Tuesday, March 24, 2015

Does cybersecurity start in the corner office?

While the buck stops at the CEO's desk, are they really the ones who should be driving corporate cybersecurity? Today, since the damage caused by a cyber breach rivals that of a terrible business decision, it only makes sense that the C-suite should be fully invested in corporate cybersecurity.

The only thing keeping pace with the increase in security threats is the cost of a data breach. A Ponemon Institute study for IBM showed the average cost of each stolen record rising 15% from 2013 to 2014. In the US, the cost per record was about $200, and US companies lead the world in the number of records stolen, with an average of 29,000 records per incident. Do the math, and remember that these are averages. It can be worse -- think Target. These are events that impact the bottom line and get the attention of investors.

So how does a CEO get involved? The US Department of Homeland Security published five questions every CEO should ask about their cybersecurity risk:

  1. How is our executive leadership informed about the current level and business impact of cyber risks to our company?
  2. What is the current level and business impact of cyber risks to our company? What is our plan to address identified risks?
  3. How does our cybersecurity program apply industry standards and best practices?
  4. How many and what types of cyber incidents do we detect in a normal week? What is the threshold for notifying our executive leadership?
  5. How comprehensive is our cyber incident response plan? How often is it tested?

In addition to a number of suggestions about elevating cybersecurity risk assessment and planning to a level that receives C-suite oversight, Homeland Security stresses implementing industry standards and best practices, but not relying on compliance alone.

As security consultant George Grachis puts it: "Compliance is backward-looking and static, and security is forward-looking, dynamic, and intelligent. Compliance is the foundation for security; it's the minimum."

Finally, along with the buck stopping with the CEO, they can also start a corporate culture of cyber awareness. The June 2014 CIP Report from the Center for Infrastructure Protection and Homeland Security at George Mason University summarized the CEO's role as internal cybersecurity champion:

"To be successful in the quickly changing cyber landscape, a CEO should have ongoing dialogue with staff about cybersecurity. CEOs must ensure that the company culture internalizes the potential for harm to the enterprise posed by data breaches, compromise, or theft of intellectual property through cyber means. Further, employees must recognize the role of access controls, social media policy, and business partners in maintaining cybersecurity. A CEO should consider what policies, awareness efforts, and training would help the company with its cyber efforts. Employees also need to know that the CEO expects employees to implement and follow the policies and practices in the workplace regarding internet hygiene and safety."

ABOUT UPLOGIX

Uplogix is a key component of managing a secure network infrastructure. A secure appliance, certified to the FIPS 140-2 Level 2 standard, Uplogix provides secure remote access and enforcement of IT policies whether the network is up or down. Deployed in networks from Wall Street to battlefields, as well as in retail locations on Main Street, Uplogix locks down console access to network devices and provides secure access and automation for remote management.

Read more at uplogix.com