Cyber threats constantly evolve with increasing intensity and complexity; and the ability to achieve mission objectives and deliver business functions is becoming more reliant on information systems and the Internet.
Organizations will face a host of cyber threats, some with severe impacts that will require security measures that extend beyond compliance. According to a 2019 Ponemon Institute Study, the average total cost of a data breach is $3.92 million, and the average size of a breach is 25,575 records.
In an effort to support organizations, we’ve provided 5 Key Discussion Questions for leadership and Key Cyber Risk Management Concepts which support this information.
According to Homeland Security, these are the 5 Questions Leadership Should Ask About Cyber Risks:
- How is our executive leadership informed about the current level and business impact of cyber risks to our company?
- What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
- How does our cybersecurity program apply industry standards and best practices?
- How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
- How comprehensive is our cyber incident response plan? How often is it tested?
Key Cyber Risk Management Concepts
Incorporate cyber risks into existing risk management and governance processes.
Cybersecurity is NOT implementing a checklist of requirements; rather it is managing cyber risks to an acceptable level. Managing cybersecurity risk as part of an organization’s governance, risk management, and business continuity frameworks provides the strategic framework for managing cybersecurity risk throughout the enterprise.
Elevate cyber risk management discussions to the leadership team.
Executive engagement in defining the risk strategy and levels of acceptable risk enables more cost effective management of cyber risks that is aligned with the business needs of the organization. Regular communication between leaders and those held accountable for managing cyber risks provides awareness of current risks affecting their organization and associated business impact.
Implement industry standards and best practices, don’t rely on compliance.
A comprehensive cybersecurity program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to be informed of current threats and enable timely response and recovery. Compliance requirements help to establish a good cybersecurity baseline to address known vulnerabilities, but do not adequately address new and dynamic threats, or counter sophisticated adversaries. Using a risk based approach to apply cybersecurity standards and practices allows for more comprehensive and cost effective management of cyber risks than compliance activities alone.
Evaluate and manage your organization’s specific cyber risks.
Identifying critical assets and associated impacts from cyber threats are critical to understanding a company’s specific risk exposure– whether financial, competitive, reputational, or regulatory. Risk assessment results are key to identifying and prioritizing specific protective measures, allocating resources, informing long-term investments, and developing policies and strategies to manage cyber risks to an acceptable level.
Provide oversight and review.
Executives are responsible to manage and oversee enterprise risk management. Cyber oversight activities include the regular evaluation of cybersecurity budgets, IT acquisition plans, IT outsourcing, cloud services, incident reports, risk assessment results, and top-level policies.
Develop and test incident response plans and procedures.
Even a well-defended organization will experience a cyber incident at some point. When network defenses are penetrated, the leadership group should be prepared to answer, “What is our Plan B?” Documented cyber incident response plans that are exercised regularly help to enable timely response and minimize impacts.
Coordinate cyber incident response planning across the enterprise.
Early response actions can limit or even prevent possible damage. A key component of cyber incident response preparation is planning in conjunction with the Chief Information Officer/Chief Information Security Officer, business leaders, continuity planners, system operators, general counsel, and public affairs. This includes integrating cyber incident response policies and procedures with existing disaster recovery and business continuity plans.
Maintain situational awareness of cyber threats.
Situational awareness of an organization’s cyber risk environment involves timely detection of cyber incidents, along with the awareness of current threats and vulnerabilities specific to that organization and associated business impacts. Analyzing, aggregating, and integrating risk data from various sources and participating in threat information sharing with partners helps organizations identify and respond to incidents quickly and ensure protective efforts are commensurate with risk.
A network operations center can provide real-time and trend data on cyber events. Business-line managers can help identify strategic risks, such as risks to the supply chain created through third party vendors or cyber interdependencies. Sector Information-Sharing and Analysis Centers, government and intelligence agencies, academic institutions, and research firms also serve as valuable sources of threat and vulnerability information that can be used to enhance situational awareness.
Original article published by the Department of Homeland Security https://www.dhs.gov/sites/default/files/publications/Cybersecurity%20Questions%20for%20CEOs_0.pdf
