Understanding cyber-risks means knowing what questions to ask


October 20 2008


A good place for senior executives to start in trying to understand their companies' financial exposure to cyberthreats is by getting an overall assessment — not just from IT, but also from business units and corporate operations such as the human resources, legal and public relations departments.


That piece of advice is contained in an information guide that the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) jointly released today in an effort to help high-level execs prepare for the financial implications of possible cyberattacks.

But as fundamental as that notion might seem, the guide says that the continued failure of chief financial officers and other corporate executives to gather a multidimensional view of IT security threats often leaves companies dangerously unprepared for the sometimes staggering costs that can result when their systems are attacked.

The 40-page guide was put together by a task force of risk management executives from more than two dozen organizations, including Carnegie Mellon University, IBM, insurers American International Group (AIG) and State Farm Insurance, defense contractor Lockheed Martin and consulting firms Booz Allen Hamilton and KPMG. The document lists 50 questions that CFOs and other executives should be asking the leaders of various internal groups, according to ANSI and the ISA.

The questions are designed to elicit information that can help provide a more holistic picture of a company's exposure to security threats, and the potential costs of either ignoring or mitigating those threats, said Ty Sagalow, president of product development at AIG's general insurance group.

Sagalow, who led a series of workshops that resulted in the new guide, said a lesson that the participants quickly learned during the sessions was that "cybersecurity, which has been traditionally viewed by some companies as an IT issue, is not just an IT issue." Nor, he added, is it purely a legal or PR issue.

As for the possibility that some IT managers could view increased involvement in security matters by other departments as encroaching on their turf, Sagalow and other members of the task force said they don't expect that to be a problem. Many IT departments already recognize that they're only part of the solution to cybersecurity issues, said Edward Stull, a software architect at Direct Computer Resources Inc. and chairman of an IT security best-practices group for the InterNational Committee on Information Technology Standards.

According to Sagalow, this is the first time that an effort is being made to provide CFOs, who ultimately have to sign the checks for security investments, with a means for better understanding the financial ramifications of cyberthreats.

But the broader issue of finding a way to more reliably quantify the risks posed by cyberattacks isn't new. For years, companies have been using various models and metrics to try to determine how effective their security controls are and how much they should spend to guard against attacks.

Most of the existing efforts are geared toward giving security managers new tools that can better estimate and justify the costs of implementing IT and process controls. In the past, other initiatives have taken a stab at developing risk prediction models that insurance companies, for instance, could use in underwriting cyberinsurance policies.

The new guide being offered by ANSI and the ISA recommends that CFOs ask their technology team questions about the biggest threats to data confidentiality, integrity and availability, and the controls that are in place to protect against those threats.

Similarly, security-related questions about business continuity and recoverability need to be asked of business managers, the guide says. And internal compliance officers should be asked for information on industry or government regulations that their companies are required to comply with as well as internal data collection, retention and destruction practices and the penalties for failing to comply with them.

In addition, CFOs should ask corporate legal counsels about the exposure of their companies to shareholder lawsuits and other legal actions stemming from data breaches, and they should request information about the laws governing the company's data use policies, according to the guide. In the same manner, the document advises that crisis management and PR teams be queried on issues such as the existence of a crisis communications plan and the financial implications of delaying or mishandling breach notifications.

An analysis of such information can help CFOs put the risks associated with cyberthreats into monetary terms, Sagalow said. He noted that companies have all sorts of tools and methodologies for measuring the financial risks associated with events such as floods, fires, storms and even employee defections. But they don't have a framework for evaluating the risks posed by security threats, he said, adding that such a framework is vital because of the escalating costs associated with cyberattacks.

Larry Clinton, the ISA's president, said the goal of putting the guide together was to give CFOs a tool for better estimating the potential costs of attacks. That information, he said, can help move the "locus of control" for cybersecurity from the CIO and chief information security officer to the CFO.

"Businesses make decisions based on their financial self-interest," Clinton said. "Unless we're properly appreciating the financial impact and risk associated with cyberattacks, we're not going to properly manage them."

And getting CFOs more involved in security matters may not be a bad thing for IT departments, according to Clinton. Many are underfunded now, he said, adding that increased attention from the CFO could result in more funding and a heightened focus on IT needs.


 

Reproduced from an article published by ComputerWorld
© ComputerWorld

The original article can be viewed here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&art...
