|
CEO, Enterprise Architect, Strategist, Adjunct Prof.
|
- Apr 30, 201638 views
Cyber security or the lack thereof has topped the agenda, in many surveys, from Government leaders to CEOs to CIOs to a humble consumer. It is often treated as a technology issue or an IT problem but its recognition as a corporate threat and associated risks and responsibility goes all the way to the top. Often, it is everybody’s problem, but nobody seems responsible.
Here are 9 steps the business and IT leaders, at all levels, need to follow to fulfil cyber security related obligations, duties and responsibilities.
1. Clearly understand how to protect an organization’s assets from cyber-attacks.
Given the damaging nature of cyber-security, it is foremost critical to understand it fully and implement appropriate protections for organisations assets. Learn from mistakes, us and others have committed and harden the assets within and outside the enterprise from that experience. Cyber Intelligence takes this awareness and action a step further to predict and manage cyber threats. Invest in it.
2. Understand reputation, legal and regulatory risks associated with cyber security breaches.
As we have seen from notorious attacks on many well known corporations, business reputation damage is the major fall-out from cyber attacks. Rightly so. Who can trust the business where your private data as customers and partners are open to criminal manipulations?
Increasingly, immediate reputational damage, even if well managed, fall further foul of legal and regulatory risks, attracting major enquiries and penalties from governmental agencies, industry watch-dogs and stakeholder groups.
3. Identify cyber security as an important requirement of enterprise risk management and governance framework.
Often, cyber-security is an afterthought, a result of an attack or panic caused by a regulatory compulsion. Leaders need to identify cyber-security as a critical business requirement, an integral part of Governance, Risk and Compliance management process. Business Architects need to include cyber-security as integral requirement of building business/operating models and capabilities. Given the rapid push in digital transformations and associated business process changes, cyber security needs to be part of its design and not a bolt-on fix.
4. Include cyber security in the CEO’s risk management objectives and performance goals. Do not just delegate responsibility to the CIOs.
Cyber security needs to be part of the corporate strategy and the structure, to be an effective protection. The culture needs to reflect this change. The best way to make this possible is to include cyber-security as part of CEO’s risk management objective and performance goals. If not, it gets pushed down to technology, to CIO and eventually to some IT security analyst. KPIs do get percolated down, but the Board and CEOs need to own this as part of their performance goals.
5. Gain a good understanding of the organization’s action plans in the event of major cyber-attacks and disruption of business services. Put these plans to the test at least twice a year.
Once top-down KPIs are clear, the Action Plans for attack prediction and recovery falls into place. Plans need to be tested at least twice a year as part of business continuity.
6. Ensure all cyber security breaches (no matter how small) are reported to the board of directors with a full explanation of actions taken.
In spite of preparedness, attacks do occur as cyber criminals become more sophisticated and more unpredictable. Thus an ongoing breach escalation and management is critical to ensure senior leaders right up to board of directors and Chair persons are aware of the problem and solutions. This helps ongoing corporate wide learning and evolution.
7. Leverage internal audit and external audit functions to review cyber security.
Just as audit and control functions are regular and common for various processes, they must be applied to cyber-security as well. This cyber auditors, both internal and external need to bring the latest assessments to strengthen corporate assets.
8. Use independent, external expertise to provide advice and guidance to CXOs about cyber security and technology governance matters.
CXOs and the Board of Directors need twice a year update on cyber-security, from threats levels, intelligence to protection and plans. These are critical governance matters that CXOs need to keep up-to-date, so they can invest in right strategies and capabilities. This sends a strong message to all the stakeholders and threat-actors that the corporation is serious about cyber-security and its assets and people are well protected.
9. Educate all stakeholders on cyber security awareness and action
Prime all the stakeholders, internal and external, connecting to the enterprise on the cyber security preparedness, precautions, plans, procedures and alerts. Given the agility and scale of these attacks, a system of quick alertness and action is vital to seal any cracks. Learn and keep strengthening the defences.
I wish to acknowledge seminars and articles by The Australian Institute of Company Directors (AICD) on Cyber Security. I’m a member of AICD.