
Cyberrecovery and the C-suite

I was recently invited to participate in a panel discussion at a cybersecurity conference. The overall focus of the panel was on best practices for network security, specifically preparing for a cyberattack. We were given 5 focus areas to consider, mostly the usual topics such as zero-day attacks and bring your own device (BYOD). The 5th focus area was deploying a successful disaster recovery (DR) plan with regard to cybersecurity.

In addition to me, the panel included two chief information security officers (CISOs) and a chief executive officer (CEO), and it was moderated by a third CISO. When the topic of DR came up for discussion on the preparation conference call, one of the participants summarily dismissed it as old hat and played out. He said the topic had been discussed to death and there had been nothing new in that area in years. One person after another agreed with him, and the moderator said, “OK. We will cut that topic out of the discussion.” I disagreed and chimed in with a brief overview of my recent Journal article. Afterwards, they all agreed to keep the topic, and someone even suggested that we move it up to be the first subject of discussion. They said they had never looked at DR from the perspective of preparing the C-suite for a cyberbreach.

A few weeks ago, I had lunch with a chief information officer (CIO) friend of mine, and the subject of my article came up. I asked him if he and the CISO, who reported to him, would consider presenting the idea of the C-suite participating in a cyberbreach preparedness exercise to the company president and the board of directors (BoD). He laughed and said they wanted no involvement in the design and execution of cybersecurity. All they want is to be told the firm is safe and that the Sarbanes-Oxley (SOX) audit will pass. Apparently, appearing safe is just as good as being safe to some executives.

So why do some C-suite executives react this way? I think it is evolutionary in nature. Twenty years ago, only 3 out of 10 companies had DR plans. Now everyone has one. It took a few disasters and an act of the US Congress to garner the wide acceptance we see today. I think the same evolutionary set of baby steps will naturally happen before a wide acceptance of cyberbreach preparation in the C-suite will be seen. It would be interesting to gather some empirical data on how many companies are prepared and practiced now and then monitor the growth over the next few years. I suspect the high impact of cyberbreaches will move the evolution of cyberbreach preparedness along a lot faster than that of the DR plan.

Read Gary Lieberman’s recent ISACA Journal article:
“Preparing for a Cyberattack by Extending BCM Into the C-suite,” ISACA Journal, volume 5, 2015.

[ISACA Journal Author Blog]

About @PhilipHungCao

@PhilipHungCao, CISM, CCSP, CCSK, CASP, CIW-WSP, GICSP, PCNSE, ACSP, CCDA, DCSE, JNCIA, MCTS, MCSA, VCP5-DCV, VCP6-NV, ZCNT is a #TekF@rmer. He has 16 years’ experience in the ICT/cybersecurity industry in various sectors and positions.
