I was recently invited to participate in a panel discussion at a cybersecurity conference. The overall focus of the panel was on best practices for network security, specifically preparing for a cyberattack. We were given 5 focus areas to consider, mostly the usual topics such as zero-day attacks and bring your own device (BYOD). The 5th focus area was deploying a successful disaster recovery (DR) plan with regard to cybersecurity.
In addition to myself, the panel comprised 2 chief information security officers (CISOs) and a chief executive officer (CEO), and it was moderated by a 3rd CISO. When the topic of DR came up for discussion on the preparation conference call, 1 of the participants summarily dismissed it as old hat and played out. He said that the topic had been discussed to death and that there had been nothing new in that area in years. One person after another agreed with him, and the moderator said, “Ok. We will cut that topic out of the discussion.” I disagreed and chimed in with a brief overview of my recent Journal article. Afterwards, they all agreed to keep the topic, and someone even suggested that we move it up to be the 1st subject of discussion. They said that they had never looked at DR from the perspective of preparing the C-suite for a cyberbreach.
A few weeks ago, I had lunch with a chief information officer (CIO) friend of mine, and the subject of my article came up. I asked him if he and the CISO, who reported to him, would consider presenting the idea of the C-suite participating in a cyberbreach preparedness exercise to the company president and the board of directors (BoD). He laughed and said that the president and the board wanted no involvement in the design and execution of cybersecurity. All they want is to be told that the firm is safe and that the Sarbanes-Oxley (SOX) audit will pass. Apparently, appearing safe is just as good as being safe to some executives.
So why do some C-suite executives react this way? I think it is evolutionary in nature. Twenty years ago, only 3 out of 10 companies had DR plans. Now everyone has one. It took a few disasters and an act of the US Congress to garner the wide acceptance we see today. I think the same evolutionary set of baby steps will naturally happen before cyberbreach preparation in the C-suite gains wide acceptance. It would be interesting to gather some empirical data on how many companies are prepared and practiced now, and then monitor the growth over the next few years. I suspect the high impact of cyberbreaches will move the evolution of cyberbreach preparedness along a lot faster than that of the DR plan.
Read Gary Lieberman’s recent ISACA Journal article:
“Preparing for a Cyberattack by Extending BCM Into the C-suite,” ISACA Journal, volume 5, 2015.