Addressing Cyber Security Strategically

By David L Stevens, CIO, Maricopa County

content-imageDavid L Stevens, CIO, Maricopa County

Cybersecurity has increasingly become more important to an organization’s ability to conduct business. This stems from the high visibility associated with large data breaches that have been reported by various Fortune 500 companies. As a result, organizations are realizing at an increasing rate, that the ability to stem the risk of cyber attackers may be directly related to their ability to stay in business. According to a Gov loop article titled “Securing Government: Lessons from the Cyber Frontlines,” there was a 782 percent increase in the number of Cyber Threats between the years 2006 and 2012. It is also estimated in the same article that the annual cost of cybercrime worldwide is upwards of 400 billion dollars. These increases in cyber attacks are growing at an alarming rate, and thus the risk to organizations and their ability to execute on their mission.

As the problem is becoming more and more prevalent, companies are trying to determine what they can and should do to reduce the likelihood or else they will be the next victim. The biggest problem is the lack of visibility associated with the root cause of the incidents, namely that most companies lack a cybersecurity strategy to execute against. In the Global State of Information Security Survey: Key Findings and Trends, published by Price water house Coopers, LLP (PwC), only 42 percent of respondents reported ever having an overall cyber security Strategy that the Board of Directors was aware of. Moreover, only 40 percent of Boards have endorsed a cybersecurity budget, to address this growing concern. It can be inferred from these statistics that most companies have no visible strategy nor do they support cybersecurity initiatives at a strategic level. The result is that the problem and associated solutions are not well understood, which will likely result in more and more issues over the coming years.

A Strategy addresses most problems by outlining an approach to meet long-term goals and objectives. Without a strategy and appropriate performance metrics to measure the results, there is no meaningful direction for an organization to achieve success. Using the statistics outlined in PwC’s report, 58 percent of Boards of Directors around the globe do not understand how they will address the cybersecurity risk. This may imply they are unaware that their organizations are vulnerable. A strategy that is visible to organizational leadership will ensure an understanding of the scope of the problem, as well as the action plan, that if executed will address the risk.

 

A good Cyber Security strategy starts by appointing someone to lead the function of Cyber Security for the organization


These leaders also need to understand the complexities associated with cyber security, which include the fact that all risks cannot be remediated. This is due to the fact that new vulnerabilities are being discovered daily, factored with human error and the need to have a public presence. Cyber security is then having the ability to reduce the likelihood of something happening, by implementing controls and mitigating known vulnerabilities.

See more: Top CyberSecurity Companies

A good Cyber Security strategy starts by appointing someone to lead the function of Cyber Security for an organization. The Cyber Security leader must be cognizant of how the risks and issues are communicated to the Board of Directors so as to not create unnecessary panic. This is accomplished by defining what Cyber Security is, through a vision statement that is easily understood. A vision statement might be that “the organization will identify, manage, and mitigate the risk of Cyber threats.” The next question is of course, how, which is derived through the statement itself. An organization must be able to identify cybersecurity threats and vulnerabilities, determine what to do about them, and take action to remediate the possibility of breach or reduce the impact of one. This logic will result in the establishment of a Cyber Security Monitoring capability to address the identification gap, creation of a Risk Management program to quantify the root cause of incidents realized and a Security Architecture capacity to implement processes and technologies to mitigate the root causes identified.

Addressing cybersecurity from this perspective ensures that Board members and senior organizational leadership understand that there is a need to identify, quantify, and remediate threats. With this understanding, there is buy-in and support to establishing programs to support these efforts. With the programs established, board members and senior executives will understand the need to support the resources and needs of them, in order to realize their benefits. These programs, however, need to include measurements, so that senior leaders can quantify success and failure. This is where cyber security leaders have to be willing to institute processes, which may put them in a compromising state. For example, if you report on the number of threats that have compromised the network, senior leadership will expect that their risks have been fully remediated. However, in cyber security, once the threat has been identified, the incident has likely already occurred. As a result cyber security leaders need to convey an understanding of what really needs to be done to address the root cause of an incident, namely through investment in technology, processes, and education that support the strategy.

Furthermore, demonstrating that there is a problem through measurements will result in investments into the portfolio of programs. These investments need to be measured and should always demonstrate support for the goals and objectives defined in the strategic plan. This ensures accountability for the cyber security organization as well as demonstrating the current state of risk posture that an organization maintains. The goal, in the end, is to reduce the likelihood that something will occur through the execution of strategic initiatives. Therefore, cyber security is really a risk management issue, whereby problems and issues are addressed by reducing the risk of their occurrence. With Senior Management recognizing that cyber security is a managed risk vs. one that cannot be completely eliminated, and the cyber security leader understanding that they must be accountable for what is to be accomplished, then the return on investments in the portfolio will be realized through a reduced risk profile.

Founded in 1871 in Phoenix, Arizona, Maricopa County offers employment, justice, health and wellness, and public safety services.

Check out: Top CyberSecurity Companies

                       Top Managed Security Companies

Read Also

Bridging the Generational Gap in E-Governance

Bridging the Generational Gap in E-Governance
Inez J. Rodenburg, GISP, CGCIO, MBA, Chief Information Officer (CIO), City of Danville
COVID-19 is accelerating digital transformation in the public sector

COVID-19 is accelerating digital transformation in the public sector
Jonathan Behnke, Chief Information Officer, City of San Diego
HOW EMBRACING CHANGE IN UNPREDICTABLE TIMES IS ALLOWING ONE COMPANY TO ALIGN IT STRATEGIES WITH BUSINESS PRIORITIES

HOW EMBRACING CHANGE IN UNPREDICTABLE TIMES IS ALLOWING ONE COMPANY TO ALIGN IT STRATEGIES WITH BUSINESS PRIORITIES
Vic Ventura, CIO, Novolex
Technology's new and critical role in a post-COVID world

Technology's new and critical role in a post-COVID world
John Stambelos, CIO, Quinn Emanuel Urquhart & Sullivan, LLP
Post-COVID, Building Better Starts with Smart Investments in Startup Technology

Post-COVID, Building Better Starts with Smart Investments in Startup Technology

Jit Kee Chin, Chief Data and Innovation Officer, Suffolk
How to lead your entire organization through an agile transformation

How to lead your entire organization through an agile transformation
Rohan Amin, Chief Information Officer, Consumer & Community Banking, JPMorgan Chase