[BreachExchange] Identifying Cyber Risks: The Important Role of Senior Management

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 2 19:54:12 EDT 2016


http://www.tripwire.com/state-of-security/risk-based-security-for-executives/risk-management/identifying-cyber-risks-the-important-role-of-senior-management/

It is becoming more and more evident that cybersecurity is one of the focal
points regarding security risks in the twenty-first century for all
organisations.

It is understandable that almost every organisation which has access to any
kind of computing device will be at risk and will probably experience
harmful cyber incidents. Hackers, whether acting individually or as part of
state-sponsored cyber-attacks, are increasingly finding ever more creative
methods to bring cyber mayhem. This is ever more likely with the expansion
of mobile devices and the evolution of computing capabilities through the
introduction of advanced technologies such as the Internet of Things, cloud
computing and big data.

This brings risk management to the top of the agenda in large organisations.

We know that the goal of risk management is to maximise the output of the
organisation that includes services, products, revenue, and so on, while
minimising the risk for unanticipated results.

Information security and cyber security programs are successful if they are
strategically aligned with organisations’ risk management strategies.
Senior executives should recognise these dependencies and plan adequately
for cyber threats.

However, based on the “Cyber Security Breaches Survey, 2016,” cyber
security, which should be part of the broader risk management strategy, is
regarded as a priority for senior managers in only 69% of businesses.
Therefore, 31% of them do not even recognise cyber security as a priority.

The other main problem identified by this report was that only 51% of
companies have taken the recommended actions to identify cyber risk.

The accountability lies with senior management.

The senior management team has a broad and clear view of the organisation's
strategic planning. Therefore, they are the only people who can effectively
address and manage complex cyber security threats. But this requires
ongoing collaboration, clear communication channels and adequate security
awareness on the part of the senior management team. Major information
security risk factors may be left unchecked without coordinated oversight by
the senior management team and the rest of the organisation.

The importance of such close cooperation becomes even more critical if an
enterprise does business globally. There are various forces beyond the
control of the senior management team which make it impossible to deal with
the threats of cyber space using traditional risk management. Dealing with
them requires agility and depends heavily on senior management involvement
backed by clear security awareness.

Organisations can and should build a strong security awareness foundation
that is able to provide adequate cyber resilience. The senior management
team should also evaluate threat trajectories from a position of risk
profiling and business acceptability. This leads organisations to a position
in which they can address cyber hygiene, cyber resilience and cyber warfare,
all of which affect organisations as well as governments.

It can be concluded that the senior management team is not only responsible
for establishing the risk framework that will be used to define risk
assumptions, risk constraints, risk tolerances, and risk priorities; it has a
greater responsibility beyond the risk framework. It must be fully engaged
with all aspects of cyber risk factors and with the establishment of clear,
coordinated efforts within the organisation and all of its internal
components.

In addition, creating an environment of security awareness and creating
clear communication channels should also be considered.