risk management program.
Current working practices and the evolving digital landscape make it impossible for organizations to adopt a traditional fortress mentality.
Add to this the state, federal, and industry regulations that continue to roll out, making it mandatory for public and private companies to disclose and manage data breaches. Having a formal Cyber Risk Management plan will allow an organization to communicate effectively between audit committees, senior management, C-Level executives, the board of directors, and regulators. The Board of Directors will need a great deal of information about the status of data exposures in order to make sound decisions. As a consequence, the role of the CISO (Chief Information Security Officer) will continue to grow in significance as the point person for providing leadership and formal governance programs to address security and cyber risk management needs.
It is important to remember that even with all of the best technology and formal processes in place, people are still the weakest link in managing cyber risk. Despite all of the focus on human resources policies and ongoing security awareness training, social engineering is still a major threat today. So what additional steps can organizations take to mitigate this problem? First, information handling is critical. Too often, private information ends up on publicly available servers, even social networks. Consistent, real-world education is an important mitigating factor, but the only way to validate the effectiveness of this training and strive for continual improvement is through proactive penetration testing, periodic security assessments, and regular risk assessments.
CyberSurance is a leader in the cyber-security consulting arena and has served as a strategic partner to many top companies in the financial, healthcare, defense, transportation, communications, entertainment, and ecommerce industries. Our cyber-security consultants have served as Chief Information Security Officers (CISO) and are certified and experienced in ethical hacking, risk management, security management, security auditing, and business consulting. At CyberSurance we develop risk management strategies that take a holistic approach to examining the risk factors associated with an organization’s People, Processes, and Technology.
For organizations that currently do not have the on-staff expertise of a Chief Information Security Officer (CISO), CyberSurance offers a ‘CISO-as-a-Service’ program that provides strategic vision, tactical expertise, and management oversight. CyberSurance has the expertise and experience to put your overall security management program on the right track – consulting services for a secure and resilient cyber-space.