It is becoming more and more evident that cybersecurity is one of the focal points regarding security risks in the twenty-first century for all organisations. It is understandable that almost every organisation which has access to any kind of computing devices will be at risk and will probably experience harmful cyber incidents. Hackers, whether individually or state-sponsor cyber-attacks, are increasingly finding ever more creative methods to bring cyber mayhem. This is ever more likely with expansion of mobile devices and the evolution of computing capabilities through the introduction of advanced technologies such as, the Internet of Things, cloud computing and big data. This brings risk management to the top of agenda in large organisations. We know that the goal of risk management is to maximise the output of the organisation that includes services, products, revenue, and so on, while minimising the risk for unanticipated results. Information security and cyber security programs are successful if they are strategically aligned with organisations’ risk management strategies. Senior executives should recognise this dependencies and plan adequately for cyber threats. However, based on the "Cyber Security Breaches Surveys, 2016," cyber security, which should be part of the big risk management strategy, it has only been highlighted by 69% businesses whom believe cyber security is a priority for senior managers. Therefore, 31% of them even do not recognise the cyber security as a priority. The other main problem which has been identified by this report was only 51% of companies have taken recommended actions to identify cyber risk The accountability lies with senior management. The senior management team has a broad and clear view of the organisation strategic planning. Therefore, they are the only people who can effectively address and manage complex cyber security threats. But this requires an ongoing collaboration, clear communication channels and adequate security awareness by senior management team. Major information security risk factors may be left unchecked without coordinated oversight of senior management team and the rest of organisation. The importance of such close cooperation becomes even more critical if an enterprise do business globally. There are various forces beyond the control of senior management team which make it impossible to deal with the threats of cyber space, using traditional risk management. It requires, agility and has great dependency on senior management involvement with clear security awareness. Organisations can and should build a strong security awareness foundation that be able to provide adequate cyber resilience. Senior management team should also evaluate threat trajectories from a position of risk profiling and business acceptability. This leads organisations to a position in which the can address cyber hygiene, cyber resilience and cyber warfare that would affect organisations as well as governments. It can be concluded that senior management team is not just responsible for establishing the risk framework that will be used to define risk assumptions, risk constraints, risk tolerances, and risk priorities. But senior management team has a greater responsibility beyond risk framework. It must be fully engaged with all aspects of cyber risk factors and establishment of a clear coordinated efforts within organisations and all internal components of it. In addition, creating an environment of security awareness and creating a clear communication channels should also be considered.
About the Author: Reza has been working in various IT positions in the last 10 years and currently working as an information Security Consultant, helping his clients to become more effective and efficient typically through the strategic of information systems, risk management and security governance. Previously, Reza was working for a number of business consultancy firms which specialise in wide range of consultancy services such as information and IT security, risk management, business continuity, security governance and strategy in the Middle East. Having significant experience of the commercial sector at different levels of organisational hierarchy in various parts of the globe whilst working with variety of cultures and work ethics, and at the same time educated at PhD level in information security enables Reza to have a good understanding of current security threats, risks and their impacts. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
