16 Jun. 2014
Editor's Note: Additional resources on cybersecurity from The Conference Board can be found here.
1. Duties and obligations of companies wherever they operate
2. The "technical debt" (the cost of deferred maintenance on technical projects that remain incomplete)
3. The identity of threat adversaries and actors (i.e., countries, hacktivists, employees)
4. How the company should think about cyber threats in terms of risk tolerance
5. The element of time (for larger companies, a cyber risk plan may take years)

"Cyber attacks are not only a clear and present danger; they are a permanent danger," Ridge said. "Companies need to look to see that they have a cybersecurity risk plan embedded in their overall risk plan."

Ridge called the NIST framework a modest step toward minimizing the cyber threat, and added that it should be used as a way for companies to start looking at their critical assets and how to protect them from hackers. The framework includes a taxonomy and a risk management tool that can help companies describe their current cybersecurity condition, assess progress toward their desired cybersecurity state, identify and prioritize opportunities for improvement, and communicate cybersecurity risks to stakeholders.

Additionally, the Department of Homeland Security (DHS) created the Critical Infrastructure Cyber Community (C3) Voluntary Program. It is designed to connect companies and governmental agencies with the DHS to help manage cyber risks.

A cybersecurity risk plan can help a board understand the risks involved as well as the plans around risk mitigation. Ridge has some questions directors should consider asking management:
- What is the governance structure around IT?
- Is there an individual or team accountable?
- How often do we get reports on this accountability? Is there a dashboard?
- Will our company be reactive or preemptive with regard to cyber threats?
- Do we need to engage a third party to help?
- SEC’s March 26, 2014 Cybersecurity Roundtable
- NIST Advisory Committee 2013 Annual Report Highlights Cybersecurity and Manufacturing
- NIST’s Framework for Improving Critical Infrastructure Cybersecurity
- The Center for Audit Quality’s Alert: Cybersecurity and the External Audit
- PwC’s Answering your cybersecurity questions: The need for continued action