Just as an annual physical exam tells us a great deal about the state of our health, a credible risk assessment provides vital insight for improving the quality of an enterprise cyber security program. The state of cyber security today is probably reflected in the Equifax data breach. This is a teaching moment. It very well could be the tipping point for cyber security. Cyber security, for the next few years, will be a significant C-level priority. Executives are beginning to realize that cyber risk = disruptive business risk!
Security is only as strong as the weakest link. Organizations must ensure that they regularly perform a comprehensive risk assessment exercise to discover vulnerabilities that can be exploited. The immediate lesson from the Equifax breach is that organizations must review their patch management and configuration management practices. Any policy and process must be influenced by standards such as PCI DSS, ISO 27001, and NIST Special Publications. However, organizations must view this area of challenge as an opportunity to review and improve the full scope of the enterprise cyber security program. Think of the Japanese word “kaizen,” which means continuous improvement.
Establish an active cyber defense program
The bottom-line recommendation for senior executives is to set the tone for cyber security as an enterprise priority. These seven areas are critical to address on a continual basis:
- Develop a credible, approved cyber security strategy that resonates across the enterprise
- Implement a cyber security framework
- Conduct a comprehensive and thorough security risk assessment, at least annually
- Ensure a technical vulnerability assessment is performed quarterly, and a penetration test annually, on mission-critical assets
- Perform a Business Impact Analysis (BIA)
- Develop a detailed IT Disaster Recovery Plan (DRP); test it regularly
- Create a cyber incident response plan
Cyberattacks may not just disrupt, but potentially destroy, valued data. 2018 will witness cyber events of the past repeated. We must be prepared now. We must bake cyber security into the enterprise DNA. It always starts with a credible enterprise risk assessment. Ensure it is comprehensive and thorough.
Editor’s note: Ali Pabrai will discuss this topic in more detail during his CSX Europe session, titled “The Art of Performing Risk Assessments.” Pabrai is a renowned cyber security expert and member of Infragard (FBI). He is a top-rated dynamic speaker and chief executive of ecfirst – a compliance and cyber security company. Pabrai also serves on the HITRUST Assessor Council, and is the author of several published works.
[ISACA Now Blog]