Large organizations have always focused on managing risk, but the technological breakthroughs that have enhanced our world in countless ways have also transformed how leading executives engage in enterprise risk management (ERM). The pervasive and ever-expanding threat of cyber crime means that comprehensive strategies for cyber security are now absolutely essential for all organizations.
After all, a report by Cybersecurity Ventures estimates that cyber crime across the globe will cost more than $6 trillion annually by 2021.
The sheer magnitude and pervasiveness of the crisis represent a cyber security call to arms, and seemingly no one is immune. By now, the list of data breach victims reads like a who’s who of major corporations, governmental agencies, retailers, restaurant chains, universities, social media sites and more:
- The Department of Homeland Security, IRS, FBI, NSA, DoD
- Macy’s, Saks Fifth Avenue, Lord & Taylor, Bloomingdale’s
- Facebook, Reddit, Yahoo, eBay, LinkedIn
- Panera, Arby’s, Whole Foods, Wendy’s
- Target, CVS, Home Depot, Best Buy
- Delta, British Airways, Orbitz
- Equifax, Citigroup, J.P. Morgan Chase
- The Democratic National Committee
- Adidas, Columbia Sportswear, Under Armour
- UC Berkeley, Penn State, Johns Hopkins
If you need another reason to drop everything and prioritize cyber security risk management in your organization’s overall ERM strategies and systems, consider the recent NotPetya malware attack. Described by Wired as “The Most Devastating Cyberattack in History,” it disrupted global shipping operations for several weeks and caused more than $10 billion in total damages while temporarily crippling such multinational companies as shipping giant Maersk and FedEx’s European subsidiary, TNT Express. All because hackers were able to infiltrate a networked but unsecured server in the Ukraine that was running software that made it more vulnerable to attack.
Despite these and countless other costly incidents and attacks, many organizations have not yet fully incorporated cyber security risks into their overall enterprise risk management frameworks.
3 Chief Obstacles to Cyber Security and ERM Preparedness
The ever-expanding list of high-profile attacks and victims could be seen as evidence that, in many instances, “the adversaries are winning,” according to Richard Spires, a former chief information officer at both the IRS and the Department of Homeland Security. Or at least that there is much work to be done to combat the ongoing threat.
In a piece titled “The Enterprise Risk Management Approach to Cybersecurity,” Spires poses the question: “In an era of ever more sophisticated cyber security tools, how is it that we are actually backsliding as a community?” And he offers three key answers:
- Complexity: IT (and cyber security) systems are by their nature extremely complex and in many cases far-flung, so creating airtight security is incredibly challenging.
- Highly Skilled Adversaries: The hackers’ tactics and methods continue to grow more sophisticated. Plus, their risk is low because they are hard to catch. They are smart and, with billions of dollars on the line, more highly motivated than ever.
- Lack of IT professionals: Cisco reports that 1 million cyber security jobs are currently unfilled on a worldwide basis and that “most large organizations struggle to find, develop and then retain such talent.” The shortage of qualified cyber security professionals with the right skills, knowledge and experience is an ongoing “crisis,” according to Forbes.
Uncle Sam Wants You… to Focus on Cyber Security, Enterprise Risk Management
One of the leading efforts to develop protocols that organizations can use to safeguard themselves is sponsored by the U.S. Government — the National Institute of Standards and Technology’s Cybersecurity Framework.
According to Gartner, more than 50 percent of U.S.-based organizations will use the NIST Cybersecurity Framework as a central component of their enterprise risk management strategy by 2020, up from 30 percent in 2015. This voluntary framework consists of “standards, guidelines, and best practices to manage cybersecurity-related risk,” according to NIST, which reports that version 1.1 of the Cybersecurity Framework has been downloaded over 205,000 times since April 2018.
Also, the Center for Internet Security (CIS) has produced “a prioritized set of (20) actions to defend against pervasive cyber threats.” CIS says its protocols are intended to provide “a roadmap for conducting rigorous and regular cybersecurity enterprise risk management processes that will significantly lower an organization’s risk of catastrophic loss.”
CIS, which claims its best practices could have prevented attacks like the data breach that hit the consumer credit reporting agency Equifax, also offers guidelines for the seemingly “overwhelming” challenge of how to build a cyber security compliance plan.
5 Helpful Tips for Cyber Security and Enterprise Risk Management
OK, how about some actionable tips for organizations looking to beef up their cyber security defenses and risk management profile? Chris Yule, a senior principal consultant for Secureworks, breaks it down in laymen’s terms in a quick video. Yule’s five tips include:
- Cultivate support of senior management — It is essential for organizations to have strong support for cyber security risk management on the senior management team and to tie it to their overall business strategy.
- Limit your attack surface — Often referred to as “hardening” your potential targets and vulnerabilities, this refers to coordinating with IT in reducing your exposure and “locking things down.”
- Increasing visibility/awareness — In addition to building up defenses to reduce risk, organizations must also “tear things down.” This means working to better understand the potential spectrum of risk by conducting comprehensive internal vulnerability scanning, penetration testing and “monitoring your infrastructure for the bad stuff.”
- Build a culture of security among employees — Employees must be committed to cyber security and clearly understand their specific responsibilities. “Make sure that everybody’s trained, everybody knows what their role is within the organization to keep things secure,” said Yule.
- Prepare an incident response plan — “You need to be prepared for when things go wrong,” warned Yule. Notice that he says when and not if. “Everybody will get breached at some point regardless of what you do,” said Yule, so it is essential that everybody knows “what the plan is to contain and eradicate that threat when it happens.”
Cyber Security and ERM: The Next Generation
To accomplish all of this essential work, skilled professionals are in high demand (and well-compensated); however, they are also in short supply. In fact, according to Cybersecurity Ventures, there will be as many as 3.5 million unfilled cyber security positions by 2021.
Fortunately, many training programs are available from certifications and undergrad options to innovative master’s degree programs. For example, University of San Diego has worked closely with cyber security industry leaders to develop two cutting-edge advanced degree programs, including one that offers working professionals the flexibility to earn their cyber security master’s degree online.
One thing is certain: the good guys on the front lines face a never-ending battle against smart cyber criminals who are developing new tricks and attacking new targets every single day. Because the stakes are so astronomical, all organizations must be focused and vigilant about emphasizing cyber security as an essential component of their overall enterprise risk management strategy.
About the Author: Michelle Moore, Ph.D., is academic director and adjunct professor for the University of San Diego’s innovative, online Master of Science in Cyber Security Operations and Leadership program. She is also a researcher, author and cyber security policy analyst with over two decades of private-sector and government experience as a cyber security expert.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.