Current IT-related news is a non-stop parade of data theft and cyber security breaches. It isn’t really that the threat of attack has gotten worse so much as that accountability expectations have risen because of exposure by the media. Since the big Target breach nearly 2 years ago, the media has reported on an ever-growing number of breaches and on the cost of dealing with those breaches after they occur. This media coverage is making a lot of business leaders sit up and take notice, though maybe not for the right reasons. The potential risk to operations in real dollars has caught the attention of nearly everyone. Recovering from the 2013 breach has cost Target over $200 million. That is a serious threat to investors and the bottom line. Target isn’t the first company caught having to deal with these unexpected blows to its wallet, and it won’t be the last. Target does, however, seem to be the tipping point that has pushed cyber security out of the sole domain of IT and into the domain of operational risk management, where frankly it should have been all along.
Presidents, CEOs, and boards of directors are calling for strategies to manage and mitigate what they now perceive and understand to be a real risk to their companies. Small businesses, too, are starting to take notice of the very high cost of a breach and how devastating it would be to recover from one.
It is a very long road between where most businesses are in developing cyber risk management policies and where they need to go. One stopgap measure that has gained traction is the purchase of cyber risk insurance. These policies cover costs related to data breach and data loss that are incurred when going through the data breach notification process, as well as some compensation for loss of business due to loss of customer confidence. While this is a great first step in protecting the business from risk, it doesn’t reduce or manage the risk; it just offloads it someplace else. What is needed is a strategic approach to managing, mitigating, and minimizing risk. This strategy needs to take a holistic view of the business and the data within it. Prioritizing the most sensitive data and processes will help to manage the cost and reduce the time and resources wasted securing systems and data that don’t need as much attention.
Once you have a clear strategy, the next step is to begin implementing best practices and reviewing the outcomes. This is where a cyber security framework comes in very handy. Most businesses have to develop their own, starting nearly from scratch for each new project. In 2014 the National Institute of Standards and Technology (NIST) released a Cyber Security Framework in an effort to fill this need, though adoption has been slow due to the limited resources available to support it once it is implemented. The framework does have merit: it is built on a clear, repeatable structure with clear goals and the measurable outcomes that business leaders want to be able to see. The NIST framework is built on five core functions that relate to managing and mitigating cyber security risk: Identify, Protect, Detect, Respond, Recover. These functions are supported by a number of existing IT governance frameworks, such as COBIT and ITIL, as well as industry best practices that have been categorized under each function.
Implementing existing best practices and governance frameworks as part of a cyber security risk management strategy will reduce the cost of implementing the strategy over time. When used as part of a cyber security framework, they also give IT a clear way to report outcomes and data on the effectiveness of the strategy to business leaders, who now need to make decisions about cyber security risk that they once left up to IT. Cyber security is not just an IT problem, and now more than ever, communicating with business leaders about cyber security in a way they understand is of the highest importance.