Past Event


Educating Boards & Executives about Cybersecurity Risk Management

Date: Wednesday June 14, 2017
Time: 6:00 PM - 8:00 PM (Central Standard Time)
Venue: 2.03 Classroom

This event has ended.


Abstract:

The global cybersecurity market reached $75 billion for 2015 and is expected to hit $170 billion in 2020, according to Forbes.

Cybersecurity risk is ever-changing and pervasive. It is a difficult and intimidating topic for most organizational boards to consider, so it is essential today that board members, along with their executives and managers, have a comprehensive and basic understanding of cybersecurity and of a risk management program that includes more than just an information technology component.

Recall that Institutional Shareholder Services, which provides counsel to investors, recommended that most of the Target board of directors be replaced following the 2014 report of the Target data breach, explaining that the company, along with its board, was inadequately prepared for the risks of doing business in today’s electronic commerce environment.

Other organizations that have had cybersecurity incidents include DSW, Dave & Buster’s, Lifelock, Accretive Health, FBI and Homeland Security, Seagate, IRS, FDIC, Anthem, and Advocate Health Care, and the list goes on. The total cost of a cybersecurity breach can range from $1.5 million to $36.5 million when all costs from several business areas are included.

Who has the ultimate responsibility? 

Laws such as the recent one in the state of New York, DFS[masked]-A, effective March 1, 2017, for all organizations in banking, insurance, and financial services regulated by the State of New York Department of Financial Services, hold the board of directors ultimately and finally responsible for adherence to all the terms of this new law. In addition, there are other regulations that detail what tasks in a cybersecurity risk management plan are to be completed, and how.

Therefore, education of the board of directors and executives is needed. They do not have to become experts but should have a high-level understanding of cybersecurity risk management. This management program includes processes, training, reports, and tasks outside of the IT department managed by the CIO that need to be occurring. It also includes an organization-wide cybersecurity incident response plan.

This session presents a high-level description and suggested components of this risk management function. While IT security is a critical role, it is not all that needs to be done. The SPOTT® Gap Analysis will be explained as a pragmatic tool for identifying all tasks in all areas. A challenge in developing, and then managing and executing, an organization's cybersecurity risk management plan is that support and agreement are required from leaders in different professions who have been taught different logical processes. The identified board members, executives, managers, project managers, etc. in leadership roles need to be able to communicate with and influence those leaders in order to gain the needed support and agreement.
