Saturday, July 2, 2016

PROACTIVE CYBER RISK MANAGEMENT

It is important to incorporate discussion of cybersecurity risk in all business decisions from the beginning, because it is much harder and far less effective to consider cybersecurity after the fact. Whether a decision has to do with corporate strategy, new product launches, facilities, customer interaction, M&A, or legal or financial issues, management should always proactively consider cybersecurity risk. As an example, take the white-hot omnichannel marketing trend, which has retailers using mobile technology to collect data from their customers and then exploiting that knowledge to better target marketing and promotions—sometimes at the moment a customer walks into the store. Obviously, such retailers are gathering more information about their customers than ever before. How will they protect it? Do the mobile applications that make these approaches possible expose their organizations to new vulnerabilities? No matter how exciting the revenue-driving opportunity, these are questions that retail boards should be asking management as part of the decision to pursue such initiatives.

Management should respond with some variation of, “Our software vendor vouches for its security, and in addition, we’re doing our own testing to see how vulnerable the software may be before we introduce it to our customers.” Boards should extrapolate the thinking in the above example to all aspects of their business decision-making.

To apply proactive thinking to cyber strategy, consider growth through M&A. Boards should think through M&A cybersecurity risks in multiple dimensions. To name three: adding cybersecurity analysis of the target to the due diligence process; protecting the M&A process itself from cyber breaches; and assessing the potential cyber exposure resulting from post-deal integration. In both of these examples, it should be clear how challenging it would be to address cybersecurity concerns after the initiative gets underway.

Everyone’s resources are limited. Because there is an effectively unlimited number of cybersecurity measures in which a company can invest, the trick is to prioritize such measures based on a customized assessment of the most serious threats facing your organization. Such assessments should be approached along two primary dimensions: your organization’s most valuable assets and its greatest cyber vulnerabilities. Often, your most critical assets are obvious: payment card data for a retailer, the script of an upcoming franchise sequel for a movie studio, the source code at the heart of a software company’s bestselling product.

In conclusion:
Every board’s cybersecurity review must ask management what measures are being taken to protect a company’s most critical assets, beginning with development and on through production and distribution. Beyond the most critical are other assets that require differentiated gradations of protection. Identifying and prioritizing those assets is an information governance challenge, so the board also has to understand the organization’s information governance policy and have a sense for the quality of its execution.

By:  ULAYA SIJALI A, (BAPRM 42681)
