SlideShare une entreprise Scribd logo

AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016

Ben Browning
Ben Browning
1  sur  4
Télécharger pour lire hors ligne
1 INSIGHT Information Management March 2016 Cybersecurity and Risk Management: Lead from the C-suite Today’s increasing reliance on information technology and industrial control systems in both the private and public sectors means cybersecurity risks must be addressed like any other business risk—and integrated into an enterprise-wide risk management framework. Many top management teams still view cybersecurity as too technical an issue to manage at the executive level, but it’s more vital than ever that procedures for handling such concerns get incorporated into an overall risk management regime. It’s more than a question of semantics. Enterprise risk management frameworks fit different standards and definitions as stipulated by international certification bodies and national regulators for dealing with a vast array of legal, compliance, and international certification issues. Those frameworks, standards, and definitions in turn affect how litigation, insurance, and organizational liability get determined. Most important is the fact that organizations that apply globally recognized enterprise risk management standards and practices to cybersecurity issues are offering their clients and customers the most thorough level of protection—one that reflects best practices. The scope of cyber risk management and best practices has evolved beyond mere ‘prevention’ of cyberrisks; it now encompasses responsibility for the detection of and the capability to respond to cybersecurity incidents. And that detection and that response require a more nuanced approach to risk management. Every company in a connected world faces threats that can imperil the very lifebloods of a modern business: its data and its brand. And the constant increase in cyberattacks means it’s not a matter of whether one occurs. One will definitely occur—sooner or later. A company’s response to making cybersecurity preparations has implications for the entire organization. Top management must be fully engaged so as to make proper use of the people, process, and technology controls that address the threats while incorporating the goal of protection into the business’s overall aims. Several models of effective cybersecurity risk governance plans are available that can fulfill the requirements of effective overall enterprise risk management. Certain guidelines help do that effectively by addressing cybersecurity issues from preventive, detective, and reactive perspectives, thereby forming a well-defined first line of cyberdefense. That first line of cyberdefense includes the establishment and implementation of access controls, a security operations center, security incident management processes, and vulnerability assessments and penetration tests. Those things are usually put in place and managed by a team of people with cybersecurity technical backgrounds. In most cases, a cybersecurity operations team reports to the chief information officer, chief technology officer, or IT department. A cybersecurity management team of people with backgrounds in business cybersecurity is required in order to provide the second line of cyberdefense. It monitors the effectiveness of the technical controls the operations team has implemented, and it makes sure the company satisfies regulatory requirements while managing cybersecurity risks. Cybersecurity risks have caused concern ever since 1969, when the first nodes of data were transmitted through the precursor to the World Wide Web. The World Economic Forum1 now ranks those risks as the fifth-greatest threat to global stability—bested only by war, drought, climate change, and widespread unemployment. The relentless evolution of cybersecurity threats should prompt corporate leaders to deal with them from the C-suite rather than leaving their risk management to the information technology (IT) department. 1 World Economic Forum, The Global Risks Landscape 2015,” accessed January 20, 2016, http://reports.weforum.org/global-risks-2015/#frame/20ad6.
2 INSIGHT  |  Cybersecurity and Risk Management: Lead from the C-suite The cybersecurity management team must be distinct from the team responsible for the aforementioned technical activities. In some cases, it’s better when the two functions do not share the same reporting chain. That’s because specifying that only one of them is to report to the chief information officer inculcates cybersecurity responsibility through a wider swath of top management and avoids potential conflicts of interest. An enterprise risk management framework gives greater legal and regulatory protection, but it’s not a cure-all for the ever– expanding range of cyberthreats. Assessing the likelihood of cybersecurity risks is inherently difficult because available historical data on cybersecurity incidents is limited, because detected incidents represent only a small portion of those that actually occur, and because technical vulnerabilities are always on the increase. In general, it’s safe to assume the risk is about 20% greater than what can be observed. There are several models of cybersecurity risk governance plans that can reach throughout a business. Even though none are perfect, their differences reflect variations in company size, in the number of people involved, and in the cost of implementing a regime that follows the enterprise risk model. FIGURE 1: Cybersecurity management and operations within IT Infrastructure CEO Board Risk Management IT Internal Audit Application Support Application Development Cybersecurity Management and Operations Small and medium–size enterprises generally follow a model that makes no distinction between cybersecurity management and operations (figure 1). Although a commonly used model, it sometimes prevents a deep–rooted cybersecurity and risk management focus throughout the entire business. Pro Cons Fewer resources required because it’s only one team Violates the segregation principle, meaning that cybersecurity is in the hands of the same people who must define, implement, and assess the organizational risk controls Enables close management of cybersecurity risks related to IT assets Top management lacks visibility on cybersecurity risks. Makes it difficult to create a business case, limits internal investment, and eventually increases overall exposure to cybersecurity risks Lack of integration between cybersecurity risks and other enterprise risks Governance of cybersecurity risks limited to IT assets No enforcement authority or ability to collaborate with other business units FIGURE 2: Cybersecurity management segregated from operations but within IT Cybersecurity Management CEO Board Risk Management IT Internal Audit Application Support Application Development Cybersecurity Operations Infrastructure In this scenario, the cybersecurity management team and the cybersecurity operations team are separate, but both of them report to the IT manager (figure 2). That structure can help with the technical aspects of risk management, but it might not give top management enough visibility about cybersecurity risks— and those cybersecurity risks may not be considered in alignment with other business risks. Pro Cons Keeps governance and operations separate, enabling more-effective management of cybersecurity risks No board and top management awareness of cybersecurity risks, limits internal investment, and eventually increases overall risk exposure Good management of cybersecurity risks related to IT assets Lack of integration between cybersecurity risks and other enterprise risks Governance of cybersecurity risks limited to IT assets Limited authority to enforce risk protocols or to collaborate with other business units
3 INSIGHT  |  Cybersecurity and Risk Management: Lead from the C-suite FIGURE 3: Cybersecurity management within risk management Infrastructure Cybersecurity Management CEO Board Risk Management IT Internal Audit Application Support Application Development Cybersecurity Operations In this scenario, the cybersecurity management team and the cybersecurity operations team are completely segregated—both operationally and in their reporting chains (figure 3). Most likely, cybersecurity risks have been integrated into the overall enterprise risk management framework. In some cases, the cybersecurity management team will be installed within risk management. Pro Cons Separate governance and operations enables more-effective management of cybersecurity risks Limited board and top management awareness of cybersecurity risks Balanced management of cybersecurity risks between IT and non-IT assets Limited authority to enforce risk protocols or to collaborate with other business units Integrates cybersecurity risks and other enterprise risks FIGURE 4: Cybersecurity management reporting to the CEO Application Development Infrastructure Cybersecurity Management CEO Board Risk Management IT Internal Audit Application Support Cybersecurity Operations In this scenario, the cybersecurity governance team reports directly to the CEO, with a dotted line reporting to internal audit (figure 4). Pro Cons Top management fully aware of cybersecurity risks Lack of integration between cybersecurity risks and other enterprise risks Separate governance and operations enable more-effective management of cybersecurity risks Balanced management of cybersecurity risks between IT and non-IT assets Authority to enforce risk protocols or to collaborate with other business units Organizing the governance of cybersecurity risks would likely require variations on these frameworks to suit individual companies. In that same vein, following are guidelines for defining a medium–term cybersecurity road map with the appropriate budget. A company must prepare a list of initiatives that explain how to reduce risk within the risk appetite limits defined by the enterprise risk management framework. Here are some essential steps to follow: }} Define and quantify the required investment. This is the money required to buy hardware, software, or services needed. It may be divided into operating expenses and capital expenditures. }} Determine the level of effort required. This is the number of man-hours required of internal employees to implement the plan. The number might be divided between the cybersecurity operations team, IT personnel, business lines, and, eventually, external service providers. }} Describe the desired risk reduction. This is a description of the intended extent of risk reduction. }} Set the elapsed time for accomplishment. This is the amount of high-level-management time required to deliver the initiative. A cost–benefit analysis, performed possibly by using a data visualization tool, can demonstrate the cost of each part of the initiative and compare it with its projected benefits. The analysis can lead to a two- or three-year plan that stands as a robust cybersecurity road map for the entire organization. Don’t be surprised to discover that the initiatives with the best cost–benefit ratio come from the people category, because the human factor is typically the weakest link in the cybersecurity chain. Monitoring implementation of the road map Finally, and most important, monitor the implementation of the framework according to the established road map. This can be supported by a business’s internal audit function for achieving consistency and maximum effectiveness. Perform annual risk assessment exercises, and periodically reevaluate the company’s current risk posture. Cybersecurity risks are always evolving, external threats are always broadening, and a business’s vulnerabilities are always changing. But with top management and board involvement as an integral part of the risk management process, companies that apply international enterprise risk management standards to cybersecurity risks acquire a coherent and comprehensive organizational defensive posture for navigating the rapidly evolving, connected business climate.
www.alixpartners.com This article is the property of AlixPartners, and neither the article nor any of its contents may be copied, used, or distributed to any third party without the prior written consent of AlixPartners. The article was prepared by AlixPartners for general information and distribution on a strictly confidential and nonreliance basis. No one in possession of this article may rely on any portion of the article. The article may be based in whole or in part on projections or forecasts of future events. A forecast by its nature is speculative and includes estimates and assumptions that may prove to be wrong. Actual results may and frequently do differ from those projected or forecast. The information in this article reflects conditions and our views as of this date, all of which are subject to change. We undertake no obligation to update or provide any revisions to the article. FOR MORE INFORMATION, CONTACT: Jon Rigby Director jrigby@alixpartners.com +44 (0) 7500 331216 Paolo Borghesi Vice President pborghesi@alixpartners.com +44 (0) 7500 794972 ABOUT ALIXPARTNERS AlixPartners is a leading global business advisory firm of results-oriented professionals who specialize in creating value and restoring performance. We thrive on our ability to make a difference in high-impact situations and deliver sustainable, bottom-line results. The firm’s expertise covers a wide range of businesses and industries whether they are healthy, challenged, or distressed. Since 1981, we have taken a unique, small-team, action- oriented approach to helping corporate boards and management, law firms, investment banks, and investors respond to critical business issues. For more information, visit www.alixpartners.com. AlixPartners. When it really matters. ©2016 AlixPartners, LLP

Recommandé

Risk Management
Risk ManagementRisk Management
Risk Managementijtsrd
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printjames morris
 
Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity ModelCSCJournals
 
Security Best Practices for Small Business
Security Best Practices for Small BusinessSecurity Best Practices for Small Business
Security Best Practices for Small BusinessValiant Technology
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
 
Outsourcing
OutsourcingOutsourcing
Outsourcingkarlhennessy
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Ics white paper report 2017
Ics white paper report 2017Ics white paper report 2017
Ics white paper report 2017Ir. Indin Hasan ST, MT, IPM, ASEAN Eng
 

Recommandé

Risk Management
Risk ManagementRisk Management
Risk Managementijtsrd
 
Bit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printBit defender ebook_secmonitor_print
Bit defender ebook_secmonitor_printjames morris
 
Information Security Maturity Model
Information Security Maturity ModelInformation Security Maturity Model
Information Security Maturity ModelCSCJournals
 
Security Best Practices for Small Business
Security Best Practices for Small BusinessSecurity Best Practices for Small Business
Security Best Practices for Small BusinessValiant Technology
 
SBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesSBIC Report : Transforming Information Security: Future-Proofing Processes
SBIC Report : Transforming Information Security: Future-Proofing ProcessesEMC
 
Outsourcing
OutsourcingOutsourcing
Outsourcingkarlhennessy
 
The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
Ics white paper report 2017
Ics white paper report 2017Ics white paper report 2017
Ics white paper report 2017Ir. Indin Hasan ST, MT, IPM, ASEAN Eng
 
Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 
What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackBooz Allen Hamilton
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overviewelvinchan
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security RisksEnterprise Security Risk Management
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsPaul Feldman
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningKeyaan Williams
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02Pierluigi Falcone, CISSP, CISM, CCSK, SABSA Foundation
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurestorm
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
 
Websense
WebsenseWebsense
WebsenseCMR WORLD TECH
 
Role management
Role managementRole management
Role managementAbidullah Zarghoon
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-FundamentalsGary Hayslip CISSP, CISA, CRISC, CCSK
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectIOSR Journals
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Event security companies in london want www.ieventsecurity.co.uk
Event security companies in london want www.ieventsecurity.co.ukEvent security companies in london want www.ieventsecurity.co.uk
Event security companies in london want www.ieventsecurity.co.ukAhsan Gill
 
Los sistemas neumáticos de envío y su aplicación
Los sistemas neumáticos de envío y su aplicación Los sistemas neumáticos de envío y su aplicación
Los sistemas neumáticos de envío y su aplicación Gabriel Puente
 
Jari litmanen
Jari litmanenJari litmanen
Jari litmanenUrskilehto
 

Contenu connexe

Tendances

Information security governance
Information security governanceInformation security governance
Information security governanceKoen Maris
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Samuel Loomis
 
What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackBooz Allen Hamilton
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overviewelvinchan
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsPaul Feldman
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementDMIMarketing
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesSlideTeam
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningKeyaan Williams
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurestorm
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...festival ICT 2016
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesJack Nichelson
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectIOSR Journals
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSecurestorm
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills
 
Event security companies in london want www.ieventsecurity.co.uk
Event security companies in london want www.ieventsecurity.co.ukEvent security companies in london want www.ieventsecurity.co.uk
Event security companies in london want www.ieventsecurity.co.ukAhsan Gill
 

Tendances (20)

Information security governance
Information security governanceInformation security governance
Information security governance
 
Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016Generic_Sample_incidentresponseplanIRP_ISS_2016
Generic_Sample_incidentresponseplanIRP_ISS_2016
 
What Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target AttackWhat Every CISO Should Learn From the Target Attack
What Every CISO Should Learn From the Target Attack
 
Information Risk Management Overview
Information Risk Management OverviewInformation Risk Management Overview
Information Risk Management Overview
 
Convergence of Security Risks
Convergence of Security RisksConvergence of Security Risks
Convergence of Security Risks
 
Cybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of DirectorsCybersecurity Goverence for Boards of Directors
Cybersecurity Goverence for Boards of Directors
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation SlidesHow To Handle Cybersecurity Risk PowerPoint Presentation Slides
How To Handle Cybersecurity Risk PowerPoint Presentation Slides
 
Risk Management and Security in Strategic Planning
Risk Management and Security in Strategic PlanningRisk Management and Security in Strategic Planning
Risk Management and Security in Strategic Planning
 
CISSPills #3.02
CISSPills #3.02CISSPills #3.02
CISSPills #3.02
 
Security Framework for Digital Risk Managment
Security Framework for Digital Risk ManagmentSecurity Framework for Digital Risk Managment
Security Framework for Digital Risk Managment
 
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
Security Risk Management: ovvero come mitigare e gestire i rischi dei dati at...
 
Websense
WebsenseWebsense
Websense
 
Role management
Role managementRole management
Role management
 
CISO-Fundamentals
CISO-FundamentalsCISO-Fundamentals
CISO-Fundamentals
 
Information Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your VulnerabilitiesInformation Security - Back to Basics - Own Your Vulnerabilities
Information Security - Back to Basics - Own Your Vulnerabilities
 
Information Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and ProspectInformation Security Management System: Emerging Issues and Prospect
Information Security Management System: Emerging Issues and Prospect
 
Simplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game planSimplifying Security for Cloud Adoption - Defining your game plan
Simplifying Security for Cloud Adoption - Defining your game plan
 
Vskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample MaterialVskills Certified Network Security Professional Sample Material
Vskills Certified Network Security Professional Sample Material
 
Event security companies in london want www.ieventsecurity.co.uk
Event security companies in london want www.ieventsecurity.co.ukEvent security companies in london want www.ieventsecurity.co.uk
Event security companies in london want www.ieventsecurity.co.uk
 

En vedette

Los sistemas neumáticos de envío y su aplicación
Los sistemas neumáticos de envío y su aplicación Los sistemas neumáticos de envío y su aplicación
Los sistemas neumáticos de envío y su aplicación Gabriel Puente
 
kelahiran ilmu tauhid degree
kelahiran ilmu tauhid degreekelahiran ilmu tauhid degree
kelahiran ilmu tauhid degreeSalam Salleh
 
Taulukko väestöstä 3
Taulukko väestöstä 3Taulukko väestöstä 3
Taulukko väestöstä 3Urskilehto
 
Genre photo shoot
Genre photo shootGenre photo shoot
Genre photo shootChloe Wenn
 
James Rodriguez
James RodriguezJames Rodriguez
James RodriguezUrskilehto
 
Tugas besar terminal
Tugas besar terminalTugas besar terminal
Tugas besar terminalJuleha Usmad
 
Presentacion power point_mónica_molina_
Presentacion power point_mónica_molina_Presentacion power point_mónica_molina_
Presentacion power point_mónica_molina_Monica Molina Guerrero
 

En vedette (15)

Los sistemas neumáticos de envío y su aplicación
Los sistemas neumáticos de envío y su aplicación Los sistemas neumáticos de envío y su aplicación
Los sistemas neumáticos de envío y su aplicación
 
Jari litmanen
Jari litmanenJari litmanen
Jari litmanen
 
Bandy liiga
Bandy liigaBandy liiga
Bandy liiga
 
K37.103.529 gioi thieu ve firefox
K37.103.529 gioi thieu ve firefoxK37.103.529 gioi thieu ve firefox
K37.103.529 gioi thieu ve firefox
 
kelahiran ilmu tauhid degree
kelahiran ilmu tauhid degreekelahiran ilmu tauhid degree
kelahiran ilmu tauhid degree
 
Chude1_mcmix_nhom29
Chude1_mcmix_nhom29Chude1_mcmix_nhom29
Chude1_mcmix_nhom29
 
Taulukko väestöstä 3
Taulukko väestöstä 3Taulukko väestöstä 3
Taulukko väestöstä 3
 
Genre photo shoot
Genre photo shootGenre photo shoot
Genre photo shoot
 
Runescape
RunescapeRunescape
Runescape
 
James Rodriguez
James RodriguezJames Rodriguez
James Rodriguez
 
Magazines
MagazinesMagazines
Magazines
 
Tugas besar terminal
Tugas besar terminalTugas besar terminal
Tugas besar terminal
 
Jääkiekkoo
JääkiekkooJääkiekkoo
Jääkiekkoo
 
Presentacion power point_mónica_molina_
Presentacion power point_mónica_molina_Presentacion power point_mónica_molina_
Presentacion power point_mónica_molina_
 
Fonts
FontsFonts
Fonts
 

Similaire à AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016

The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guideSergey Erohin
 
future internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docxfuture internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docxgilbertkpeters11344
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
future internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management Frafuture internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management FraDustiBuckner14
 
Future internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fraFuture internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fraarnit1
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityKaryl Scott
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfgokuforhelp
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessAyham Kochaji
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)ishan parikh production
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The Economist Media Businesses
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfHumphrey Humphrey
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10David X Martin
 
111.pptx
111.pptx111.pptx
111.pptxJESUNPK
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseThe Economist Media Businesses
 
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk ApproaDEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk ApproaLinaCovington707
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a ProductVMware Tanzu
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security RisksChris Ross
 

Similaire à AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016 (20)

The security risk management guide
The security risk management guideThe security risk management guide
The security risk management guide
 
future internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docxfuture internetArticleERMOCTAVE A Risk Management Fra.docx
future internetArticleERMOCTAVE A Risk Management Fra.docx
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
future internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management Frafuture internetArticleERMOCTAVE A Risk Management Fra
future internetArticleERMOCTAVE A Risk Management Fra
 
Future internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fraFuture internet articleermoctave a risk management fra
Future internet articleermoctave a risk management fra
 
What CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber SecurityWhat CIOs Need To Tell Their Boards About Cyber Security
What CIOs Need To Tell Their Boards About Cyber Security
 
security-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdfsecurity-team-guide-reducing-operational-risk.pdf
security-team-guide-reducing-operational-risk.pdf
 
ISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochureISACA Cybersecurity Audit course brochure
ISACA Cybersecurity Audit course brochure
 
Cyber Risks - Maligec and Eskins
Cyber Risks - Maligec and EskinsCyber Risks - Maligec and Eskins
Cyber Risks - Maligec and Eskins
 
Integrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-EffectivenessIntegrating-Cyber-Security-for-Increased-Effectiveness
Integrating-Cyber-Security-for-Increased-Effectiveness
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)case studies on risk management in IT enabled organisation(vadodara)
case studies on risk management in IT enabled organisation(vadodara)
 
The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...The cyber-chasm: How the disconnect between the C-suite and security endanger...
The cyber-chasm: How the disconnect between the C-suite and security endanger...
 
Module 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdfModule 2 - Cybersecurity On the Defense.pdf
Module 2 - Cybersecurity On the Defense.pdf
 
For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10For Corporate Boards, a Cyber Security Top 10
For Corporate Boards, a Cyber Security Top 10
 
111.pptx
111.pptx111.pptx
111.pptx
 
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterpriseData security: How a proactive C-suite can reduce cyber-risk for the enterprise
Data security: How a proactive C-suite can reduce cyber-risk for the enterprise
 
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk ApproaDEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
DEPARTMENT CYBERSECURITY What’s Your IT Risk Approa
 
Treating Security Like a Product
Treating Security Like a ProductTreating Security Like a Product
Treating Security Like a Product
 
Assessing and Managing IT Security Risks
Assessing and Managing IT Security RisksAssessing and Managing IT Security Risks
Assessing and Managing IT Security Risks
 

AP_Cybersecurity_and_Risk_Management_Lead_from_the_C-suite_Mar_2016

  • 1. 1 INSIGHT Information Management March 2016 Cybersecurity and Risk Management: Lead from the C-suite Today’s increasing reliance on information technology and industrial control systems in both the private and public sectors means cybersecurity risks must be addressed like any other business risk—and integrated into an enterprise-wide risk management framework. Many top management teams still view cybersecurity as too technical an issue to manage at the executive level, but it’s more vital than ever that procedures for handling such concerns get incorporated into an overall risk management regime. It’s more than a question of semantics. Enterprise risk management frameworks fit different standards and definitions as stipulated by international certification bodies and national regulators for dealing with a vast array of legal, compliance, and international certification issues. Those frameworks, standards, and definitions in turn affect how litigation, insurance, and organizational liability get determined. Most important is the fact that organizations that apply globally recognized enterprise risk management standards and practices to cybersecurity issues are offering their clients and customers the most thorough level of protection—one that reflects best practices. The scope of cyber risk management and best practices has evolved beyond mere ‘prevention’ of cyberrisks; it now encompasses responsibility for the detection of and the capability to respond to cybersecurity incidents. And that detection and that response require a more nuanced approach to risk management. Every company in a connected world faces threats that can imperil the very lifebloods of a modern business: its data and its brand. And the constant increase in cyberattacks means it’s not a matter of whether one occurs. One will definitely occur—sooner or later. A company’s response to making cybersecurity preparations has implications for the entire organization. Top management must be fully engaged so as to make proper use of the people, process, and technology controls that address the threats while incorporating the goal of protection into the business’s overall aims. Several models of effective cybersecurity risk governance plans are available that can fulfill the requirements of effective overall enterprise risk management. Certain guidelines help do that effectively by addressing cybersecurity issues from preventive, detective, and reactive perspectives, thereby forming a well-defined first line of cyberdefense. That first line of cyberdefense includes the establishment and implementation of access controls, a security operations center, security incident management processes, and vulnerability assessments and penetration tests. Those things are usually put in place and managed by a team of people with cybersecurity technical backgrounds. In most cases, a cybersecurity operations team reports to the chief information officer, chief technology officer, or IT department. A cybersecurity management team of people with backgrounds in business cybersecurity is required in order to provide the second line of cyberdefense. It monitors the effectiveness of the technical controls the operations team has implemented, and it makes sure the company satisfies regulatory requirements while managing cybersecurity risks. Cybersecurity risks have caused concern ever since 1969, when the first nodes of data were transmitted through the precursor to the World Wide Web. The World Economic Forum1 now ranks those risks as the fifth-greatest threat to global stability—bested only by war, drought, climate change, and widespread unemployment. The relentless evolution of cybersecurity threats should prompt corporate leaders to deal with them from the C-suite rather than leaving their risk management to the information technology (IT) department. 1 World Economic Forum, The Global Risks Landscape 2015,” accessed January 20, 2016, http://reports.weforum.org/global-risks-2015/#frame/20ad6.
  • 2. 2 INSIGHT  |  Cybersecurity and Risk Management: Lead from the C-suite The cybersecurity management team must be distinct from the team responsible for the aforementioned technical activities. In some cases, it’s better when the two functions do not share the same reporting chain. That’s because specifying that only one of them is to report to the chief information officer inculcates cybersecurity responsibility through a wider swath of top management and avoids potential conflicts of interest. An enterprise risk management framework gives greater legal and regulatory protection, but it’s not a cure-all for the ever– expanding range of cyberthreats. Assessing the likelihood of cybersecurity risks is inherently difficult because available historical data on cybersecurity incidents is limited, because detected incidents represent only a small portion of those that actually occur, and because technical vulnerabilities are always on the increase. In general, it’s safe to assume the risk is about 20% greater than what can be observed. There are several models of cybersecurity risk governance plans that can reach throughout a business. Even though none are perfect, their differences reflect variations in company size, in the number of people involved, and in the cost of implementing a regime that follows the enterprise risk model. FIGURE 1: Cybersecurity management and operations within IT Infrastructure CEO Board Risk Management IT Internal Audit Application Support Application Development Cybersecurity Management and Operations Small and medium–size enterprises generally follow a model that makes no distinction between cybersecurity management and operations (figure 1). Although a commonly used model, it sometimes prevents a deep–rooted cybersecurity and risk management focus throughout the entire business. Pro Cons Fewer resources required because it’s only one team Violates the segregation principle, meaning that cybersecurity is in the hands of the same people who must define, implement, and assess the organizational risk controls Enables close management of cybersecurity risks related to IT assets Top management lacks visibility on cybersecurity risks. Makes it difficult to create a business case, limits internal investment, and eventually increases overall exposure to cybersecurity risks Lack of integration between cybersecurity risks and other enterprise risks Governance of cybersecurity risks limited to IT assets No enforcement authority or ability to collaborate with other business units FIGURE 2: Cybersecurity management segregated from operations but within IT Cybersecurity Management CEO Board Risk Management IT Internal Audit Application Support Application Development Cybersecurity Operations Infrastructure In this scenario, the cybersecurity management team and the cybersecurity operations team are separate, but both of them report to the IT manager (figure 2). That structure can help with the technical aspects of risk management, but it might not give top management enough visibility about cybersecurity risks— and those cybersecurity risks may not be considered in alignment with other business risks. Pro Cons Keeps governance and operations separate, enabling more-effective management of cybersecurity risks No board and top management awareness of cybersecurity risks, limits internal investment, and eventually increases overall risk exposure Good management of cybersecurity risks related to IT assets Lack of integration between cybersecurity risks and other enterprise risks Governance of cybersecurity risks limited to IT assets Limited authority to enforce risk protocols or to collaborate with other business units
  • 3. 3 INSIGHT  |  Cybersecurity and Risk Management: Lead from the C-suite FIGURE 3: Cybersecurity management within risk management Infrastructure Cybersecurity Management CEO Board Risk Management IT Internal Audit Application Support Application Development Cybersecurity Operations In this scenario, the cybersecurity management team and the cybersecurity operations team are completely segregated—both operationally and in their reporting chains (figure 3). Most likely, cybersecurity risks have been integrated into the overall enterprise risk management framework. In some cases, the cybersecurity management team will be installed within risk management. Pro Cons Separate governance and operations enables more-effective management of cybersecurity risks Limited board and top management awareness of cybersecurity risks Balanced management of cybersecurity risks between IT and non-IT assets Limited authority to enforce risk protocols or to collaborate with other business units Integrates cybersecurity risks and other enterprise risks FIGURE 4: Cybersecurity management reporting to the CEO Application Development Infrastructure Cybersecurity Management CEO Board Risk Management IT Internal Audit Application Support Cybersecurity Operations In this scenario, the cybersecurity governance team reports directly to the CEO, with a dotted line reporting to internal audit (figure 4). Pro Cons Top management fully aware of cybersecurity risks Lack of integration between cybersecurity risks and other enterprise risks Separate governance and operations enable more-effective management of cybersecurity risks Balanced management of cybersecurity risks between IT and non-IT assets Authority to enforce risk protocols or to collaborate with other business units Organizing the governance of cybersecurity risks would likely require variations on these frameworks to suit individual companies. In that same vein, following are guidelines for defining a medium–term cybersecurity road map with the appropriate budget. A company must prepare a list of initiatives that explain how to reduce risk within the risk appetite limits defined by the enterprise risk management framework. Here are some essential steps to follow: }} Define and quantify the required investment. This is the money required to buy hardware, software, or services needed. It may be divided into operating expenses and capital expenditures. }} Determine the level of effort required. This is the number of man-hours required of internal employees to implement the plan. The number might be divided between the cybersecurity operations team, IT personnel, business lines, and, eventually, external service providers. }} Describe the desired risk reduction. This is a description of the intended extent of risk reduction. }} Set the elapsed time for accomplishment. This is the amount of high-level-management time required to deliver the initiative. A cost–benefit analysis, performed possibly by using a data visualization tool, can demonstrate the cost of each part of the initiative and compare it with its projected benefits. The analysis can lead to a two- or three-year plan that stands as a robust cybersecurity road map for the entire organization. Don’t be surprised to discover that the initiatives with the best cost–benefit ratio come from the people category, because the human factor is typically the weakest link in the cybersecurity chain. Monitoring implementation of the road map Finally, and most important, monitor the implementation of the framework according to the established road map. This can be supported by a business’s internal audit function for achieving consistency and maximum effectiveness. Perform annual risk assessment exercises, and periodically reevaluate the company’s current risk posture. Cybersecurity risks are always evolving, external threats are always broadening, and a business’s vulnerabilities are always changing. But with top management and board involvement as an integral part of the risk management process, companies that apply international enterprise risk management standards to cybersecurity risks acquire a coherent and comprehensive organizational defensive posture for navigating the rapidly evolving, connected business climate.
  • 4. www.alixpartners.com This article is the property of AlixPartners, and neither the article nor any of its contents may be copied, used, or distributed to any third party without the prior written consent of AlixPartners. The article was prepared by AlixPartners for general information and distribution on a strictly confidential and nonreliance basis. No one in possession of this article may rely on any portion of the article. The article may be based in whole or in part on projections or forecasts of future events. A forecast by its nature is speculative and includes estimates and assumptions that may prove to be wrong. Actual results may and frequently do differ from those projected or forecast. The information in this article reflects conditions and our views as of this date, all of which are subject to change. We undertake no obligation to update or provide any revisions to the article. FOR MORE INFORMATION, CONTACT: Jon Rigby Director jrigby@alixpartners.com +44 (0) 7500 331216 Paolo Borghesi Vice President pborghesi@alixpartners.com +44 (0) 7500 794972 ABOUT ALIXPARTNERS AlixPartners is a leading global business advisory firm of results-oriented professionals who specialize in creating value and restoring performance. We thrive on our ability to make a difference in high-impact situations and deliver sustainable, bottom-line results. The firm’s expertise covers a wide range of businesses and industries whether they are healthy, challenged, or distressed. Since 1981, we have taken a unique, small-team, action- oriented approach to helping corporate boards and management, law firms, investment banks, and investors respond to critical business issues. For more information, visit www.alixpartners.com. AlixPartners. When it really matters. ©2016 AlixPartners, LLP