Survey: Cyber Risks Ignored by Boards Could Contribute to National Catastrophe - Page 2

For instance, and this isn't in the report, we learned that risk managers were popular in financial firms before the collapse of the last decade, and it is believed that all they did was make those who were actually making the decisions feel that someone else owned the risk. That made the real decision makers more likely to take unreasonable risks, so instead of mitigating the problem, risk managers unintentionally contributed to the collapse. The survey unfortunately also showed that security teams were underfunded and under-resourced, in most cases staffed only by part-time, poorly trained personnel.

Even if one third of companies are protected, should two thirds of the utilities, government agencies and global corporations (like, say, the phone and network infrastructure companies) fail, it is doubtful the protected third will be able to keep operating, regardless of the work they have done.

Recommendations

I ran a security team at IBM and the security service at Giga Information Group years ago, and I'm going to enhance the recommendations made in the survey with some of my own. (We put up a slideshow of the survey's recommendations if you want to share it with your people.)

Commitment to strong security has to come from the top. Executives and board members need to understand that they will be the ones explaining to customers, investors and government enforcement agencies why they didn't adequately protect their firms, especially given that a third of their peers are doing so.

Make sure security rules and requirements are in place and set from the top. Internal audit should be commissioned in firms where it is not already (this was part of my mission when I was an auditor in charge) to confirm that adequate protections are in place and to report to the board on the adequacy of security. This should be done no less than annually, and the board should receive progress reports no less than monthly on any open critical exposures until they are mitigated.

Boards should ask for and receive regular reports (at least quarterly) on known threats and whether the firm is mitigating them adequately.

The security budget should be broken out of the CIO's budget and aggregated, covering both physical and electronic protections. This is no more a "discretionary" expense than insurance is, and it must be adequate to protect against a catastrophic event. That also means actual insurance against related losses should be in place as well.

Finally, disaster recovery plans should assume the likely failure of key portions of the firm's infrastructure, from utilities to suppliers, should a regional or national attack succeed. These plans shouldn't cover just the site, either, but also what employees should do if telephone and Internet services go down or their work sites become unusable.

Wrapping Up: Out of Sight Shouldn't Be Out of Mind

With governments moving to cyber attacks, which can spread beyond their intended targets, Anonymous-like organizations picking broad targets, and criminal attacks becoming more prevalent (and more expensive), boards and executives ignore this risk at their own, and their firms', peril. This survey shows that the time to start mitigating these exposures was years ago, and that companies that don't come up to speed may not be around to regret their lack of focus. It also suggests that an attack, were it collectively damaging, could wipe out businesses and infrastructure on a national, if not global, scale. Our very survival may depend on companies and governments becoming more serious about making sure they don't become part of the coming catastrophe.


