Cybersecurity risks must be addressed at the executive level through an enterprise-wide risk management framework. While cybersecurity has traditionally been viewed as a technical issue managed by IT, it is critical that top management be fully engaged in cybersecurity risk governance to ensure proper protection is incorporated as a business goal. There are various models for integrating cybersecurity management into risk management structures, with the most effective approach ensuring board visibility, balanced governance of both IT and non-IT risks, and authority across the organization to enforce protocols.
Risk management is one of the main concepts most organisations use to protect their assets and data. One familiar example is insurance: life, health, and auto policies exist to help people protect their assets against losses. Risk management also extends to physical controls, such as locks and doors to protect homes and automobiles, password-protected vaults to protect money and jewels, and police, fire and security services to protect against other physical risks. Dr. C. Umarani | Shriniketh D, "Risk Management", International Journal of Trend in Scientific Research and Development (ijtsrd), ISSN: 2456-6470, Volume 5, Issue 1, December 2020. URL: https://www.ijtsrd.com/papers/ijtsrd37916.pdf Paper URL: https://www.ijtsrd.com/computer-science/computer-security/37916/risk-management/dr-c-umarani
To ensure security, it is important to build security in during both the planning and design phases and to adopt a security architecture that ensures routine and security-related tasks are carried out correctly. Security requirements must be linked to business goals. We identified four domains that affect security in an organization: organizational governance, organizational culture, system architecture, and service management. To identify and explore the strengths and weaknesses of a particular organization's security, a broad model has been developed. This model is proposed as an information security maturity model (ISMM) and is intended as a tool to evaluate an organization's ability to meet its security objectives.
Businesses of all sizes are targeted by hackers to gain access to proprietary and customer data, threatening your ability to operate or even remain open for business.
Learn how to protect your business from threats and position it for growth.
SBIC Report: Transforming Information Security: Future-Proofing Processes (EMC)
This report from the Security for Business Innovation Council (SBIC), sponsored by RSA, contends that keeping pace with cyber threats requires an overhaul of information-security processes and provides actionable guidance for change.
Cybersecurity Governance for Boards of Directors (Paul Feldman)
This paper discusses the emerging issue of Board of Directors governance and cybersecurity. It was originally presented to the Boards of Directors of the IRC (http://www.isorto.org/Pages/Home) in May 2014. The paper is in continuous-improvement mode, with the ultimate aim of being a resource for Boards of Directors in the energy (electricity and natural gas) industry. Suggested updates and improvements are welcome at PaulFeldman@Gmail.com. The current copy is always at http://www.EnergyCollection.us/456.pdf
Mobile Security: 5 Steps to Mobile Risk Management (DMI Marketing)
Hundreds of companies, and the most demanding Federal agencies rely on DMI for Mobile Security services and solutions. And with more than 500,000 devices under management, we know how to do it right.
Now we’ve distilled 9 years of Mobile Security best practices into a white paper you can download. The paper lays out a smart, sensible approach to managing mobile risk without unnecessary cost and business disruption.
Please be our guest and check out the white paper. You'll learn:
- How to identify and protect against the threats that matter the most
- What to do about "the hottest new technologies"
- How to get the most protection for the least cost and disruption
- The key differences and similarities between mobile and traditional cybersecurity
See more at: http://dminc.com/solutions/enterprise-mobility-services/mobilesecuritywp/
How To Handle Cybersecurity Risk PowerPoint Presentation Slides (SlideTeam)
Information technology experts can now take advantage of How To Handle Cybersecurity Risk PowerPoint Presentation Slides. This information security PPT theme infuses top-quality design with data obtained by industry experts. Explain the present situation of the target firm’s information security management employing this PowerPoint layout. The data visualizations featured here simplify the elucidation of complex data such as the analysis of the current IT department. Showcase the cybersecurity framework roadmap and risks of the internet using our PPT presentation. Elaborate on the cybersecurity risk management action plan using the tabular format via this PowerPoint slideshow. Demonstrate the cybersecurity contingency plan with appreciable ease. Our information security management system PPT templates deck assists you in assigning risk handling responsibilities to the staff. Explain the duties of the management in successful information security governance. This PowerPoint presentation also addresses the cost of cybersecurity management and staff training. Hit the download icon and start personalization. Our How To Handle Cybersecurity Risk PowerPoint Presentation Slides are explicit and effective. They combine clarity and concise expression. https://bit.ly/3o0xDkR
Risk Management and Security in Strategic Planning (Keyaan Williams)
This content was originally presented to the DFW chapter of the Society for Information Management. The presentation evaluates the role of risk management and security in the strategic planning process that defines the direction and prioritization of resources used by an organization.
CISSPills are short presentations covering topics to study in preparation for the CISSP exam. CISSPills is a digest of my notes; it is not meant to replace a study book, only to be another companion for self-paced students.
Each issue covers different topics from the CISSP CBK, and the goal is to address all 10 domains that compose the CISSP.
IN THIS ISSUE:
Domain 3: Information Security Governance and Risk Management
- Security and Audit Frameworks and Methodologies
- COSO
- COBIT
- Frameworks Relationship
- ITIL
- ISO/IEC 27000 Series
Security Framework for Digital Risk Management (Securestorm)
A cyber security governance framework and digital risk management process for OFFICIAL environments in UK Government: a pragmatic and proportionate information risk management process that can be used at speed and is compatible with Agile projects. Released under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Security Risk Management: or how to mitigate and manage data risks th... (festival ICT 2016)
Security Risk Management: or how to mitigate and manage data risks through managed services. By Hitachi Systems, festival ICT 2015
Speaker: Denis Cassinerio
Security Business Unit Director, Hitachi Systems CBT
The importance of role management in information security. Information security, and the management of information security, is an important concern today; it is therefore essential to understand the importance of role assignment and role management when implementing security policies and standards.
Information Security - Back to Basics - Own Your Vulnerabilities (Jack Nichelson)
When a security program isn't as good as it should be, it can be tempting to conclude that it needs more resources and solutions. Jack Nichelson decided to take a different approach: simplification. By focusing on fewer problems with bigger returns, he was able to reduce malware by 60 percent and improve the results of his annual penetration-test report. He'll share a back-to-basics case study on removing complexity and running a simple, effective, start-up-worthy security program.
This talk is for: security managers looking to focus on the real vulnerabilities and communicate their progress more effectively.
The goals of this talk: find the real problems, create a formal plan, build support for the plan, and report progress.
Simplifying Security for Cloud Adoption - Defining your game plan (Securestorm)
An approach to adopting cloud services securely. Since security is a major concern for many organisations adopting cloud services, this is a way to start a cloud adoption security strategy cost-effectively, essentially by leveraging existing standards and approaches.
Event security companies in London - www.ieventsecurity.co.uk (Ahsan Gill)
FIRST Security is the UK's largest provider of Security Services, Mobile Patrols, Alarm Response, Prisoner Escort and Court Custodial Services. http://www.ieventsecurity.co.uk
future internet Article ERMOCTAVE A Risk Management Fra.docx (gilbertkpeters11344)
Future Internet, Article
ERMOCTAVE: A Risk Management Framework for IT Systems Which Adopt Cloud Computing
Masky Mackita (1), Soo-Young Shin (2) and Tae-Young Choe (3,*)
(1) ING Bank, B-1040 Brussels, Belgium; [email protected]
(2) Department of IT Convergence Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea; [email protected]
(3) Department of Computer Engineering, Kumoh National Institute of Technology, Gumi 39177, Korea
* Correspondence: [email protected]; Tel.: +82-54-478-7526
Received: 22 June 2019; Accepted: 3 September 2019; Published: 10 September 2019
Abstract: Many companies are adopting cloud computing technology because moving to the cloud has an array of benefits. During decision-making about adopting cloud computing, the importance of risk management is increasingly recognized. However, traditional risk management methods cannot be applied directly to cloud computing when data are transmitted and processed by external providers. When they are applied directly, risk management processes can fail by ignoring the distributed nature of cloud computing and leaving numerous risks unidentified. To address this, this paper introduces a new risk management method, Enterprise Risk Management for Operationally Critical Threat, Asset, and Vulnerability Evaluation (ERMOCTAVE), which combines Enterprise Risk Management and Operationally Critical Threat, Asset, and Vulnerability Evaluation to mitigate risks that can arise with cloud computing. ERMOCTAVE is composed of the two risk management methods, combining each component of one with processes of the other for a comprehensive perception of risks. To explain ERMOCTAVE in detail, a case study scenario is presented in which an Internet seller migrates some modules to the Microsoft Azure cloud. A functionality comparison with the ENISA and Microsoft cloud risk assessments shows that ERMOCTAVE has additional features, such as key objectives and strategies, critical assets, and risk measurement criteria.
Keywords: risk management; ERM; OCTAVE; cloud computing; Microsoft Azure
1. Introduction
Cloud computing is a technology that uses virtualized resources to deliver IT services through the Internet. It can also be defined as a model that allows network access to a pool of computing resources such as servers, applications, storage, and services, which can be quickly provisioned by service providers [1]. One property of the cloud is its distributed nature [2]. Data in cloud environments have become increasingly distributed, moving from a centralized model to a distributed model. That distributed nature causes cloud computing actors to face problems such as loss of data control, difficulty demonstrating compliance, and additional legal risks as data migrate from one legal jurisdiction to another. An example is Salesforce.com, which suffered a huge outage, locking more than 900,000 subscribers out of important resources needed for business trans.
Most organizations have good enterprise-level security policies that define their approach to maintaining, improving, and securing their information and information systems. However, once the policies are signed by senior leadership and distributed throughout the organization, significant cybersecurity governance challenges remain. In this workshop I will explain how to transform organizational security to strengthen defenses and integrate cybersecurity with the overall approach to security governance, risk management and compliance.
What CIOs Need To Tell Their Boards About Cyber Security (Karyl Scott)
Companies are under increasing risks of breaches, theft of intellectual property and erosion of customer trust. CIOs and CISOs need to be able to explain to executive management what's being done to shore up their company's security strategy and defenses.
In January-February 2016, the EIU surveyed 1,100 senior executives on data security practices within their firms. The survey's primary objective was to analyse the differences, if any, between the C-suite and senior IT executives on data security.
The survey sample was recruited from companies with between $500 million and $10 billion in revenues, and is equally representative of the Americas, Asia-Pacific and European regions. The panel came from 20 industries, with no single industry accounting for more than 14% of the total.
This was a survey of senior executives. The C-suite segment, sometimes referred to herein as senior management or corporate leadership, consisted exclusively of C-suite executives (eg CEOs, CFO, COOs). The security segment, sometimes referred to herein as the security executives, consisted of the CIO and those who identified themselves as Chief Data Officers or Chief Information Security Officers (CISOs).
Each panel was asked an identical set of 20 questions, and the results have been reviewed for insight and commentary by a panel of independent experts.
For Corporate Boards, a Cyber Security Top 10 (David X Martin)
Corporate boards of directors have a fiduciary duty to understand and oversee cyber security. For most effective oversight, boards should approach cyber security from a good management-practices perspective rather than a technical perspective.
Cyber-security is the number one technology issue in the C-suite and Board Room. No wonder that many senior executives are asking what they can be doing to stem the tide of cyber-attacks on their firms.
DEPARTMENT CYBERSECURITY What's Your IT Risk Approa (LinaCovington707)
DEPARTMENT: CYBERSECURITY
What's Your IT Risk Approach?
Risk is the likelihood that a loss will occur. Losses occur when a threat exploits a vulnerability. To identify risks, you need to identify the threats and vulnerabilities and then estimate the likelihood of a threat exploiting a vulnerability. Risk management starts with an understanding of the threats and vulnerabilities, after which the appropriate mitigation action is identified. It is a series of coordinated activities to direct and control challenges or threats to achieving an organization's goals. Enterprise Risk Management (ERM) is an organization-wide approach to addressing the full spectrum of the organization's significant risks by understanding the combined impact of risks as an interrelated portfolio, rather than addressing risks only within silos.
Cybersecurity risk is the risk to an organization's operations (mission, function, image, reputation), organizational assets, individuals, and the nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. Information system-related security risks are those that arise through the loss of confidentiality, integrity, or availability of information systems. Cyber risk, like any other type of risk, cannot be eliminated; it must be managed. Effective cybersecurity demands the shared responsibility of all. The management of organizational risk is a key element of an enterprise-wide information security program that provides an effective framework for minimizing risks from security threats.
The objective of a cybersecurity risk-management program is to provide an integrated view of IT risk across the entire organization and to ensure that risk issues are integrated into the strategic decision-making process to further the achievement of performance goals. Within the US Department of Education's Federal Student Aid (FSA) cybersecurity risk-management program, the objective is to strengthen information technology systems' security through effective risk management: understand the threats and vulnerabilities, and then mitigate the risks or reduce the potential impacts. Effectively managing cybersecurity risk is a continuous activity and requires communication across all levels of an organization.
OMB Circular A-123, Management's Responsibility for Enterprise Risk Management and Internal Control [1], requires all federal agencies to implement an ERM capability. ERM is the discipline that identifies, assesses, and manages risks, concentrating effort on key points of failure and reducing or eliminating potential disruptive events. ERM is part of the overall governance process and an integral part of cybersecurity risk management, ensuring that actions taken support the enterprise mission and goals. It provides a holistic approach to managing risk opportunistically to achieve maximum results for the ...
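The risk model in the excerpt above (risk as the likelihood of a threat exploiting a vulnerability, scored against impact, and ERM's insistence on a portfolio view rather than silos) can be made concrete with a small register. The following is an added example, not code from the article or from FSA: it scores each risk as likelihood x impact, picks a treatment against a risk-appetite threshold, and then contrasts a silo view (worst risk per business unit) with a portfolio view that aggregates risks sharing a single point of failure. The 1..5 scales, the appetite threshold, the treatment rules and every sample risk, unit and dependency name are assumptions constructed for illustration.

```python
"""Risk register: silo view vs. portfolio (ERM) view.

Added illustration, not code from the article. Scales (1..5), the risk
appetite threshold, treatment rules and every sample risk are assumptions
constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    rid: str
    unit: str            # business unit that owns the risk (the "silo")
    threat: str
    vulnerability: str   # what the threat exploits
    likelihood: int      # 1 (rare) .. 5 (almost certain)
    impact: int          # 1 (negligible) .. 5 (severe)
    depends_on: frozenset = frozenset()  # shared dependencies / single points of failure

    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.rid}: likelihood and impact must be on a 1..5 scale")

    @property
    def score(self) -> int:
        # risk = likelihood of the threat exploiting the vulnerability x loss if it does
        return self.likelihood * self.impact


def treatment(risk: Risk, appetite: int) -> str:
    """Pick a treatment. Thresholds are assumed, not taken from the article."""
    if risk.score <= appetite:
        return "accept"
    if risk.likelihood >= 4 and risk.impact >= 4:
        return "avoid"      # too likely and too damaging to keep doing it this way
    if risk.impact >= 4 and risk.likelihood <= 2:
        return "transfer"   # rare but severe: insurance / contractual transfer
    return "mitigate"       # add or strengthen a control


def silo_view(risks) -> dict:
    """Worst single risk per business unit: what each silo reports upward."""
    worst: dict = {}
    for r in risks:
        worst[r.unit] = max(worst.get(r.unit, 0), r.score)
    return worst


def portfolio_exposure(risks) -> dict:
    """Aggregate risks that share a dependency so concentration becomes visible.

    A shared dependency fails once and hits every unit that relies on it, so the
    combined impact is summed across units while likelihood stays that of the
    most exposed unit.
    """
    by_dep = defaultdict(list)
    for r in risks:
        for dep in r.depends_on:
            by_dep[dep].append(r)
    return {
        dep: {
            "units": sorted({r.unit for r in group}),
            "aggregate_score": max(r.likelihood for r in group) * sum(r.impact for r in group),
        }
        for dep, group in by_dep.items()
    }


def top_concentration(risks) -> str:
    """Dependency whose shared failure carries the largest aggregate score."""
    exposure = portfolio_exposure(risks)
    return max(exposure, key=lambda dep: exposure[dep]["aggregate_score"])


def register_report(risks, appetite: int) -> list:
    """Rows of (id, unit, score, treatment), highest score first."""
    rows = [(r.rid, r.unit, r.score, treatment(r, appetite)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; hypothetical units, threats and dependencies.
SAMPLE_RISKS = [
    Risk("R1", "Sales",   "ransomware",            "unpatched VPN gateway", 3, 4, frozenset({"vpn-gateway"})),
    Risk("R2", "Finance", "ransomware",            "unpatched VPN gateway", 3, 3, frozenset({"vpn-gateway"})),
    Risk("R3", "HR",      "credential phishing",   "no MFA on webmail",     4, 3, frozenset({"idp"})),
    Risk("R4", "Ops",     "cloud provider outage", "single-region deploy",  2, 5, frozenset({"cloud-region"})),
    Risk("R5", "Finance", "cloud provider outage", "single-region deploy",  2, 4, frozenset({"cloud-region"})),
]
RISK_APPETITE = 9  # assumed: scores at or below this are accepted


if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS, RISK_APPETITE):
        print("%-3s %-8s score=%2d  %s" % row)
    print("silo view        :", silo_view(SAMPLE_RISKS))
    print("portfolio view   :", portfolio_exposure(SAMPLE_RISKS))
    print("top concentration:", top_concentration(SAMPLE_RISKS))
```

Run as a script, the silo view reports no unit above a score of 12, which looks tolerable unit by unit; the portfolio view shows the shared VPN gateway carrying an aggregate score of 21 across two units, which is the kind of concentrated exposure the excerpt says a silo-by-silo approach leaves unidentified. The scales and thresholds are placeholders; in practice they come from the organization's own risk appetite statement.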
SpringOne 2021
Session Title: Treating Security Like a Product
Speakers: Alex Barbato, Solutions Architect at VMware; Hannah Hunt, Chief Product and Innovation Officer at U.S. Army Software Factory
Assessing and Managing IT Security Risks (Chris Ross)
Data privacy and protection has become the gold standard in IT. Scale Venture Partners and Wisegate share what they learned from over 100 IT professionals questioned about the risks and technology trends driving their security programs. Read about the move towards data centric security and the need for improvement in automated security controls and metrics reporting.
Similar to AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016
INSIGHT | Information Management | March 2016
Cybersecurity and Risk Management: Lead from the C-suite
Today's increasing reliance on information technology and industrial control systems in both the private and public sectors means cybersecurity risks must be addressed like any other business risk and integrated into an enterprise-wide risk management framework. Many top management teams still view cybersecurity as too technical an issue to manage at the executive level, but it is more vital than ever that procedures for handling such concerns be incorporated into an overall risk management regime.
It is more than a question of semantics. Enterprise risk management frameworks fit the standards and definitions stipulated by international certification bodies and national regulators for dealing with a vast array of legal, compliance, and international certification issues. Those frameworks, standards, and definitions in turn affect how litigation, insurance, and organizational liability are determined.
Most important, organizations that apply globally recognized enterprise risk management standards and practices to cybersecurity issues offer their clients and customers the most thorough level of protection, one that reflects best practices.
The scope of cyber risk management and best practices has evolved beyond mere 'prevention' of cyber risks; it now encompasses responsibility for detecting cybersecurity incidents and the capability to respond to them. That detection and response require a more nuanced approach to risk management.
Every company in a connected world faces threats that can imperil the very lifeblood of a modern business: its data and its brand. And the constant increase in cyberattacks means it is not a matter of whether an attack occurs, but when.
How a company prepares for cybersecurity has implications for the entire organization. Top management must be fully engaged in order to make proper use of the people, process, and technology controls that address the threats, while incorporating the goal of protection into the business's overall aims.
Several models of effective cybersecurity risk governance plans
are available that can fulfill the requirements of effective overall
enterprise risk management. Certain guidelines help do that
effectively by addressing cybersecurity issues from preventive,
detective, and reactive perspectives, thereby forming a
well-defined first line of cyberdefense. That first line of
cyberdefense includes the establishment and implementation
of access controls, a security operations center, security incident
management processes, and vulnerability assessments and
penetration tests. Those things are usually put in place and
managed by a team of people with cybersecurity technical
backgrounds. In most cases, a cybersecurity operations team
reports to the chief information officer, chief technology officer,
or IT department.
A cybersecurity management team of people with backgrounds
in business cybersecurity is required in order to provide the
second line of cyberdefense. It monitors the effectiveness of
the technical controls the operations team has implemented,
and it makes sure the company satisfies regulatory requirements
while managing cybersecurity risks.
Cybersecurity risks have caused concern ever since 1969, when the first nodes of
data were transmitted through the precursor to the World Wide Web. The
World Economic Forum¹ now ranks those risks as the fifth-greatest threat to
global stability—bested only by war, drought, climate change, and widespread
unemployment. The relentless evolution of cybersecurity threats should prompt
corporate leaders to deal with them from the C-suite rather than leaving their
risk management to the information technology (IT) department.
¹ World Economic Forum, "The Global Risks Landscape 2015," accessed January 20, 2016, http://reports.weforum.org/global-risks-2015/#frame/20ad6.
INSIGHT | Cybersecurity and Risk Management: Lead from the C-suite
The cybersecurity management team must be distinct from the
team responsible for the aforementioned technical activities. In
some cases, it’s better when the two functions do not share the
same reporting chain. That’s because specifying that only one
of them is to report to the chief information officer inculcates
cybersecurity responsibility through a wider swath of top
management and avoids potential conflicts of interest.
An enterprise risk management framework gives greater legal
and regulatory protection, but it’s not a cure-all for the ever-expanding
range of cyberthreats. Assessing the likelihood of
cybersecurity risks is inherently difficult because available
historical data on cybersecurity incidents is limited, because
detected incidents represent only a small portion of those that
actually occur, and because technical vulnerabilities are always
on the increase. In general, it’s safe to assume the risk is about
20% greater than what can be observed.
There are several models of cybersecurity risk governance plans
that can reach throughout a business. Even though none are
perfect, their differences reflect variations in company size, in
the number of people involved, and in the cost of implementing
a regime that follows the enterprise risk model.
FIGURE 1: Cybersecurity management and operations within IT
(Organization chart; boxes shown: Board, CEO, Risk Management, Internal Audit, IT, Infrastructure, Application Support, Application Development, Cybersecurity Management and Operations.)
Small and medium-size enterprises generally follow a model
that makes no distinction between cybersecurity management
and operations (figure 1). Although a commonly used model, it
sometimes prevents a deep-rooted cybersecurity and risk
management focus throughout the entire business.
Pros:
- Fewer resources required because it’s only one team
- Enables close management of cybersecurity risks related to IT assets
Cons:
- Violates the segregation principle, meaning that cybersecurity is in the hands of the same people who must define, implement, and assess the organizational risk controls
- Top management lacks visibility on cybersecurity risks. Makes it difficult to create a business case, limits internal investment, and eventually increases overall exposure to cybersecurity risks
- Lack of integration between cybersecurity risks and other enterprise risks
- Governance of cybersecurity risks limited to IT assets
- No enforcement authority or ability to collaborate with other business units
FIGURE 2: Cybersecurity management segregated from operations but within IT
(Organization chart; boxes shown: Board, CEO, Risk Management, Internal Audit, IT, Infrastructure, Application Support, Application Development, Cybersecurity Management, Cybersecurity Operations.)
In this scenario, the cybersecurity management team and the
cybersecurity operations team are separate, but both of them
report to the IT manager (figure 2). That structure can help with
the technical aspects of risk management, but it might not give
top management enough visibility about cybersecurity risks—
and those cybersecurity risks may not be considered in
alignment with other business risks.
Pros:
- Keeps governance and operations separate, enabling more-effective management of cybersecurity risks
- Good management of cybersecurity risks related to IT assets
Cons:
- No board and top management awareness of cybersecurity risks, limits internal investment, and eventually increases overall risk exposure
- Lack of integration between cybersecurity risks and other enterprise risks
- Governance of cybersecurity risks limited to IT assets
- Limited authority to enforce risk protocols or to collaborate with other business units
FIGURE 3: Cybersecurity management within risk management
(Organization chart; boxes shown: Board, CEO, Risk Management, Internal Audit, IT, Infrastructure, Application Support, Application Development, Cybersecurity Management, Cybersecurity Operations.)
In this scenario, the cybersecurity management team and the
cybersecurity operations team are completely segregated—both
operationally and in their reporting chains (figure 3). Most likely,
cybersecurity risks have been integrated into the overall enterprise
risk management framework. In some cases, the cybersecurity
management team will be installed within risk management.
Pros:
- Separate governance and operations enables more-effective management of cybersecurity risks
- Balanced management of cybersecurity risks between IT and non-IT assets
- Integrates cybersecurity risks and other enterprise risks
Cons:
- Limited board and top management awareness of cybersecurity risks
- Limited authority to enforce risk protocols or to collaborate with other business units
FIGURE 4: Cybersecurity management reporting to the CEO
(Organization chart; boxes shown: Board, CEO, Risk Management, Internal Audit, IT, Infrastructure, Application Support, Application Development, Cybersecurity Management, Cybersecurity Operations.)
In this scenario, the cybersecurity governance team reports
directly to the CEO, with a dotted line reporting to internal audit
(figure 4).
Pros:
- Top management fully aware of cybersecurity risks
- Separate governance and operations enable more-effective management of cybersecurity risks
- Balanced management of cybersecurity risks between IT and non-IT assets
- Authority to enforce risk protocols or to collaborate with other business units
Cons:
- Lack of integration between cybersecurity risks and other enterprise risks
Organizing the governance of cybersecurity risks would likely
require variations on these frameworks to suit individual
companies. In that same vein, following are guidelines for
defining a medium-term cybersecurity road map with the
appropriate budget. A company must prepare a list of initiatives
that explain how to reduce risk within the risk appetite limits
defined by the enterprise risk management framework. Here are
some essential steps to follow:
- Define and quantify the required investment. This is the money required to buy hardware, software, or services needed. It may be divided into operating expenses and capital expenditures.
- Determine the level of effort required. This is the number of man-hours required of internal employees to implement the plan. The number might be divided between the cybersecurity operations team, IT personnel, business lines, and, eventually, external service providers.
- Describe the desired risk reduction. This is a description of the intended extent of risk reduction.
- Set the elapsed time for accomplishment. This is the amount of high-level-management time required to deliver the initiative.
A cost–benefit analysis, performed possibly by using a data
visualization tool, can demonstrate the cost of each part of the
initiative and compare it with its projected benefits. The analysis
can lead to a two- or three-year plan that stands as a robust
cybersecurity road map for the entire organization. Don’t be
surprised to discover that the initiatives with the best cost–benefit
ratio come from the people category, because the human factor
is typically the weakest link in the cybersecurity chain.
Monitoring implementation of the road map
Finally, and most important, monitor the implementation of the
framework according to the established road map. This can be
supported by a business’s internal audit function for achieving
consistency and maximum effectiveness. Perform annual risk
assessment exercises, and periodically reevaluate the company’s
current risk posture. Cybersecurity risks are always evolving,
external threats are always broadening, and a business’s
vulnerabilities are always changing. But with top management
and board involvement as an integral part of the risk management
process, companies that apply international enterprise risk
management standards to cybersecurity risks acquire a coherent
and comprehensive organizational defensive posture for
navigating the rapidly evolving, connected business climate.