How to Launch an Effective Cybersecurity Upgrade (That Won’t Drive You Crazy)

Relegating cybersecurity to the IT department is a commonplace but rarely effective practice. Cybersecurity cannot eliminate risk 100%, since that is impossible; rather, it allows you to assess risk and manage it.

Designing or updating your company’s optimal cybersecurity program means balancing your organization’s desire for fortress-caliber defense with its need to function smoothly, react quickly and interconnect efficiently with customers and suppliers.

Designing the cybersecurity program that best suits your company begins with communicating the importance of the project upward to the board, ownership or managing partners, and downward to top reports, Chris Moschovitis, chairman and CEO of Manhattan-based IT consultant TMG-Emedia Inc., told Chief Executive.

Board involvement is job one
Securing board involvement from the onset is essential for project success, he says. Determining acceptable levels of enterprise risk is a key governance role, expressing the board’s due-care and fiduciary responsibilities. Where there are no directors, owners and managing partners provide this essential function. Your direct reports will manage the process of collecting and collating information on the P&L level, while you will interpret and present this upstairs.

Risk acceptability levels vary enormously from division to division and certainly from company to company. While every company in the world suffers if its computing system goes down, not every company suffers equally.

Moschovitis illustrates by comparing a hypothetical investment company with a hypothetical facilities maintenance business. The investment firm has hundreds of millions of dollars at risk at any given moment. A systems failure measured in minutes would disrupt trading, shred the company’s trustworthy image and could cause financial ruin. By way of comparison, a building maintenance company would be inconvenienced by a short downtime but would probably be unharmed financially.

Legal liability changes the picture
But factor in such variables as legal liability and reputation loss and the actual risk factors expand considerably.

Legal vulnerability is a question to discuss with your legal staff. As for reputation management: “Customers look at your vulnerability to cyberattack as a key determinant of your value,” Moschovitis says. “If your anti-hacker systems are not rigorous, are continuously outdated or are in any way inadequate, your customers clearly are not going to be happy.”

On the other hand, imposing too many layers of control is counterproductive. For example, our hypothetical building maintenance company offers most employees and suppliers immediate and extensive access to real-time data. Restricting their access unnecessarily would slow down operations, complicate inventory management and reduce on-time delivery rates.

Next, you’ll aggregate the input and create an enterprise-wide flow chart. The chart will depict multiple system-down possibilities based on selected time-vs-value scenarios. Time increments might be based on 1-minute, 5-minute, and hours-long incident durations. Your own company might require different intervals.

When that step is complete, ask your cybersecurity expert to study the down scenarios and outline corresponding risk prevention tactics. Your specialist should grade the tactics in terms of both deterrence and restrictiveness (their impact on accessibility for legitimate users). For example, the most hacker-resistant defense possible gets an A grade for deterrence and a D for restrictiveness. The reason for the A rating is self-evident. The D, on a scale of A through D, signals that this layer of high-duty security is the costliest to implement and maintain.

Put another way: the tougher the controls, the more they also deter legitimate users and legitimate uses.
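As an added illustration (not from the article or from TMG-Emedia), here is a small Python model of the procedure just described: outage scenarios at the article's 1-minute, 5-minute and hours-long increments each carry an expected annual loss, every control is graded A through D for deterrence and for restrictiveness, and the pick must fit both the board's risk appetite and the restrictiveness the business can tolerate. The dollar figures, probabilities, the grade-to-percentage mapping and the control names are all constructed assumptions, as are the two sample companies' inputs.

```python
"""Downtime-scenario risk model: expected loss per scenario, controls graded
for deterrence and restrictiveness, and a pick that respects the board's
risk appetite.  Added illustration; every number is constructed, not taken
from the article or from TMG-Emedia."""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping of the A..D deterrence grade to the fraction of expected
# loss a control prevents (constructed for this example).
DETERRENCE = {"A": 0.90, "B": 0.70, "C": 0.50, "D": 0.25}
# Restrictiveness: A = least friction for legitimate users, D = most.
RESTRICTIVENESS_RANK = {"A": 0, "B": 1, "C": 2, "D": 3}


@dataclass(frozen=True)
class Scenario:
    """One system-down box on the enterprise flow chart."""
    division: str
    duration_minutes: float
    loss_per_minute: float       # direct loss in dollars per minute of outage
    annual_probability: float    # estimated chance of this outage in a year

    def expected_annual_loss(self) -> float:
        return self.annual_probability * self.duration_minutes * self.loss_per_minute


@dataclass(frozen=True)
class Control:
    """A risk-prevention tactic graded the way the article describes."""
    name: str
    deterrence: str        # A..D, A = most hacker-resistant
    restrictiveness: str   # A..D, D = heaviest burden on legitimate use
    annual_cost: float     # implementation plus upkeep, dollars per year


def total_expected_loss(scenarios) -> float:
    return sum(s.expected_annual_loss() for s in scenarios)


def residual_loss(scenarios, control) -> float:
    """Expected annual loss that remains once the control is in place."""
    return total_expected_loss(scenarios) * (1.0 - DETERRENCE[control.deterrence])


def total_cost_of_risk(scenarios, control) -> float:
    """What the company pays per year: remaining losses plus the control itself."""
    return residual_loss(scenarios, control) + control.annual_cost


def recommend(scenarios, controls, risk_appetite, max_restrictiveness) -> Optional[str]:
    """Cheapest option whose residual loss fits the board's risk appetite and
    whose restrictiveness the business can tolerate.  'Accept current risk' is
    a candidate only when the unmitigated loss already fits the appetite.
    Returns None when nothing satisfies both constraints."""
    candidates = []
    baseline = total_expected_loss(scenarios)
    if baseline <= risk_appetite:
        candidates.append(("Accept current risk", baseline))
    for c in controls:
        fits_appetite = residual_loss(scenarios, c) <= risk_appetite
        tolerable = RESTRICTIVENESS_RANK[c.restrictiveness] <= RESTRICTIVENESS_RANK[max_restrictiveness]
        if fits_appetite and tolerable:
            candidates.append((c.name, total_cost_of_risk(scenarios, c)))
    if not candidates:
        return None
    return min(candidates, key=lambda item: item[1])[0]


def scenarios_for(division, loss_per_minute):
    """Constructed 1-minute, 5-minute and hours-long outages (probabilities assumed)."""
    return [
        Scenario(division, 1, loss_per_minute, 0.50),
        Scenario(division, 5, loss_per_minute, 0.20),
        Scenario(division, 240, loss_per_minute, 0.05),
    ]


# Constructed sample data for the article's two hypothetical companies.
INVESTMENT_FIRM = scenarios_for("trading desk", loss_per_minute=100_000)
MAINTENANCE_CO = scenarios_for("field operations", loss_per_minute=500)

CONTROLS = [
    Control("Segmented network, MFA on every system, strict change control", "A", "D", 400_000),
    Control("MFA for remote access plus tested offline backups", "B", "B", 60_000),
    Control("Patch management and nightly backups", "C", "A", 15_000),
]

if __name__ == "__main__":
    for label, scen, appetite, tolerance in [
        ("Investment firm", INVESTMENT_FIRM, 250_000, "D"),
        ("Building maintenance company", MAINTENANCE_CO, 10_000, "B"),
    ]:
        print(f"{label}: expected annual loss ${total_expected_loss(scen):,.0f}")
        for c in CONTROLS:
            print(f"  {c.name}: residual ${residual_loss(scen, c):,.0f}, "
                  f"total cost of risk ${total_cost_of_risk(scen, c):,.0f}")
        print(f"  -> {recommend(scen, CONTROLS, appetite, tolerance)}")
```

With these constructed figures the investment firm ends up with the A-deterrence control despite its D restrictiveness, because the B-graded option leaves more residual loss than a $250,000 appetite allows; the maintenance company is better off accepting its current risk than paying for any of the three controls, and the D-restrictiveness control is ruled out for it regardless of price. That is the article's point expressed in numbers: the same control is the right answer for one company and the wrong one for the other.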

Downtimes are not the only consequence of cyberattacks, either. Organizations are also targeted by hackers who steal information, upload erroneous data, install malicious applications, and otherwise cause mayhem. All malicious activities can cause significant harm, the consequences of which should be included in your assessments.

Make it a team effort
Preparing for an enterprise-wide security installation or upgrade consumes time and resources. You’ll significantly shorten project duration and improve outcomes by assigning staff or hiring consultants who have proven high-level risk-assessment and financial-projection skills.

When you’re satisfied with the results of your preparation, schedule your presentation with your board. Your carefully determined calculations will help them understand the actual costs of cyberattacks, as well as the actual costs of prevention.

“When risk appetite is established, you’re ready to design, roll out and manage your new cybersecurity program,” Moschovitis says. “You’ve established the foundation for success.”
