Cybersecurity for Business
eBook - ePub

Cybersecurity for Business

Organization-Wide Strategies to Ensure Cyber Risk Is Not Just an IT Issue

Larry Clinton, Larry Clinton


About this book

FINALIST: International Book Awards 2023 - Business: General
FINALIST: American Book Fest Best Book Award 2023 - Business: General

Balance the benefits of digital transformation with the associated risks with this guide to effectively managing cybersecurity as a strategic business issue. Important and cost-effective innovations can substantially increase cyber risk and the loss of intellectual property, corporate reputation and consumer confidence. Over the past several years, organizations around the world have increasingly come to appreciate the need to address cybersecurity issues from a business perspective, not just from a technical or risk angle. Cybersecurity for Business builds on a set of principles developed with international leaders from technology, government and the boardroom to lay out a clear roadmap of how to meet goals without creating undue cyber risk. This essential guide outlines the true nature of modern cyber risk, and how it can be assessed and managed using modern analytical tools to put cybersecurity in business terms. It then describes the roles and responsibilities each part of the organization has in implementing an effective enterprise-wide cyber risk management program, covering critical issues such as incident response, supply chain management and creating a culture of security. Bringing together a range of experts and senior leaders, this edited collection enables leaders and students to understand how to manage digital transformation and cybersecurity from a business perspective.


Information

Publisher
Kogan Page
Year
2022
ISBN
9781398606395
Edition
1
Sub-subject
Insurance
01

Cybersecurity is (Not) an IT Issue

BY LARRY CLINTON, PRESIDENT AND CEO, INTERNET SECURITY ALLIANCE, AND CARTER ZHENG, ISA RESEARCH ASSOCIATE

Five Key Ideas to Take Away from This Chapter

  1. Organizations have made little progress in addressing cyber risk in large part because they have viewed the issue with an excessively narrow focus as just a technical/operational issue.
  2. To compete in the modern economy, enterprises must engage in digital transformation.
  3. Digital transformation can generate a substantial increase in growth and profitability but can also vastly increase risk.
  4. Foundational technical security measures are necessary, but alone are not sufficient to address cyber threats. Cybersecurity must be an enterprise-wide risk management issue.
  5. Organizations cannot completely secure themselves, but they can manage their cyber risk with appropriate understanding, structure, investment, and risk-management methods.

Introduction

One of the most incontrovertible facts in the field of cybersecurity is that the attack community is winning the battle for cyberspace—and winning by a large and growing margin.
In February 2020, the Executive Director of the World Economic Forum’s Cybersecurity Center, Troels Oerting, addressed the G-20’s Digital Economy Working Group in Riyadh, Saudi Arabia and reported that cybercrime in the previous year had cost the world’s economy $2 trillion. The WEF estimated that the losses will increase to $6 trillion in three years.1
The G-20 is a group of the world’s largest economies. Although the cybercrime nation does not have a GDP, the damages from cybercrime as a whole rank equivalently to the GDP of the top 10 G-20 countries—just ahead of the United Kingdom.2
There are a number of reasons why cybercrime is such an enormous and growing problem, but none is more fundamental than the fact that the cybersecurity issue is wildly misunderstood. Most governments, enterprises, and individuals think of cybersecurity as a technical or IT problem. That is a misnomer. Cybersecurity is an enterprise-wide risk management issue. Obviously, technology is an important part of that issue, but it is not the only part of the issue—perhaps not even the most important part.
According to the Cyber Risk Oversight Handbook published by the National Association of Corporate Directors (NACD):
Historically, many companies and organizations categorized information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding was fed by siloed operating structures that left functions and business units within the organization feeling disconnected from responsibility for the security of their own data. Instead, this critical responsibility was handed off to IT, a department that in most organizations is strapped for resources and budget authority. Furthermore, deferring responsibility to IT inhibited critical analysis of—and communication about—security issues, and hampered the adoption of effective, organization-wide security strategies.3
Consequently, the vast majority of initiatives designed to address cybersecurity concerns are technical and operational, and the individuals selected to manage the problem are almost always IT specialists.
The result of this historic pattern was revealed in a recent study by EY, one of the Big-4 audit firms:
77% of organizations are still operating with only limited cybersecurity and resilience [against cyber threats], while 87% of organizations warn they do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want.4

Why We Are Not Making Progress in Securing Cyberspace

While this traditional, largely tactical approach to cybersecurity needs to be part of a comprehensive cyber risk management program, it is insufficient to create a resilient organization. The reality is that cybersecurity is not just an IT issue. It needs to be understood as a strategic, enterprise risk, not just as an IT risk.
There are multiple different types of risks that poor cybersecurity can generate: loss of data, corruption of data, blackmail, damage to the organization’s reputation as well as legal and compliance risks. The responsibility for managing these cyber-related risks extends throughout the organization. For example, many studies have shown that half, or more, of cyber breaches are caused by human failure—the realm of the HR department—not technical breakdowns. The defining characteristic of the internet is a broad interconnection between vendors, partners, customers, etc. These relationships are typically defined by contracts or service agreements, which means it is the legal department—perhaps in tandem with a separate vendor management team—who may be the nexus of the cybersecurity issue. When (not if) cyber breaches occur, most enterprises are rightly concerned with the reputational impacts of the breach. So, managing the cybersecurity risk at this stage is largely a function of the communications/PR department.
Unfortunately, relationships between the cybersecurity function and other critical elements of the business are often fraught with misunderstanding and mistrust. A 2020 survey by EY found that, in most organizations, there was a systemic failure in communication between the cybersecurity function and the business units. For example, EY found that in 74% of organizations the relationship between the cybersecurity function and the marketing department was characterized as—at best—neutral to mistrustful or non-existent. Nearly half of HR departments characterized their relationship with the cybersecurity function the same way, as did R&D departments and finance departments.5
In short, cybersecurity is everyone’s responsibility. But, as the old saying goes: to a hammer, everything looks like a nail. If an organization views cybersecurity as essentially a technical issue and vests cyber risk management solely with the IT department, it is going to get primarily IT solutions that are unlikely to be sufficient to address its full cyber risk.
As another old saying goes: if you ask the wrong questions, you get the wrong answers. To better assure that an organization is asking the right questions about cybersecurity, the organization’s leaders need to understand that cybersecurity is not going to be handled by the IT guys. Cybersecurity needs to be understood and managed comprehensively as an integral element of the organization’s business and mission.
ESI ThoughtLab completed a study of over a thousand companies in early 2020, concluding that to reduce risk probabilities Chief Information Security Officers (CISOs) must go well beyond compliance with technical frameworks.6 Cybersecurity leaders need to integrate these technical frameworks into their business goals, strategies, and individual risk profiles.

Digital Transformation Makes Cybersecurity a Business Issue

One of the most important questions enterprises face in the 21st century is how they can balance the economic imperative for digital transformation with the substantial cybersecurity risks that come with such transformation.
Melissa Hathaway, the Chief Cybersecurity Advisor for both President George W Bush and President Obama, noted that:
Corporations have embraced, adopted and embedded information and communication technology into their network environments and infrastructures and realized phenomenal business and economic growth through improved services, increased productivity and reduced costs. Yet this digital transformation, underpinned by affordable communications and cheap devices, has introduced new risks.7
The NACD Cyber Risk Handbook points out that in the past 25 years, the nature of corporate asset value has changed significantly, shifting away from the physical and toward the virtual.8 This rapid digitization of corporate assets has resulted in a corresponding transformation of strategies and business models—as well as the digitization of corporate risk. Organizations are taking advantage of entirely new ways to connect with customers and suppliers, engage with employees and improve the efficiency and effectiveness of internal processes.
NOT ALL DATA IS OF THE SAME VALUE—PROTECT THE CROWN JEWELS
Corporations can now amass both enormous amounts of data and an enormous number of data types, and virtually all of this data is at risk. However, when companies assess cybersecurity risks, it is erroneous to assume all assets are created equal and therefore need to be protected in the same way. Each company has a distinct set of crown jewel data (the data most critical to the organization's mission) to protect. For instance, the customer data associated with credit card information is of greater value than the invoice numbers that companies generate in-house. Companies do not have endless resources to protect all data at any cost, and yet most deploy one-size-fits-all cybersecurity strategies.9 In Chapter 4 we will discuss how a modern, sophisticated cyber risk assessment can differentiate between these different types of data and assign appropriate, cost-effective security measures.
For several years it has...
