Data breaches and cyberattacks can affect the bottom line. Businesses concerned about protecting consumers' information may already have a chief privacy officer in place. But they need a "Cyber Commander," too, according to a white paper from Focus.com.
"How CEOs Can Prepare for and Respond to Cyberattacks," released on July 26 by the San Francisco-based online business media company, reports that cybersecurity needs to become a business process instead of an emergency plan.
"CEOs need to take this class of threats as seriously as they would the defection of customers by way of departing sales agents/managers," the white paper quotes Andrew Baker, service operations director at SWN Communications Inc., as saying. "Too many organizations look at cybersecurity in the same way that they look at contingency planning for earthquake or civil unrest in a Western country—i.e., as something that is not likely to occur, but for which it would be a good idea to have some preparation. However, cyberattacks are a virtual certainty at this time … no organization should expect to avoid getting hit."
1. In the positive sense, "Evangelize cybersecurity to senior executives," the white paper advises. In a more concrete sense, hold the C-suite accountable for breaches. "Unless the CEO makes it absolutely clear that security is a mission-critical quality of an application and that security issues directly affect people's careers at the company, the CEO should take full responsibility for any security issues," according to Brian McCallion, president of Bronze Drum Consulting, Inc.
Without this clear directive—that investing in cybersecurity must happen—many organizations seem to be falling down on the job, says Barry Schrager, chief security architect at Vanguard Integrity Professionals. "Did you know that the vast majority of those sites—79 percent, according to the Verizon [2010 Data Breach Investigations] Report—that were breached and were subject to the PCI standard had not met that standard at the time of the breach?" According to Verizon's 2011 report, the figure is now 89 percent not meeting the PCI DSS standard—the Payment Card Industry Data Security Standard, which protects cardholder information.
2. Appoint a "Cyber Commander" to oversee defenses against targeted attacks. "The title could be changed, but the point is that countering targeted attacks is far different than today's operational security requirements," says Richard Stiennon, chief research analyst at IT-Harvest.
Security needs to be as important as revenue, Baker adds.
3. Use US Defense Information Systems Agency checklists as a model for security reviews. According to Schrager: "While the checklists in these guides may not be totally applicable to every organization, they are an excellent start for an internal security staff to review their organization's systems against."
4. Make cyberattack preparedness a way of life. "Cyberattack defenses need to be an integral part of not only IT's cybersecurity process, but also embedded in the disaster recovery, risk management and business continuation processes," says John Anderson, principal at The Glowan Consulting Group. " … Types of back-up systems, both on-site/off-site storage of mission-critical data and 'time to recover' are all important pieces. I see the CEO's job here as ensuring that all these elements are in place, and that they are appropriately sized and costed for the size, customers and mission of the business."
5. Get third-party reviews. According to Schrager, companies should "bring in external experts for both security assessments to assure that the system and its security are configured properly and also to review the system integrity of the code executing on the system. Unfortunately, recent surveys have shown that the largest security threats and actual breaches are coming from the inside."