Nickel in demand
The increasing occurrence of cybersecurity breaches – such as the recent case at eBay when it is believed more than 145 million user accounts were infiltrated – is causing executives around the globe to seek ever more sophisticated solutions to prevent future violations. As they review their procedures, tighten their operational environment and add additional levels of security, finding the optimum formula is still proving elusive.

Advances in security architecture and cyber-defence tactics have helped address some risks, but they are inefficient and unsustainable when faced with the more adaptive, embedded and interconnected capability of the current threat. Strengthening network resilience is important but management responses seem overwhelmingly reactive. The criminal cyber threat is nimble and intensely focused and, thanks to its financial success to date, has the wherewithal to invest in innovation and scale, often leaving corporate security trailing in its wake.

Given that the cost of cybercrime to the UK is currently estimated to be between £18 billion and £27 billion, it is essential that boards play a more proactive role. At an operational level, working on the basis that they will be faced with a cyber-attack at some point, leadership teams need to anticipate the business risk and develop counter-measures and business continuity plans which will minimise the disruption.

But how do they do this and who should be in charge of driving the corporate agenda on cybersecurity?

As boards acknowledge that technology on its own is not enough, companies need the addition of strong, well-organised management with a broad range of technical and non-technical capabilities.

In many instances, the responsibility for cybersecurity falls on the CIO. This is perfectly understandable but IT risk and information security have now become business issues and not simply technical ones. Additionally, there is no department that is immune to a cyberattack, or that shouldn’t consider that certain activities undertaken within that department may give rise to a security breach, generated either internally or externally. The challenge here is to oversee the organisation’s enterprise-wide risk management in an effective way that balances managing risks while adding value to the organisation.

In an increasing number of companies, we are starting to see the creation of a new senior role on the leadership team, that of the Chief Security Officer (CSO). Whilst the position of Head of Security is not new, the role has changed considerably in scope of responsibility. Some organisations are also distinguishing between the Head of Physical Security and the Head of Data Security.

Working alongside the CIO, the CFO and others, one of the CSO’s responsibilities is to advise the board and senior executive team on existing risk management procedures. He/she must be able to demonstrate the effectiveness of these procedures in identifying, assessing, and managing the organisation’s most significant enterprise-wide risk exposures.

As boards consider these risks, they must decide whether their current risk oversight and governance processes enable

[ Aug 2014 ] BE Monthly