There’s an awkward moment after you tell a Fortune 100 company, who spends $90M a year on people and “best in class” security technologies, that 10,000 of their 25,000 endpoints are at various degrees of compromise. A flash of anger, fatigue, and disbelief is mixed with a frustrated lack of surprise. That awkward moment epitomizes 2016 as the year of the breach, the serial failure to compensate for a mismatch in threat, technology, and strategy. Security is not in a box, so what do we do now? We lead.

Cybersecurity is a fascinating leadership challenge because the need is absolutely “no fail”…without digital and network integrity, we struggle to survive in a global predatory jungle. This year, relentless leading news stories reminded us that our lives exist in a state of ubiquitous digital risk and ubiquitous digital vulnerability. In 2016, the public realized cyber security is the nexus of defense from vulnerability and aggression between global threat actors and the average person.

“Organizations depend on information technology and the information systems that are developed from that technology to successfully carry out their missions and business functions. Information systems can include as constituent components, a range of diverse computing platforms from high-end supercomputers to personal digital assistants and cellular telephones. Information systems can also include very specialized systems and devices (e.g., telecommunications systems, industrial/process control systems, testing and calibration devices, weapons systems, command and control systems, and environmental control systems). Federal information and information systems are subject to serious threats that can have adverse impacts on organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation by compromising the confidentiality, integrity, or availability of information being processed, stored, or transmitted by those systems. Threats to information and information systems include environmental disruptions, human or machine errors, and purposeful attacks.

Cyber attacks on information systems today are often aggressive, disciplined, well-organized, well-funded, and in a growing number of documented cases, very sophisticated. Successful attacks on public and private sector information systems can result in serious or grave damage to the national and economic security interests of the United States. Given the significant and growing danger of these threats, it is imperative that leaders at all levels of an organization understand their responsibilities for achieving adequate information security and for managing information system-related security risks.” NIST SP 800-37

Our lives and our businesses are now exposed to a digital jungle filled with nation-state competitors, criminals, malcontents, idealists, guardians, corporate giants, family businesses, all employees, all customers, all patients, and even little old ladies. Yes, there have been many awkward moments in 2016 for sure. A new path is required for cyber risk management that reaches beyond information technology and across the entire organization.

A New Path, Cyber Risk Governance - Coup d’Oeil

Cyber risk is a board issue requiring oversight to ensure a unified and integrated effort reduces that risk across the company. Cyber risk permeates companies beyond traditional network risk. A cyber risk mitigation strategy needs to be developed, implemented, and sustained across the entire corporate organization. Cyber security is the nexus of a business’s network defense between information and communication technologies (ICT) and operational technologies (OT). The network is the gateway into the kingdom. Cyber risk management must look at the matrix of organizational risks and vulnerabilities driving insecurity through people, processes, technologies, and products. Those organizational risks are beyond the purview of IT. The finance and insurance industries offer insightful paths for other industries to consider.

Cyber Risk Governance: Ubiquitous Cyber Threat + Ubiquitous Cyber Vulnerability + Ubiquitous Cyber Risk = Cyber Business Risk Management

In business, we follow the money. An Advance Notice of Proposed Rulemaking (ANPR) was jointly issued by the Federal Reserve, the Federal Deposit Insurance Corporation (FDIC) and the Office of the Comptroller of the Currency (OCC) on October 19, 2016. Cyber risk management and improving organizational resiliency is the focus of the notice for banking institutions. The document foreshadows the future ahead for those financial institutions with over $50B in assets. Their premise is simple: cyber risks are strategic risks. The notice elevates cyber risk directly to the Board for oversight and seeks to normalize the enterprise risk management approach across the C-Suite. A frustrating reality facing CIOs and CISOs for some time is the responsibility to reduce cyber risk beyond their ability to control, in areas clearly beyond their authority, and sometimes even beyond their influence. The ANPR notice elevates cyber risk beyond the CIO by outlining enhanced risk standards and expectations in five categories:

  • Cyber risk governance (How does the Board govern cyber risk?)
  • Cyber risk management (How does the business manage cyber risk?)
  • Internal dependency management (How does the business manage internal assets, plans, practices, technologies, procedures, etc. that create cyber risk?)
  • External dependency management (How does the business manage external assets, plans, structures, 3rd Parties, etc. that create cyber risk?)
  • Incident response, cyber resilience, and situational awareness (What is the CIO’s and CISO’s plan to identify, defend, mitigate, and recover from threats? How do they maintain organizational visibility on emerging cyber threats, and how does that affect business operations and continuity?)

Conspicuously, cyber risk insurers look to organizational risk management, or enterprise risk management (ERM), not technology, to reduce cyber insecurity. The National Association of Insurance Commissioners addressed reducing corporate cyber risk in 2 of the 12 principles (below) in a 2015 report. The Geneva Association’s landmark report on cyber risk and cyber insurance emphasizes its paramount importance: “The first and maybe most important aspect for sound cyber risk management is that cyber risk management is not the responsibility of the IT department, but a cross-company risk dialogue is necessary (e.g. sensitization trainings etc.). The topic also should be embedded at the C-level.” Both align with, support, and complement a new approach to reduce risk through cyber governance. Insurers do expect that a complement of security technologies and expertise will vigilantly defend the network, but it is through organizational risk management that insurers lower their cyber risk. At face value, this may seem like an indictment of the security industry, but 2016 demonstrates that security appliances cannot compensate for unmanaged organizational risk. More boxes, more people, and next generation technology will not reduce cyber risks or bring better security. Cyber risk is a cross-organizational challenge.


This article was originally posted, December 6, 2016 on Linkedin and Huffington Post.