[BreachExchange] How much security is enough?

Mon May 16 18:35:57 EDT 2016

http://fedscoop.com/how-much-security-is-enough

Not long ago, a chief risk officer might often have felt like a salmon
swimming upstream. Also known, tongue in cheek, as “business prevention
officers,” CROs for many years may have been relegated to the sidelines,
their advice lost in the press of doing business, University of Maryland
business professor Clifford Rossi wrote in American Banker.

But large-scale “black swan” events in recent years demonstrated to
organizations the perils of leaping after business capital without first
taking a long, hard look at risk. As a result, CROs have gained enormously
in respect and prestige, no longer seen as “business preventers” but as
“business protectors” who are essential to success.

The risk profession has come into its own. A number of organizations have
increased their risk-management budgets, some by as much as 100 percent,
including raising CROs’ pay. CROs have gained influence, as well. More have
a seat on their institution’s board of directors, and many now report
directly to a C-level executive, the Wall Street Journal reported.

Ditto for the CISO?

The chief information security officer may be on a similar path.

Cybersecurity has often been regarded as an IT problem — with a price tag
that can make executives cringe. CISOs’ warnings of system vulnerabilities
sometimes do not even get reported, as their superiors — often, the CIO —
may be reluctant to request the funds needed for a fix, according to a
Business Insider report.

Large-scale data breaches of recent years have shown business leaders the
dangers of turning a blind eye to cyber. Security can be expensive, but the
alternative may be worse: Estimates place the costs to business of
cyberattacks at upwards of $500 million a year, Forbes reported in 2013.
The reputational toll may be high, as well.

And a major reason for weak security, one study shows, is a lack of funding.

As a result, Forbes reported, organizations large and small are upping the
cybersecurity ante, with some major banks investing hundreds of millions of
dollars this year, even doubling expenditures in some cases.

But is spending money enough? Some say increasing the cyber budget is a
good first step, but protecting our systems requires systemic change.
Organizations do need great security and IT staff and top-notch
cybersecurity tools, but they also need comprehensive risk-management
strategies devised, and implemented, at the board level, according to
Cyberpolicy Magazine.

For a truly effective security program, CISOs must discuss the
organization’s security posture openly, honestly and regularly with the
board, a recent book on cybersecurity asserts. After years of debate, the
time may have come for CISOs to join their boards of directors — as chief
risk officers started doing when risk management was deemed crucial to
business success.

Giving CISOs a seat on the board would almost certainly help the C-suite
keep current on ever-changing cybersecurity challenges and solutions, and
improve organizational resiliency and response should threats or breaches
occur.

Some suggest that reporting hierarchies ought to change, as well, so that
the CISO reports directly to the CEO — something that happens now only 22
percent of the time, according to the Governance of Cybersecurity 2015
Report from the Georgia Tech Information Security Center.

Engaging the CISO at the highest levels may reap many benefits for an
organization, including a more productive, collaborative approach to
security — so that, rather than having a lone-salmon CISO fighting against
the current, organizations and their security teams work more like a school
of fish swimming in sync, moving with the flow, toward common goals.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160516/7d108748/attachment.html>