Thursday, 11 June 2015

3 Roles for the Board in Corporate Cybersecurity

Many organizations say it’s a struggle to contain cyberattacks and nearly impossible to prevent them due to the constantly evolving nature of cyberthreats. President Barack Obama identified cybersecurity as a top issue in his 2015 State of the Union address, and it’s quickly becoming a top priority for corporate boards, too.

Given the significant impact a breach can have on the overall business, cybersecurity threats are not simply an information technology (IT) challenge. The advent of new technologies and an ecosystem of digital interconnectedness significantly increase a company’s exposure to theft of its most valuable assets—which can include confidential customer data and vital information, such as intellectual property or corporate strategy.

A cyberattack can erode a company’s competitive advantage, shareholder value and reputation. EY, where I work, houses the EY Center for Board Matters, which focuses on identifying trends and emerging corporate governance issues. The center has found that boards are starting to take note of this new risk—particularly members of the audit committee, who increasingly list cybersecurity among their top concerns and as a business imperative.

So what should boards do?

First, keep cybersecurity “top of mind” at their companies and incorporate it as part of the overall corporate governance. A new report from our center explores how boards can help take cybersecurity out of the silos of the IT department. They can help shape a mindset that cybersecurity is a business imperative that is fundamental to the business strategy and operations—and therefore a risk that requires an enterprise-wide response. Boards can accomplish this by regularly discussing cybersecurity risks in the boardroom and actively overseeing cybersecurity strategy, planning and execution.

It starts with knowing where the threats originate and creating a framework for evaluating and prioritizing each risk. This process will help corporate boards set the tone for enhancing cybersecurity and determine oversight responsibility, while giving organizations the appropriate flexibility to embrace the power of technology.

1. Prepare the Company To Be in a Proactive State of Readiness

A company’s board can help its organization move to a state of readiness against cyberthreats by fostering an environment in which cyberthreats are anticipated and proactively addressed. Since companies likely will never be able to prevent every cyberattack, the best alternative is to prepare in advance with a well-integrated response plan for managing these incidents. Boards should encourage management to have a well-established response plan in place for potential cyberbreaches. Boards can also consider hiring external experts to review the company’s cybersecurity plans and benchmark them against those of comparable companies.

Many boards proactively foster relationships with government agencies such as the U.S. Department of Homeland Security, the U.S. Department of Justice and the Federal Bureau of Investigation before a crisis. These boards strive to thoroughly understand and address the risks facing the company. Companies can develop protective controls and rehearse crisis response by studying other organizations’ breaches and collecting information about them. Companies also can leverage forensic data analytics, cyberthreat intelligence and other tools to help get ahead of threats.

2. Instill a Culture of Monitoring and Accountability

Boards are encouraged to engage in the oversight of cybersecurity programs and to provide a heightened level of accountability around performance measurements relating to cybersecurity. To increase the effectiveness of board oversight, board members can actively monitor metrics such as the number, nature and extent of cyberbreaches and establish benchmarks for these measures within their organizations. Determining benchmarks will allow boards to assess whether responses were swift and successful, and will further help them assess whether identified gaps are tolerable.

Establishing metrics to monitor cyberthreats and responses will help the board determine whether management is addressing risks appropriately and in a timely manner, and will further help the board define future cyber-related priorities and actions.

3. Confirm Appropriate Resource Allocation

Given the prominence of cyberrisk, organizations need to confirm there is appropriate resource allocation commensurate with the risk. Despite the greater risk and the recent attention cybercrime has garnered, this has not resulted in additional funding to address the problem. According to EY’s “Global Information Security Survey 2014,” 43 percent of respondents noted their organization’s total information security budget would stay about the same in the coming year, while another 4 percent noted their budget would actually decrease.

Board members should confirm that appropriate investments and resources are allocated to IT infrastructure to address known and emerging risks. Because technology transcends and impacts all departments, boards should address whether management’s cybersecurity plan incorporates a cross-functional team involving business leaders of all key departments—such as IT, finance, legal, internal audit and human resources. Involving the legal department at the outset is crucial to ensuring that all legal and regulatory aspects associated with cybersecurity risk are appropriately addressed.

Not only are cyberthreats growing, but often organizations are not able to quickly respond to known vulnerabilities in their cyberdefenses. Accordingly, the foundation of information security will need to continuously evolve and adapt, keeping pace with the changing business environments. Additionally, with a host of cybersecurity, data security and related privacy legislation currently contemplated by Congress, general counsel and board members will need to ensure that they maintain and improve their situational awareness around cybersecurity.

The goalposts keep moving, so companies and their boards need to cope with a never-ending cycle of improvement and re-evaluation of cyberrisks. Accordingly, board members should work to redefine cybergovernance and confirm that cybersecurity risks are not managed separately, but rather integrated as another important business component to be managed and mitigated like all other enterprise risks.

Ruby Sharma, principal at Ernst & Young, has 20 years of experience working with management and boards. She engages with and assists corporate boards and audit committees on a broad range of governance topics, including composition and structure, self-assessments, charter formation and agendas. She encourages and facilitates the exchange of information about business issues and risks, and she supports corporate boards in their oversight role. Her experience also includes providing assistance to boards and management on financial statement accounting practices and procedures, internal corporate investigations, white-collar fraud, damage assessments and contract disputes. Sharma is on the board of the Princeton HealthCare System and is chair of its audit committee.

View the original content and more from this author here: http://ift.tt/1FUbGFW

from cyber security caucus http://ift.tt/1FUbGFY