Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

The Questions All Organizations Need to Answer When it Comes to Cybersecurity

By Chris Moschovitis, Chairman & CEO of tmg-emedia, inc. 

“What we’ve got here is failure to communicate!”

– The Captain, Cool Hand Luke

This failure between cybersecurity professionals on one hand, and business and government leaders on the other, is costing us billions and putting our institutions and democracies in harm’s way.

According to ISACA’s State of Cybersecurity survey, cyber-attacks are on the rise and will continue to increase, with 50% of security leaders experiencing a higher volume of attacks in 2018 than in 2017.

ISACA’s State of Cyber report 2018

If we stand a chance of managing the rising volume of attacks, we must firstly define how best to communicate as an industry. How do we bridge this gap and build effective cybersecurity programs?

We start by developing a common language – a way for both of us to engage in this shared responsibility. Think of it this way, we all know enough about our car to talk to our car mechanic, maybe even change the occasional tire. We all know enough about medicine to have a meaningful conversation with our doctors (thank you Dr. Google!) And, we know enough about law to call our lawyer when we’re in trouble!

cyberattacksI’ll go a step further: There is no CEO worthy of the “C” that can’t “speak” fairly fluently finance, marketing, strategy and operations. But… the moment we bring up cybersecurity, eyes glaze over, palms sweat, bodies start fidgeting in place. Frequently, the answer might as well be something like: “IT will take care of this! We keep them in a dark room with lots of tiny blinking lights and throw them some raw meat every other day. They keep us running and protected. No worries!”

Wrong answer!

To begin with, IT creates value and cybersecurity protects value – two parallel tracks. You should not have one reporting into the other; there is an obvious conflict of interest! The way we need to be thinking about cybersecurity, from a governance perspective, is not as a technology problem, but as a risk management problem. And, who’s responsible for risk management? If you said the board of directors, you are right! In their absence, it is the owners of the firm. Sometimes the owners are themselves members of the C-Suite, other times, not. Irrespectively, the only ones that can accept risk, including cybersecurity risk, are the owners.

Accept risk? How about eliminate risk? Therein lies the rub. Risk can never be zero. It is all about your specific risk appetite that guides the development of the specific cybersecurity program for your firm, your institution, or your country.

Getting in touch with your inner risk acceptance is not enough. We need to understand what we are protecting – our assets. What are they, exactly? What is their value? How long can we be without them?  How fast do we need to recover? Questions like these help us develop the business impact analysis, unit-by-unit, department-by-department, and ultimately company-wide, or country-wide.

What are we protecting these assets from? What are the threats? Who’s out to get you? Why? In this step, we ask all sorts of questions like these to help us develop our threat and risk assessment. These questions have very different answers when you are a law firm, a hospital, a school, or a municipality. And, yes, of course size matters. A multinational concern has a very different risk register than the local bakery. But, don’t think for a minute that your baguette is not at risk.

Armed with all this due diligence, we can take the next step: develop a defense-in-depth cybersecurity strategy that deploys a range of preventive, detective, corrective and compensating controls. Not surprisingly, ISACA’s State of Cyber survey reveals that active defense strategies are highly effective (according to the 87% of respondents who use them), but they are not used widely enough, with 40% of respondents saying they are not familiar with active defense strategies.

barriersISACA’s State of Cyber report 2018

Once we take that next step in a implementing a defense-in-depth cybersecurity strategy, the real fun begins. We need to engage our people in frequent cybersecurity awareness training, we need to develop our incident response plans, we need to train our teams, and practice, practice, practice! Only then can we begin to sleep somewhat easier knowing that we’ve exercised our due care and that we’re prepared to respond to any attack. Only then can we begin to “live” cybersecure.

Author’s note: I am honored to present “Challenges in Cybersecurity Program Development” at ISACA’s 2018 CSX Europe conference, to take place 29-31 October in London. The session is specifically designed for business executives who need to understand how to complete the handshake with cybersecurity professionals, understand what they need to know to be successful, devoid of techno-jargon-speak, and develop a pragmatic approach for their cybersecurity program. The presentation will be based on my recent book “Cybersecurity Program Development for Business: The Essential Planning Guide”(Wiley 2018).