Data breaches are costly, high-profile incidents. CEOs are more concerned today than ever before, and the threat is only getting worse. In fact, the number of records compromised as a result of hacking or malware attacks in 2015 grew by more than 128% over the previous year, according to information compiled by Privacy Rights Clearinghouse.
Given the loss potential and headline-making nature of a major data breach, it’s no surprise that cybersecurity has become a boardroom topic. No leader wants to see their company exploited by creative cyber villains. As a result, senior executives are looking to CISOs for forward-looking insight and proactive action. For their influence to grow, CISOs must be prepared to articulate and to defend their strategic plan. And the best way to do that is to manage the message before the breach happens.
Regulations play an important role in protecting information. HIPAA, PCI-DSS, FISMA, and other industry standards help to ensure appropriate measures are in place to handle, transmit, and store company and consumer data properly. Complying with standards is non-negotiable, but it’s only the beginning.
Compliance-based security models assume that satisfying a fixed set of controls is the same as being secure, and they can give senior management an artificial sense of security. Controls are defined based on known issues and change slowly over time. But new malware variants are created almost daily. According to recent data from Symantec, there were 19.2 million new malware variants discovered just in the month of February 2016.
While a control may protect against today’s threats, it may prove to be ineffective one month, six months, or a year from now. Meeting the requirements of standards is essential. But relying solely on compliance with a standard as the measure of your security program is risky, because compliance-based models are too rigid to address new threats as they emerge.
Risk and Reasonableness
Without question, cyberattacks pose a significant risk to every company, causing problems ranging anywhere from annoyance, lost productivity, and disrupted operations to stolen records, lost revenue, a tarnished brand image, and expensive lawsuits—as well as many points in between.
Last December, Reuters reported that so far Target had spent $290 million related to its well-publicized 2013 data breach, and more shareholder lawsuits were still pending.
But business risk is gray and malleable, not black and white. It’s different for each business, which is one reason companies should not rely on compliance alone. Every organization must assess the risk of a data breach based on the nature of its business and industry requirements and implement “reasonable” security measures to protect its information assets.
While the concept of reasonableness is somewhat subjective, the questions for CISOs to ponder are these: Does my security program constitute reasonable protections for a company in my industry and would the legal system agree? If my company is breached, and I have to explain my actions a year from now in front of a court, will those actions show that I did what was reasonable to protect my company’s information assets?
To answer these questions, CISOs should establish an InfoSec program based on a proven framework, such as ISO 27001, COBIT, NIST, or COSO, and develop a clear implementation roadmap. Using a framework as a best practices guide, CISOs can implement effective internal controls and manage risk. And by developing a roadmap, CISOs are able to track activities over time, to adjust priorities and make course corrections as needed, and to report progress and status to senior management and the board with confidence.
The cyber-threat map is always changing. New threats continue to emerge from both inside and outside organizations. And senior management must be apprised of the risks.
In order to manage the message before the breach, CISOs must communicate regularly with senior management and do so in business terms. By explaining threats in the context of business impact, CISOs are able to communicate more effectively with their senior counterparts.
But managing the message before the breach also means CISOs must take a hard look at their InfoSec program. Is it built on a proven framework? Does it address industry mandates for information security? Would it be considered reasonable if challenged? Is there a well-defined implementation plan and can it be articulated?
Answering these and other questions before a breach occurs could make all the difference.