Priorities are a nasty thing, and executives and boards can be so overwhelmed with tactical problems tied to revenue generation, customer acquisition and retention, and new products that they simply don't have the time to look at anything else until there is a crisis. That's when their perspective suddenly changes, often along with their long-term job prospects.
Cyber risk is one of those things that can jump up out of nowhere, particularly with groups like Anonymous active, and bite these unsuspecting leaders on the butt with a vengeance. Yet, at RSA, the cyber survey from Carnegie Mellon's CyLab, funded by EMC, once again showcases that top executives continue to ignore huge risks that could cost them their jobs and, in extreme cases, even force the firm into bankruptcy protection.
This is the first worldwide survey, and it clearly showcases that the unfortunate lack of focus and concern is not just a U.S. problem but could represent a level of global exposure that would be catastrophic for many governments if adequate protections aren't put in place. Given that this isn't a one-company problem, it also suggests that contingency plans be put in place to allow a firm and its employees to survive a successful national or global infrastructure attack and failure.
Let's explore this.
The key findings are pretty simple and concrete - and troubling. The recommended process is to have solid oversight in place, such as setting key top-level policies on security and privacy, and overseeing the related budgets to assure they are adequate. Much like assuring the company's intellectual property is adequately insured, it is critical to make sure the firm is adequately protected against breaches and that the related financial losses won't cause the firm to fail. The good news in this survey is that nearly one-third of the boards and senior executives are looking at these risks aggressively, suggesting that should a successful attack occur, this same proportion might survive it. While the survey also found that risk committees and cross-organizational teams had been formed and were in place, neither was seen as adequate.