Cybersecurity for Business (eBook - ePub)

Organization-Wide Strategies to Ensure Cyber Risk Is Not Just an IT Issue

Larry Clinton

About the Book

FINALIST: International Book Awards 2023 - Business: General
FINALIST: American Book Fest Best Book Award 2023 - Business: General

Balance the benefits of digital transformation with the associated risks with this guide to effectively managing cybersecurity as a strategic business issue. Important and cost-effective innovations can substantially increase cyber risk and the loss of intellectual property, corporate reputation and consumer confidence. Over the past several years, organizations around the world have increasingly come to appreciate the need to address cybersecurity issues from a business perspective, not just from a technical or risk angle. Cybersecurity for Business builds on a set of principles developed with international leaders from technology, government and the boardroom to lay out a clear roadmap of how to meet goals without creating undue cyber risk. This essential guide outlines the true nature of modern cyber risk, and how it can be assessed and managed using modern analytical tools to put cybersecurity in business terms. It then describes the roles and responsibilities each part of the organization has in implementing an effective enterprise-wide cyber risk management program, covering critical issues such as incident response, supply chain management and creating a culture of security. Bringing together a range of experts and senior leaders, this edited collection enables leaders and students to understand how to manage digital transformation and cybersecurity from a business perspective.


Details

Publisher: Kogan Page
Year: 2022
ISBN: 9781398606395
Edition: 1
Subject: Business
Category: Insurance
01

Cybersecurity is (Not) an IT Issue

BY LARRY CLINTON, PRESIDENT AND CEO, INTERNET SECURITY ALLIANCE, AND CARTER ZHENG, ISA RESEARCH ASSOCIATE

Five Key Ideas to Take Away from This Chapter

  1. Organizations have made little progress in addressing cyber risk in large part because they have viewed the issue with an excessively narrow focus as just a technical/operational issue.
  2. To compete in the modern economy, enterprises must engage in digital transformation.
  3. Digital transformation can generate a substantial increase in growth and profitability but can also vastly increase risk.
  4. Foundational technical security measures are necessary, but alone are not sufficient to address cyber threats. Cybersecurity must be an enterprise-wide risk management issue.
  5. Organizations cannot completely secure themselves, but they can manage their cyber risk with appropriate understanding, structure, investment, and risk-management methods.

Introduction

One of the most incontrovertible facts in the field of cybersecurity is that the attack community is winning the battle for cyberspace—and winning by a large and growing margin.
In February 2020, the Executive Director of the World Economic Forum’s Cybersecurity Center, Troels Oerting, addressed the G-20’s Digital Economy Working Group in Riyadh, Saudi Arabia and reported that cybercrime in the previous year had cost the world’s economy $2 trillion. The WEF estimated that the losses would increase to $6 trillion within three years.[1]
The G-20 is the group of the world’s largest economies. Cybercrime is not a nation and has no GDP, but if its total damages were counted as one, they would rank among the top 10 G-20 economies, just ahead of the United Kingdom.[2]
There are a number of reasons why cybercrime is such an enormous and growing problem, but none is more fundamental than the fact that the cybersecurity issue is wildly misunderstood. Most governments, enterprises, and individuals think of cybersecurity as a technical or IT problem. That is a misconception. Cybersecurity is an enterprise-wide risk management issue. Obviously, technology is an important part of that issue, but it is not the only part of the issue—perhaps not even the most important part.
According to the Cyber Risk Oversight Handbook published by the National Association of Corporate Directors (NACD):
Historically, many companies and organizations categorized information security as a technical or operational issue to be handled by the information technology (IT) department. This misunderstanding was fed by siloed operating structures that left functions and business units within the organization feeling disconnected from responsibility for the security of their own data. Instead, this critical responsibility was handed off to IT, a department that in most organizations is strapped for resources and budget authority. Furthermore, deferring responsibility to IT inhibited critical analysis of—and communication about—security issues, and hampered the adoption of effective, organization-wide security strategies.[3]
Consequently, the vast majority of initiatives designed to address cybersecurity concerns are technical and operational, and the individuals selected to manage the problem are almost always IT specialists.
The result of this historic pattern was revealed in a recent study by EY, one of the Big-4 audit firms:
77% of organizations are still operating with only limited cybersecurity and resilience [against cyber threats], while 87% of organizations warn they do not yet have sufficient budget to provide the levels of cybersecurity and resilience they want.[4]

Why We Are Not Making Progress in Securing Cyberspace

While this traditional, largely tactical approach to cybersecurity needs to be part of a comprehensive cyber risk management program, it is insufficient to create a resilient organization. The reality is that cybersecurity is not just an IT issue. It needs to be understood as a strategic, enterprise risk, not just as an IT risk.
There are multiple different types of risks that poor cybersecurity can generate: loss of data, corruption of data, blackmail, damage to the organization’s reputation as well as legal and compliance risks. The responsibility for managing these cyber-related risks extends throughout the organization. For example, many studies have shown that half, or more, of cyber breaches are caused by human failure—the realm of the HR department—not technical breakdowns. The defining characteristic of the internet is a broad interconnection between vendors, partners, customers, etc. These relationships are typically defined by contracts or service agreements, which means it is the legal department—perhaps in tandem with a separate vendor management team—who may be the nexus of the cybersecurity issue. When (not if) cyber breaches occur, most enterprises are rightly concerned with the reputational impacts of the breach. So, managing the cybersecurity risk at this stage is largely a function of the communications/PR department.
Unfortunately, relationships between the cybersecurity function and other critical elements of the business are often fraught with misunderstanding and mistrust. A 2020 survey by EY found that, in most organizations, there was a systemic failure in communication between the cybersecurity function and the business units. For example, EY found that in 74% of organizations the relationship between the cybersecurity function and the marketing department was characterized as—at best—neutral to mistrustful or non-existent. Nearly half of HR departments characterized their relationship with the cybersecurity function the same way, as did R&D departments and finance departments.[5]
In short, cybersecurity is everyone’s responsibility. But, as the old saying goes: to a hammer, everything looks like a nail. If an organization views cybersecurity as essentially a technical issue and vests cyber risk management solely with the IT departments, it is going to get primarily IT solutions that are unlikely to be sufficient to address their full cyber risk.
As another old saying goes: if you ask the wrong questions, you get the wrong answers. To better assure that an organization is asking the right questions about cybersecurity, the organization’s leaders need to understand that cybersecurity is not going to be handled by the IT guys. Cybersecurity needs to be understood and managed comprehensively as an integral element of the organization’s business and mission.
ESI ThoughtLab completed a study of over a thousand companies in early 2020, concluding that, to reduce risk probabilities, Chief Information Security Officers (CISOs) must go well beyond compliance with technical frameworks.[6] Cybersecurity leaders need to integrate these technical frameworks into their business goals, strategies, and individual risk profiles.

Digital Transformation Makes Cybersecurity a Business Issue

One of the most important questions enterprises face in the 21st century is how they can balance the economic imperative for digital transformation with the substantial cybersecurity risks that come with such transformation.
Melissa Hathaway, the Chief Cybersecurity Advisor for both President George W Bush and President Obama, noted that:
Corporations have embraced, adopted and embedded information and communication technology into their network environments and infrastructures and realized phenomenal business and economic growth through improved services, increased productivity and reduced costs… Yet this digital transformation underpinned by affordable communications and cheap devices has introduced new risks.[7]
The NACD Cyber Risk Handbook points out that in the past 25 years, the nature of corporate asset value has changed significantly, shifting away from the physical and toward the virtual.[8] This rapid digitization of corporate assets has resulted in a corresponding transformation of strategies and business models—as well as the digitization of corporate risk. Organizations are taking advantage of entirely new ways to connect with customers and suppliers, engage with employees and improve the efficiency and effectiveness of internal processes.
NOT ALL DATA IS OF THE SAME VALUE—PROTECT THE CROWN JEWELS
Corporations can now amass both enormous amounts of data and an enormous number of data types, and virtually all of this data is at risk. However, when companies assess cybersecurity risks, it is erroneous to assume all assets are created equal and therefore need to be protected in the same way. Each company has a distinct set of crown jewel data (the data most critical to the organization's mission) to protect. For instance, the customer data associated with credit card information is of greater value than the invoice numbers that companies generate in-house. Companies do not have endless resources to protect all data at any cost, and yet most deploy one-size-fits-all cybersecurity strategies.[9] In Chapter 4 we will discuss how a modern, sophisticated cyber risk assessment can differentiate between these different types of data and assign appropriate, cost-effective security measures.
For several years it has...