The world has seen a surge of attention regarding cyber activity, and it has not been in a positive light.
Many organizations have experienced the threat that accompanies the adverse intentions these activities come with, especially organizations that have neither prioritized cyber risk nor made it part of their risk management agenda. Being exposed to cyber threats is no longer something that only affects big multinationals with massive data centers. Cyber threats are applicable to any organization that operates on, and is connected to, the Internet grid. A cyber breach, which almost always would have an adverse impact on an organization, is no longer a matter of if; it is a matter of when.
The question that leadership of organizations should be asking is how prepared they are from a risk management perspective to deal with risks that come with the use of information and technology. Is this a prominent and standing agenda item at the board’s and executive committee’s meetings? If the answer to each of these questions is not affirmative, then the organization is more exposed to the risk of a cyberattack, and of not being able to recover operations as quickly as would be required to enable business to carry on as usual.
To ensure the continuity of business, the board should ensure that the organization’s risk management framework addresses cyber risks. Cyber risks must be identified, quantified in relation to the organization’s environment, and appropriate actions taken to minimize the impact of cyber-related incidents. The leadership of the organization should ensure that business continuity plans and arrangements are in place for incidents that may result from a cyberattack.
It is no longer the responsibility of only the operational staff in the IT department to deal with cyber risks. Cyber threats are too great to not afford them the level of attention they require at board and senior leadership levels.
Cyber security, risk management and business continuity planning must be standing items on the board and executive committee’s agendas. This will ensure that appropriate attention is given to areas where gaps may exist. This way, commitment will be afforded to enable the implementation of the required processes and solutions to address identified gaps and minimize risk exposure, as well as the impact that risk poses to the business.
Editor’s note: See more commentary on this topic from Emily, as well as from several other leading industry experts, at www.isaca.org/tech-governance-impact.