As we have witnessed in the last few years, the cost of cyber threats has grown into a substantial risk that all organizations face. According to Forbes, the cost of cybercrime is projected to reach $2 trillion globally by 2019. Attempting to mitigate cyber risk through anti-virus software and other turnkey solutions alone has proven inadequate against today’s threats.
In the past, risk mitigation could be achieved by employing a single dedicated department. That is no longer the case. Executive management and the Board of Directors (“BOD”) must collaborate with Information Technology (“IT”) personnel to develop a dynamic plan that considers both current and future threats. The scope of the plan should not be weighted disproportionately toward the financial goals of the company; it should be aligned with the organization’s business or mission objectives, regulatory requirements, and threat environment.
On February 12, 2014, the National Institute of Standards and Technology (“NIST”) released the Framework for Improving Critical Infrastructure Cybersecurity. This voluntary guidance should serve as a roadmap for the Chief Financial Officer (“CFO”) when recommending a robust cybersecurity IT plan. The NIST Framework defines four implementation tiers that provide context on how an organization views cybersecurity risk and the effort it makes to mitigate those risks.
Tier 1: Partial
- Risk Management Process – Organizational cybersecurity risk management practices are not formalized, and risk is managed in an ad hoc and sometimes reactive manner. Prioritization of cybersecurity activities may not be directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
- Integrated Risk Management Program – There is limited awareness of cybersecurity risk at the organizational level and an organization-wide approach to managing cybersecurity risk has not been established. The organization implements cybersecurity risk management on an irregular, case-by-case basis due to varied experience or information gained from outside sources. The organization may not have processes that enable cybersecurity information to be shared within the organization.
- External Participation – An organization may not have the processes in place to participate in coordination or collaboration with other entities.
Tier 2: Risk Informed
- Risk Management Process – Risk management practices are approved by management but may not be established as organizational-wide policy. Prioritization of cybersecurity activities is directly informed by organizational risk objectives, the threat environment, or business/mission requirements.
- Integrated Risk Management Program – There is an awareness of cybersecurity risk at the organizational level but an organization-wide approach to managing cybersecurity risk has not been established. Risk-informed, management-approved processes and procedures are defined and implemented, and staff has adequate resources to perform their cybersecurity duties. Cybersecurity information is shared within the organization on an informal basis.
- External Participation – The organization knows its role in the larger ecosystem, but has not formalized its capabilities to interact and share information externally.
Tier 3: Repeatable
- Risk Management Process – The organization’s risk management practices are formally approved and expressed as policy. Organizational cybersecurity practices are regularly updated based on the application of risk management processes to changes in business/mission requirements and a changing threat and technology landscape.
- Integrated Risk Management Program – There is an organization-wide approach to manage cybersecurity risk. Risk-informed policies, processes, and procedures are defined, implemented as intended, and reviewed. Consistent methods are in place to respond effectively to changes in risk. Personnel possess the knowledge and skills to perform their appointed roles and responsibilities.
- External Participation – The organization understands its dependencies and partners and receives information from these partners that enables collaboration and risk-based management decisions within the organization in response to events.
Tier 4: Adaptive
- Risk Management Process – The organization adapts its cybersecurity practices based on lessons learned and predictive indicators derived from previous and current cybersecurity activities. Through a process of continuous improvement incorporating advanced cybersecurity technologies and practices, the organization actively adapts to a changing cybersecurity landscape and responds to evolving and sophisticated threats in a timely manner.
- Integrated Risk Management Program – There is an organization-wide approach to managing cybersecurity risk that uses risk-informed policies, processes, and procedures to address potential cybersecurity events. Cybersecurity risk management is part of the organizational culture and evolves from an awareness of previous activities, information shared by other sources, and continuous awareness of activities on their systems and networks.
- External Participation – The organization manages risk and actively shares information with partners to ensure that accurate, current information is being distributed and consumed to improve cybersecurity before a cybersecurity event occurs.
Once an initial tier has been selected, the CFO and the Chief Information Officer (“CIO”) should collaborate frequently to determine whether the initially selected tier is sufficient, based upon the achievement of the organization’s target profile. The decision to progress to a higher tier should only be made if the change would reduce the organization’s risk and would be cost-effective. As a result, justifying the progression to the BOD may be difficult, especially if the current tier appears to be providing the security necessary to meet the organization’s goals. By drawing on the expertise of the CFO, who understands the financial implications of a breach, and of the CIO, who can provide valuable insight based upon observations within the organization and trends occurring within the industry, a business case can be presented to the BOD that addresses the risks, costs, and benefits.
The damage that occurs as a result of a cyber-attack is often embarrassing and in many cases could have been prevented if the proper precautions had been taken. Performing a risk assessment is not only considered a best practice; in many cases it is a required step to meet compliance obligations. Placing emphasis on strategic risks focuses attention on the risks that can have the largest impact on the organization’s value, well-being, and reputation.
For more information, please contact a member of the Whitley Penn Risk Advisory Services Team.