Fight Cyber-Attacks With an Executive Risk Council
Posted 2013-05-15
An effective executive risk council can help reduce the impact of a potentially devastating cyber-attack, and maintain that ever-important bond of trust.
Risk: Some companies have a chief risk officer, but many that don’t have the chief financial officer serve in that role. Every breach results in a cost to the company—that’s a post-breach consideration. It is also important to have the CFO on the council because that officer can be influential in making budget available for preventative measures.
Security: Information security must contain three specific characteristics: physical security, technical or logical security, and administrative security. The regulators refer to these aspects of security, and each should have equal measure. In many companies, a wide gulf exists between physical security and technical and administrative security. This is a weakness that increases the likelihood of breach success, particularly when an intrusion involves physical penetration of the target company.
IT Infrastructure: Technology infrastructure is vital to the council because just about every activity the company engages in involves a computer, a tablet, a smart phone, the network, the Internet, servers, etc. IT touches everything, so be sure the CIO or CTO is included in the council.
Information and Records Management: Most environments currently are a mix of paper and electronic records, which magnifies the risk. So a records management executive should be included.
Business Continuity Planning/Disaster Recovery: BCP/DR is critical to the council, and the absence of a BCP/DR representative on the council may result in increased risk impact. BCP/DR should include issues such as workplace violence, terrorist attacks, natural disasters, utility outages and other factors.
Marketing and Sales: Although these functions are not often included in risk councils, it is important to remember that marketing and sales are intimately related to the company’s reputation. In the event of a breach, it is necessary to address this issue with customers.
Human Resources: Get the entire employee base onboard with the security message. HR is often the organization that has the greatest reach to all employees, so it needs to be part of the risk management and prevention solution.
Privacy: Someone on the council should have responsibility for making sure that information privacy is understood and that the associated policies are in place. Also, remember that privacy includes not only employee and customer information, but intellectual property and trade secrets as well.
Internal Audit: A representative from internal audit will add substantial value, making certain that the internal audit plan embraces the full scope and dimension of the risk. Also, the internal audit function has direct linkage to the audit committee of the board of directors.
Corporate Communications: Developing a media response plan before a breach takes place is fundamental and should be part of every company’s corporate governance initiative. If perception is reality, then perception should not be left for others to define, lest that become the reality.
Alliance Management: Strategic-alliance and joint-venture partner relationships are at risk in the event of an inadequately managed breach. Having an alliance management executive participate in the council allows for proper messaging (working with corporate communications) to the various companies that may have skin—and risk—in the breach.
Compliance: A compliance representative is critical, particularly if the breach involves PII or PHI. Depending on the size of the company, compliance may be part of the legal office. If not, someone from compliance will be able to convey to the council the regulatory requirements associated with managing data and what to do in the event of a breach.
Senior Management: The more senior the title of the executive sponsor, the better. For smaller organizations, it may be the CEO. But whether it's the director of internal audit, general counsel or CFO, the executive sponsor should have direct access to the board and to the executive management team. This is invaluable for budgetary approvals. A council member will have a strong understanding of the need to prevent breaches and reduce the impact of one.
The goal of an executive risk council is to reduce to the lowest degree possible the impact of a breach. The council needs to understand the fundamentals of cyber-threats, and how to defend against legal, financial, regulatory and reputation risk, and risk impact.
This forces the team to confront the impact of potential losses associated with a cyber-breach, such as loss of market share, sales, company value, market positioning and dominance, customer and alliance concerns, investor confidence and even insurability. While an executive risk council may not be a silver bullet against hackers, it is a good starting point for building awareness where it counts.
All companies targeted by cyber-attacks face one great commonality: compromise of reputation, that is, reputation risk. The best advice is to always “think post-breach” and “act pre-breach.” An effective executive risk council can help reduce the impact of a potentially devastating cyber-attack, and maintain that ever-important bond of trust, which defines an organization's reputation.
MacDonnell Ulsch is the CEO and chief analyst of ZeroPoint Risk Research in Boston. He is the author of the book THREAT! Managing Risk in a Hostile World.