TechTalk Blog: Fight Cyber Terrorists through Integrated Corporate Resilience, Not Just IT Controls

By Brad Monterio posted 07-15-2015 02:51 PM


In the latest McKinsey Quarterly there is an excerpt from a new book (“Beyond Cybersecurity: Protecting Your Digital Business”) that tackles the ever-present topic of cyber security and what companies can do to protect their critical information assets.

The opening paragraph of the article should worry you if you’re a CFO. It may even keep you up at night. Hopefully it is scary enough to make you realize that your company needs proper internal controls and data governance policies to help protect against attacks. But, as the article goes on to point out, this alone is clearly not enough to protect the organization.

“For many businesses, the next wave of innovation and growth will likely involve intelligent analytics, rich mobile experiences, and “one touch” processes that require no further manual intervention. Success will depend on maintaining trust: consumers and business customers alike will accept nothing less than a complete assurance that the companies they engage with protect their highly sensitive data carefully in the hyperconnected information systems powering the digital economy.” 

Authors Tucker Bailey, James M. Kaplan and Chris Rezek make a case for shifting the perspective on how the company views cyber risks, and on how to mitigate them. Companies relying on internal controls to protect them from cyber risks are treating it as an IT challenge, and they’re missing the point. Bailey, Kaplan and Rezek are trying to help CFOs and executive management evolve from a control-oriented approach towards one of digital, corporate resilience.

If, as the authors state, “nearly 80 percent of technology executives surveyed report that their organizations cannot keep up with the attackers’ increasing sophistication,” it seems to me that robust internal controls will not be effective at keeping out the unwanted guests poking around your digital assets.

So what is digital corporate resilience? The authors say it’s the ability to design customer applications, business processes, technology architectures, and cybersecurity defenses with the protection of critical information assets in mind.  According to these experts, there are six critical actions for any organization planning to achieve digital resilience:

  1. Identify all the issues: know which information assets are at risk, understand how your controls (for intrusion detection, identity and access management, data protection, incident response etc.) interrelate and impact each other, and address a more comprehensive set of issues, including existing protocols, personnel, tools, governance, controls, the security architecture, and delivery systems.
  2. Aim high but toward a well-defined target: make the plan reachable but set a high target – and get buy-in from the top level of the organization.
  3. Work out how best to deliver the new cybersecurity system: recognize that the process will not be without bumps in the road, and push your organization more aggressively in designing the protections.
  4. Establish the risk–resource trade-offs: understand your company’s risk tolerance levels and offer senior leadership a few “pragmatic options representing different levels of risk reduction and resource commitments”.
  5. Develop a plan that aligns business and technology: once the company has assessed its cybersecurity capabilities, defined its risk appetite, and agreed on a model, a plan needs to be created that aligns the business and the technology.
  6. Ensure sustained business engagement: digital resilience cannot come about without buy-in and support from the CEO. Cybersecurity is a material risk for companies today, and it should have the CEO’s and the Board’s attention.

There’s no denying that corporate resilience is emerging as a ‘hot topic’, and applying resilience thinking to cyber risk management is a natural outgrowth of that discussion. What I would like to know is this: how well equipped is your organization to evolve from a controls-based approach to risks like cybersecurity to one of integrated resilience that permeates the whole organization?

#IT #CMA #corporateresilience #governance #TechTalk #Accounting #HotTopic #technology #risk #ERM #IMA #Cyber #cybersecurity #cfo #resilience

Comments

07-15-2015 03:02 PM

Thanks Brad - CFOs need to use multiple lines of defense and are being called to account in boards of directors. Convergence between CFOs and CIOs is continuing. High priority issue!