Cybersecurity for Business
eBook - ePub

Organization-Wide Strategies to Ensure Cyber Risk Is Not Just an IT Issue

Larry Clinton, Larry Clinton

About This Book

FINALIST: International Book Awards 2023 - Business: General
FINALIST: American Book Fest Best Book Award 2023 - Business: General

Balance the benefits of digital transformation with the associated risks with this guide to effectively managing cybersecurity as a strategic business issue. Important and cost-effective innovations can substantially increase cyber risk and the loss of intellectual property, corporate reputation and consumer confidence. Over the past several years, organizations around the world have increasingly come to appreciate the need to address cybersecurity issues from a business perspective, not just from a technical or risk angle. Cybersecurity for Business builds on a set of principles developed with international leaders from technology, government and the boardroom to lay out a clear roadmap of how to meet goals without creating undue cyber risk. This essential guide outlines the true nature of modern cyber risk, and how it can be assessed and managed using modern analytical tools to put cybersecurity in business terms. It then describes the roles and responsibilities each part of the organization has in implementing an effective enterprise-wide cyber risk management program, covering critical issues such as incident response, supply chain management and creating a culture of security. Bringing together a range of experts and senior leaders, this edited collection enables leaders and students to understand how to manage digital transformation and cybersecurity from a business perspective.

Information

Publisher: Kogan Page
Year: 2022
ISBN: 9781398606395
Edition: 1
Subtopic: Insurance

01 Cybersecurity is (Not) an IT Issue

BY LARRY CLINTON, PRESIDENT AND CEO, INTERNET SECURITY ALLIANCE, AND CARTER ZHENG, ISA RESEARCH ASSOCIATE

Five Key Ideas to Take Away from This Chapter

  1. Organizations have made little progress in addressing cyber risk in large part because they have viewed the issue with an excessively narrow focus as just a technical/operational issue.
  2. To compete in the modern economy, enterprises must engage in digital transformation.
  3. Digital transformation can generate a substantial increase in growth and profitability but can also vastly increase risk.
  4. Foundational technical security measures are necessary, but alone are not sufficient to address cyber threats. Cybersecurity must be an enterprise-wide risk management issue.
  5. Organizations cannot completely secure themselves, but they can manage their cyber risk with appropriate understanding, structure, investment, and risk-management methods.

Introduction

One of the most incontrovertible facts in the field of cybersecurity is that the attack community is winning the battle for cyberspace—and winning by a large and growing margin.
In February 2020, the Executive Director of the World Economic Forum’s Cybersecurity Center, Troels Oerting, addressed the G-20’s Digital Economy Working Group in Riyadh, Saudi Arabia and reported that cybercrime in the previous year had cost the world’s economy $2 trillion. The WEF estimated that the losses will increase to $6 trillion in three years.1
The G-20 is a group of the world’s largest economies. Although there is no “cybercrime nation” with a GDP of its own, the damages from cybercrime as a whole would rank among the top 10 G-20 economies, just ahead of the United Kingdom.2
There are a number of reasons why cybercrime is such an enormous and growing problem, but none is more fundamental than the fact that the cybersecurity issue is wildly misunderstood. Most governments, enterprises, and individuals think of cybersecurity as a technical or IT problem. That is a misconception. Cybersecurity is an enterprise-wide risk management issue. Obviously, technology is an important part of that issue, but it is not the only part of the issue, and perhaps not even the most important part.
According to the Cyber Risk Oversight Handbook published by the National Association of Corporate Directors (NACD):
Historically, many companies and organizations categorized information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding was fed by siloed operating structures that left functions and business units within the organization feeling disconnected from responsibility for the security of their own data. Instead, this critical responsibility was handed off to IT, a department that in most organizations is strapped for resources and budget authority. Furthermore, deferring responsibility to IT inhibited critical analysis of—and communication about—security issues, and hampered the adoption of effective, organization-wide security strategies.3
Consequently, the vast majority of initiatives designed to address cybersecurity concerns are technical and operational, and the individuals selected to manage the problem are almost always IT specialists.
The result of this historic pattern was revealed in a recent study by EY, one of the Big-4 audit firms:
77% of organizations are still operating with only limited cybersecurity and resilience [against cyber threats], while 87% of organizations warn they do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want.4

Why We Are Not Making Progress in Securing Cyberspace

While this traditional, largely tactical approach to cybersecurity needs to be part of a comprehensive cyber risk management program, it is insufficient to create a resilient organization. The reality is that cybersecurity is not just an IT issue. It needs to be understood as a strategic, enterprise risk, not just as an IT risk.
There are multiple different types of risks that poor cybersecurity can generate: loss of data, corruption of data, blackmail, damage to the organization’s reputation as well as legal and compliance risks. The responsibility for managing these cyber-related risks extends throughout the organization. For example, many studies have shown that half, or more, of cyber breaches are caused by human failure—the realm of the HR department—not technical breakdowns. The defining characteristic of the internet is a broad interconnection between vendors, partners, customers, etc. These relationships are typically defined by contracts or service agreements, which means it is the legal department—perhaps in tandem with a separate vendor management team—who may be the nexus of the cybersecurity issue. When (not if) cyber breaches occur, most enterprises are rightly concerned with the reputational impacts of the breach. So, managing the cybersecurity risk at this stage is largely a function of the communications/PR department.
Unfortunately, relationships between the cybersecurity function and other critical elements of the business are often fraught with misunderstanding and mistrust. A 2020 survey by EY found that, in most organizations, there was a systemic failure in communication between the cybersecurity function and the business units. For example, EY found that in 74% of organizations the relationship between the cybersecurity function and marketing department was characterized as, at best, neutral to mistrustful or non-existent. Nearly half of HR departments characterized their relationship with the cybersecurity function the same way, as did R&D departments and finance departments.5
In short, cybersecurity is everyone’s responsibility. But, as the old saying goes: to a hammer, everything looks like a nail. If an organization views cybersecurity as essentially a technical issue and vests cyber risk management solely with the IT departments, it is going to get primarily IT solutions that are unlikely to be sufficient to address their full cyber risk.
As another old saying goes: if you ask the wrong questions, you get the wrong answers. To better assure that an organization is asking the right questions about cybersecurity, the organization’s leaders need to understand that cybersecurity is not going to be handled by the IT guys. Cybersecurity needs to be understood and managed comprehensively as an integral element of the organization’s business and mission.
ESI ThoughtLab completed a study of over a thousand companies in early 2020, concluding that to reduce risk probabilities Chief Information Security Officers (CISOs) must go well beyond compliance with technical frameworks.6 Cybersecurity leaders need to integrate these technical frameworks into their business goals, strategies, and individual risk profiles.

Digital Transformation Makes Cybersecurity a Business Issue

One of the most important questions enterprises face in the 21st century is how they can balance the economic imperative for digital transformation with the substantial cybersecurity risks that come with such transformation.
Melissa Hathaway, the Chief Cybersecurity Advisor for both President George W Bush and President Obama, noted that:
Corporations have embraced, adopted and embedded information and communication technology into their network environments and infrastructures and realized phenomenal business and economic growth through improved services, increased productivity and reduced costs. Yet this digital transformation, underpinned by affordable communications and cheap devices, has introduced new risks.7
The NACD Cyber Risk Handbook points out that in the past 25 years, the nature of corporate asset value has changed significantly, shifting away from the physical and toward the virtual.8 This rapid digitization of corporate assets has resulted in a corresponding transformation of strategies and business models—as well as the digitization of corporate risk. Organizations are taking advantage of entirely new ways to connect with customers and suppliers, engage with employees and improve the efficiency and effectiveness of internal processes.
NOT ALL DATA IS OF THE SAME VALUE—PROTECT THE CROWN JEWELS
Corporations can now amass both enormous amounts of data and an enormous number of data types, and virtually all of this data is at risk. However, when companies assess cybersecurity risks, it is erroneous to assume all assets are created equal and therefore need to be protected in the same way. Each company has a distinct set of crown jewel data (the data most critical to the organization's mission) to protect. For instance, the customer data associated with credit card information is of greater value than the invoice numbers that companies generate in-house. Companies do not have endless resources to protect all data at any cost, and yet most deploy one-size-fits-all cybersecurity strategies.9 In Chapter 4 we will discuss how a modern, sophisticated cyber risk assessment can differentiate between these different types of data and assign appropriate, cost-effective security measures.
For several years it has...