Designing or updating your company’s optimal cybersecurity program means balancing your organization’s desire for fortress-caliber defense with its need to function smoothly, react quickly and interconnect efficiently with customers and suppliers.
Designing the cybersecurity program that best suits your company begins with communicating the importance of the project upward to the board, ownership or managing partners, and downward to your top reports, Chris Moschovitis, chairman and CEO of Manhattan-based IT consultancy TMG-Emedia Inc., told Chief Executive.
Board involvement is job one
Securing board involvement from the outset is essential for project success, he says. Determining acceptable levels of enterprise risk is a key governance role, expressing the board’s due-care and fiduciary responsibilities. Where there are no directors, owners and managing partners provide this essential function. Your direct reports will manage the process of collecting and collating information at the P&L level, while you will interpret it and present it upstairs.
Risk acceptability levels vary enormously from division to division and certainly from company to company. While every company in the world suffers if its computing system goes down, not every company suffers equally.
Moschovitis illustrates by comparing a hypothetical investment company with a hypothetical facilities maintenance business. The investment firm has hundreds of millions of dollars at risk at any given moment. A systems failure measured in minutes would disrupt trading, shred the company’s trustworthy image and could cause financial ruin. By comparison, a building maintenance company would be inconvenienced by a short downtime but would probably be unharmed financially.
Legal liability changes the picture
But factor in such variables as legal liability and reputation loss, and the actual risk factors expand considerably.
Legal vulnerability is a question to discuss with your legal staff. As for reputation management: “Customers look at your vulnerability to cyberattack as a key determinant of your value,” Moschovitis says. “If your anti-hacker systems are not rigorous, are continuously outdated or are in any way inadequate, your customers clearly are not going to be happy.”
On the other hand, imposing too many layers of control is counterproductive. For example, our hypothetical building maintenance company offers most employees and suppliers immediate and extensive access to real-time data. Restricting their access unnecessarily would slow down operations, complicate inventory management and reduce its on-time delivery rate.
Next, you’ll aggregate the input and create an enterprise-wide flow chart. The chart will depict multiple system-down possibilities based on selected time-vs-value scenarios. Time increments might be based on 1-minute, 5-minute, and hours-long incident durations. Your own company might require different intervals.
When that step is complete, ask your cybersecurity expert to study the down scenarios and outline corresponding risk prevention tactics. Your specialist should grade the tactics in terms of both deterrence and restrictiveness (how much each one impedes legitimate access). For example, the most hacker-resistant defense possible gets an A grade for deterrence and a D for restrictiveness. The reason for the A rating is self-evident. The D, on a scale of A through D, signals that this layer of heavy-duty security is the costliest to implement and maintain.
Put another way: the tougher the controls, the more they also deter legitimate users and uses.
Downtime is not the only consequence of a cyberattack, either. Organizations are also targeted by hackers who steal information, upload erroneous data, install malicious applications and otherwise cause mayhem. All such malicious activity can cause significant harm, the consequences of which should be included in your assessments.
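To make the time-vs-value chart and the A-to-D grading concrete, here is an added worked example in Python. It is not code from the article or from Moschovitis: every business unit, dollar figure, control, grade-to-effectiveness mapping and risk appetite below is a constructed assumption. The model builds one chart row per business unit (loss for 1-minute, 5-minute and hours-long outages, plus a fixed non-downtime component for legal, reputation and data-theft harm), then picks, for each unit, the least restrictive control whose worst-case residual loss still fits the board's stated risk appetite.

```python
"""Time-vs-value downtime scenarios and A-to-D control grading.

Constructed illustration: every figure, unit, control and mapping below is an
assumption chosen for the example, not data from any real company.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BusinessUnit:
    name: str
    loss_per_minute: float      # value destroyed per minute of system-down time (constructed)
    fixed_incident_loss: float  # non-downtime harm per incident: legal, reputation, data theft (constructed)
    risk_appetite: float        # largest residual loss per incident the board will accept (constructed)


@dataclass(frozen=True)
class Control:
    name: str
    deterrence: str        # A = most hacker-resistant ... D = weakest
    restrictiveness: str   # A = least burden on legitimate users ... D = most burden, costliest
    annual_cost: float


# Constructed mapping from a deterrence grade to the share of incident loss it avoids.
DETERRENCE_FRACTION = {"A": 0.90, "B": 0.70, "C": 0.40, "D": 0.10}

# Incident durations for the time-vs-value chart (the article's 1-minute, 5-minute, hours-long buckets).
DURATIONS_MIN = {"1-minute": 1, "5-minute": 5, "hours-long": 240}


def scenario_losses(unit: BusinessUnit, durations: dict = DURATIONS_MIN) -> dict:
    """One row of the enterprise-wide chart: loss per scenario for one business unit."""
    return {label: unit.loss_per_minute * minutes + unit.fixed_incident_loss
            for label, minutes in durations.items()}


def residual_loss(loss: float, control: Control) -> float:
    """Loss that remains after a control with the given deterrence grade is in place."""
    return loss - loss * DETERRENCE_FRACTION[control.deterrence]


def choose_control(unit: BusinessUnit, controls: list,
                   durations: dict = DURATIONS_MIN) -> Optional[Control]:
    """Least restrictive (then cheapest) control whose worst-case residual loss fits the risk appetite.

    Returns None when no candidate brings the worst scenario within appetite;
    that gap is itself a finding to take to the board.
    """
    worst = max(scenario_losses(unit, durations).values())
    fits = [c for c in controls if residual_loss(worst, c) <= unit.risk_appetite]
    if not fits:
        return None
    return min(fits, key=lambda c: (c.restrictiveness, c.annual_cost))


def board_summary(units: list, controls: list) -> list:
    """Table rows for the board: unit, worst-case loss, recommended control, residual loss and cost."""
    rows = []
    for unit in units:
        worst = max(scenario_losses(unit).values())
        pick = choose_control(unit, controls)
        rows.append({
            "unit": unit.name,
            "worst_case_loss": worst,
            "control": pick.name if pick else None,
            "residual_loss": residual_loss(worst, pick) if pick else worst,
            "annual_cost": pick.annual_cost if pick else None,
        })
    return rows


# Constructed sample data mirroring the article's two hypothetical companies.
INVESTMENT_FIRM = BusinessUnit("investment firm", loss_per_minute=50_000,
                               fixed_incident_loss=2_000_000, risk_appetite=1_500_000)
BUILDING_MAINTENANCE = BusinessUnit("building maintenance", loss_per_minute=50,
                                    fixed_incident_loss=20_000, risk_appetite=30_000)

CONTROLS = [
    Control("basic patching plus MFA", deterrence="C", restrictiveness="A", annual_cost=50_000),
    Control("network segmentation", deterrence="B", restrictiveness="B", annual_cost=200_000),
    Control("hardened zero-trust access", deterrence="A", restrictiveness="D", annual_cost=1_000_000),
]

if __name__ == "__main__":
    for unit in (INVESTMENT_FIRM, BUILDING_MAINTENANCE):
        print(unit.name, scenario_losses(unit))
    for row in board_summary([INVESTMENT_FIRM, BUILDING_MAINTENANCE], CONTROLS):
        print(row)
```

With these constructed figures the investment firm's hours-long scenario costs 14 million, and only the A-deterrence (D-restrictiveness) control brings the residual under its 1.5 million appetite, while the maintenance company's worst case of 32,000 is covered by the least restrictive control. The point of the model is the ordering rule in `choose_control`: it starts from the board's appetite and stops at the first control that satisfies it, so heavier controls are only imposed where the chart justifies them.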
Make it a team effort
Preparing for an enterprise-wide security installation or upgrade consumes time and resources. You’ll significantly shorten the project’s duration and improve its outcome by assigning staff or hiring consultants who have proven high-level risk-assessment and financial-projection skills.
When you’re satisfied with the results of your preparation, schedule your presentation with your board. Your carefully determined calculations will help them understand the actual costs of cyberattacks, as well as the actual costs of prevention.
“When risk appetite is established, you’re ready to design, roll out and manage your new cybersecurity program,” Moschovitis says. “You’ve established the foundation for success.”