If CFOs needed any further evidence that cybersecurity has taken its place among the top risk-management concerns of businesses, the US Securities and Exchange Commission offered proof on 26 March, during the agency's cybersecurity roundtable, in which commissioners and panelists discussed attendant challenges for market participants and public companies.
From the perspective of companies' senior management, one of the first aspects of the situation that must be grasped is that it is not going to change, said Ari Schwartz, acting senior director for cybersecurity programs, National Security Council, The White House.
"It's important to put that out front," he said. "A lot of times when you're discussing these issues with boards and senior management, there's an attitude of 'What can we do to get past this problem?' And it's not really a problem you're going to get past. It's a problem you're going to manage."
With that in mind, the top challenges for senior management are identifying the aspects that can be tackled effectively, said Mary Galligan, director of cyber risk services at Deloitte & Touche LLP.
"Looking at our clients across all industries," Galligan said, "there are three challenges that are consistent: The first is, how do I figure out what I really need to protect? How do I do a true risk assessment that is specific to my sector?"
Secondly, Galligan continued, companies ask: "'How do I manage access?' Not just the insider access, but more and more third-party access, the vendors, the professional services."
"And the third one would be," she said, "'How do I monitor the monitors?' If I am collecting threat intelligence information, do I have the talent, and the knowledge, to zero in on what is very specific to my company, industry and sector?"
What companies can do
For a company to have good defenses in place, senior management should strive to convey the message to all employees that cybersecurity is not an information-technology problem but a business issue.
"This is not one person's job within an organization," Andy Roth, partner and co-chair, global privacy and security group, Dentons US LLP, said. "This is senior management accountability, this is top down, signaling 'This is very important to us.' It takes cooperation, so that when situations arise they can be dealt with quickly."
Galligan agreed, suggesting, "One role that senior management can play is creating a culture in an organization that literally says this cybersecurity issue starts at the keyboard, it starts with every single employee."
One concrete way to signal the priority of cybersecurity and preparedness is to run cyber incident drills, Galligan said.
"You're seeing more companies in different sectors doing cyber war-gaming, doing simulations, and the reason is because as soon as an incident happens, we move from a cyber threat, and cyber incident, to a business issue, and an economic issue."
"Those companies and organizations with a robust cyber incident response plan do better," Galligan added. "They do better, and they minimize their risks."