Ernst & Young’s 2015 Global Information Security Survey is out, and, as usual, is just chock full of information. This year’s survey of 1,755 organizations from 67 countries finds that 88 percent of the global respondents do not believe their information security architecture is sufficient to meet their security needs.
Ernst & Young correctly notes that one of the major challenges organizations confront in the cybersecurity arena is figuring out how not to drown in all the data. You could comb through the report and make judgments about the relative maturity of your organization, or you could take a shortcut and heed this observation: “To efficiently guide your organization through the layers of risks and threats, leaders must have the confidence to set the risk appetite, and be prepared to swing into decisive action to handle any incidents. For example, one clear theme emerging from the last couple of years is that the impact of an incident is greatly reduced by the leadership ensuring there is intelligent and appropriate handling of cyber incidents, and effective communication both internally and externally to manage the outcome.”
There you have a list of priorities in a nutshell. Arguably, the single most important cybersecurity consideration in any organization is whether leadership is both demanding and supporting internal efforts to identify and prioritize threats, take appropriate measures to reduce risk, and develop comprehensive and effective response plans. Corporate boards must demand accountability from the C-suite, and C-suite leadership should be fully invested in ensuring the organization’s readiness.
Here’s a simple introductory test. Leadership should ask whether the company’s critical data assets have been identified and prioritized, and whether the company can identify who has access to those assets, where they reside within the company (typically in many places given the nature of the workplace), and how they are moving out of the company. If the answers to these questions are not a crystal clear and convincing “yes,” you’ve got work to do. If you do get a “yes” you still have work to do, because readiness is a process, not an end, but you’re in a far better place than those starting with a “no.”
By Tom Davis, SDI Cyber Risk Practice
December 1, 2015