Lax Cybersecurity Threatens Missions
Data protection must have a seat at the C-suite level, experts say.
Cybersecurity is now a significant area of focus and concern for senior leaders who have witnessed cyber events that have resulted in significant financial and reputational damage. However, for many organizations, data defense continues to be a technology-focused effort managed by the technical “wizards.” Board of director discussions often zero in on describing the latest cyber threats rather than taking a long-range approach.
But cybersecurity is more than a technical challenge. Enterprise risk management (ERM) is an effective tool to assess risks, including those with cyber origins, but few businesses or agencies use the technique for this purpose, cyber experts assert.
There is a simple but profound difference between assessing cyber risks in light of an organization’s mission and assessing them without considering that mission at all. It is only by assessing cybersecurity risks to the mission that senior leaders can determine whether their security controls are adequate, data defense specialists say.
Most organizations say they perform some form of ERM, but in practice, many look at trends in cyber threat activity or the implementation of specific cybersecurity best practices as proxy measures of organizational cyber risk posture. In other cases, data integrity and security must be translated for C-suite executives or board members so they can assess the potential impact on mission performance, the cyber specialists point out.
Risk to mission accomplishment is the heart of the matter. An organization must identify mission risks arising from cyber sources so they can be included in the ERM effort, they recommend.
The process is conceptually simple, yet in practice it can be complicated. Because the ERM process entails looking at key organization missions and identifying events that could impair the ability to accomplish them, the question for management is where to start.
Experts recommend four steps within the ERM process to identify cyber risks: prioritize the organization’s critical missions; identify cyber dependencies; identify cyber-related risks; and identify the potential means by which each risk could be realized. To evaluate the risks, the specialists suggest assessing the potential impact of each cyber risk and then identifying and implementing the technical and management security controls needed to mitigate them.
Senior managers and an organization’s directors should expect two inputs from the organization’s management regarding cyber risk. The first is how cyber risks are being addressed in the context of the organization’s ERM effort; the second is the implementation status of a basic cyber hygiene program.
Members of the AFCEA International Cyber Committee examined these issues and offer organizations—both government and industry—ways not only to begin an ERM process but also to benefit from the management technique. The explanation is available online.