The pressure on attorneys and C-level executives to develop effective information security management programs has reached unprecedented levels, especially given the latest data breaches and cyber threat reports. The financial, legal and reputational fallout resulting from massive attacks on Target, Home Depot and JPMorgan Chase—to name just a few of the most prominent incidents in recent months—highlights the seriousness of the problem and the inadequacy of many organizations’ efforts to mitigate the risk.
With each passing day, the stakes are getting higher for companies that fail to heed the warnings. Organizations that experience breaches and fail to mitigate the damage promptly are increasingly subject to the scrutiny of agencies such as the Federal Trade Commission, the Securities and Exchange Commission and the Commodity Futures Trading Commission, all of which are developing more stringent guidelines and initiatives regarding cybersecurity and incident response planning. Even Congress is getting into the act with bruising public hearings and comprehensive document requests, as Target CEO Greg Steinhafel (since resigned) discovered at the hands of the House Committee on Energy and Commerce.
Following the lead of regulators, the plaintiffs’ bar is also ramping up actions targeting organizations that have suffered data breaches, bringing a variety of class action claims and shareholder suits. Although the defendants have prevailed in nearly all cases brought against them in this area, largely because of the difficulty of establishing measurable harm, companies are still forced to spend millions defending themselves.
The root of the problem: a defensive posture
What have enterprises been doing wrong? By all indications, insufficient investment in cybersecurity does not appear to be the primary problem. Chase, for example, has told shareholders it will have spent $250 million on cybersecurity by the end of 2014, employing approximately 1,000 individuals in that capacity—and the company expects its investment of capital and professional talent in the effort to protect its data to grow exponentially in coming years. But that didn’t prevent the company from suffering a breach that is now estimated to impact 76 million households and 7 million small businesses.
The real problem is that enterprises are still focusing their security strategy too heavily on vendor tools and technologies aimed at shoring up perimeter defenses and signature-based threat detection—even though the current onslaught of breaches has decisively demonstrated that such methods are easily defeated or bypassed by attackers using widely available and inexpensive tools of their own.
Instead of throwing money at security technology, enterprises need to undergo a radical philosophical change in their approach to cybersecurity. They can start by acknowledging that preventing a breach is impossible. Serious security experts have been making this point for years now: regardless of how much you spend or how advanced your security technology is, determined attackers will eventually find a weakness and penetrate your network.
Understanding this truth, the logical next step is to focus your efforts on creating, maintaining and testing a robust, formal, comprehensive incident response plan. Instead of merely hoping to eliminate the possibility of a breach, security-savvy enterprises are developing detailed programs to contain the damage—a process that can only succeed in a company culture where everyone understands that cyber risk is not simply an IT problem, but a serious business risk that requires the engagement of the entire organization.
A converged response model to cyber risk management
A serious information security management program should be based on a “converged” incident response model, where IT, legal, compliance, management and other key stakeholders have identified key vulnerabilities and agreed upon a unified response to incidents before they occur.
Budgets, personnel and other resources should be allocated specifically for incident response. Of course, companies should actively seek and acquire technologies that will aid them in quickly detecting and responding to today’s advanced threats. However, companies also must engage their most sophisticated response system – their employees. Staff should be trained not only on how to spot a potential breach, but what to do immediately afterward, and the organization should conduct mock drills to benchmark the efficacy of its processes and employee performance. The company culture should foster an environment where professionals across the enterprise are expected to collaborate and communicate openly and transparently about data security to ensure that policies, procedures and everyday practices are sufficient to protect the company against the damage that can result from an incident.
Why is enterprise-wide collaboration so important? Because different business units have distinct perspectives and requirements that need to be integrated from the moment a breach is detected. Even the best IT staff and consultants who have been trained in incident response may not understand the full implications of a breach and take appropriate steps before it’s too late. For example, they may not understand the importance of establishing a clear, comprehensive, defensible record of all response activities so that legal counsel will be able to mount an adequate defense in the face of subsequent legal and compliance actions. Legal also needs to be involved at the very beginning of an incident to minimize delays in notifying authorities and the public after a breach is detected and reduce the potential for damage claims related to a delayed response. It’s also possible that valuable trade secrets or intellectual property may be at risk in the event of a breach, but IT might not immediately recognize the importance of the data and take steps quickly enough to protect it.
Working toward alignment: how to get started
A proactive stance toward cyber risk management is crucial to preventing security issues down the road. One way to quickly assess your organization’s cyber security alignment and identify gaps and weaknesses is to hold one-on-one meetings with each of your key legal, management and IT professionals. Here are some examples of questions you can pose:
- What are the top three most significant information security and data privacy risks faced by the organization?
- How is the organization’s information security framework tailored to defend against these threats?
- Who owns the information security and data privacy risk function in the organization? (Don’t forget to identify risks associated with insider threats, which are still the leading source of breaches, as well as threats from third-party vendors.)
- Are you familiar with your company’s information security incident response plan, and can you describe your own role in the process?
- When did the organization last conduct an information security risk assessment and what were the results?
- What are the vendor relationships that present the highest potential risk to critical data?
The answers you receive in this exercise almost always provide some surprises. Not only is it a great way to get a quick overview of alignment and assess overall readiness, it is also a good way to make people aware of the range of considerations that need to go into building a program for managing cyber risk. As you engage in this exercise, make it clear that each individual’s views and concerns are important and legitimate. Once you’ve gathered responses, gaps in alignment should be addressed as a group, with the goal of developing a proactive, coherent and unified corporate response. At some point in the process, some companies will want to turn to outside expertise to get objective input, facilitate cooperation among stakeholders and ensure adherence to industry best practices.
Aligning cyber security functions may have collateral benefits
Once your organization commits to a formal “converged” cyber risk management program, you are likely to discover unexpected business benefits that aren’t directly related to security concerns. By working together, legal and IT security professionals can often find ways to move the business in a favorable direction while remaining within acceptable risk parameters. For example, formal security planning will force you to identify business strategies and tactics that are unreasonably risky. Armed with this knowledge, your organization will better understand how to minimize or mitigate these risks before making business decisions that could affect the security of your organization, such as working with third-party vendors, entering new markets or geographical regions, or engaging in M&A and other initiatives. By keeping within the acceptable risk thresholds outlined in the cyber risk management plan, executives can move forward with new initiatives with greater confidence or, conversely, walk away from a potentially lucrative but risky situation without fear of consequences – knowing that the board and all C-level executives are aligned with and committed to the cyber risk plan.
Having a comprehensive cyber security risk management plan in place will not prevent breaches. Rather, it provides an organization with definitive steps on how to respond to any threat – large or small. It may require additional investment in time, money and other resources (or a reallocation from traditional cybersecurity initiatives), and perhaps a cultural shift within the organization, in order to be effective. But the end result is that, when a cyber event does occur, the breach will be detected, addressed and contained sooner, minimizing the size and scope of actual loss as well as the fallout and repercussions that come with a delayed or inadequate response or poor preparation.
About the Author
Jason Straight is an attorney and senior vice president and chief privacy officer at UnitedLex, a legal services outsourcing company.