Cyber security is no longer the sole responsibility of the technical people, or even the CIO. Following the Target breach (where immense pressure was placed to replace most of the board members after the breach), and board members of Target and Wyndham Worldwide (hotel chain) face derivative lawsuit related to the data breaches. Recent survey reveal that nearly half (45%) of senior management acknowledge that the C-suite and senior leadership themselves are responsible for protecting their companies against cyber-attacks, and the U.S. Securities and Exchange Commission recently published a paper on the Role of the Boards of Directors in Overseeing Cyber-Risk Management, where it recommends:
Cyber-risk must be considered as part of the board’s overall risk oversight: “boards that choose to ignore, or minimize, the importance of cyber security oversight responsibility, do so at their own peril.”
Boards should assess the corporation’s cyber security measures including corporate policies and annual budgets for privacy and IT security programs. And perhaps, more critically, highlights the significance of cyber-risk education for directors, ensuring that the board be at least adequately represented by members with a good understanding of information technology issues that pose risks to the company.
Visit HERE
So how are insights manifested in real-life? We asked Carmi Gillon, Cytegic Chairman of the board and an acting director in several companies what he thinks. Carmi Gillon:” I’ve been serving on several boards for the past decade. Throughout this period we’ve all witnessed the increase importance of cyber security. Especially during the last year, this is an issue that was raised time and again in board meetings, and for good reason- we understand that boards are now responsible for proper implementation of cyber security measures and safeguarding customer data. With this in mind, we are now more reliant on information that is being presented to us by the CIO and CISO. I have always insisted on receiving only relevant, timely information to support my decision on any matter, and cyber security-related decisions are no different. This is even more acute with executives who have no IT or security background. Therefore we now insist that the information (be it cyber security forecast, risk assessment or spending projections) to be as detailed as possible. After all, we need to look at the business from a wide perspective and make sure the decision we take in one area (for instance- to invest more resource into cyber security) will not affect other parts of the business. To make such informed decisions we ask the IT executives to speak in our language- and translate very technical talk into business talk. Only then we can assure we are making sound, responsible decisions.
Cyber crime is a strategic threat to companies and organizations in finance, healthcare, utilities and other factors. Since this threat is so menacing, the duty of senior executives to deal with the issue, rather than leaving it to the responsibility of a professional or technical personnel.
About Cytegic
Cy-te-gic /pronounced: sʌɪ-ˈtē-jik/ adjective: A plan of action or strategy designed to achieve a long-term and overall successful Cyber Security Posture Optimization – “That firm made a wise Cytegic decision”.
Cytegic develops a full suite of cyber management and decision-support products that enable to monitor, measure and manage organizational cyber-security resources.
Cytegic helps organization to identify threat trends, assess organizational readiness, and optimize resource allocation to mitigate risk for business assets.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.