The RE: View for June 15 - July 4

Jul 10, 2014 6:06am

June 29, 2014

Corporate Boards Race to Shore Up Cybersecurity:  Directors Grapple With Issues Once Consigned to Tech Experts, The Wall Street Journal

After a series of high profile data breaches, corporate boards are focusing on cybersecurity.  Steps taken include hiring Chief Information Security Officers, adding a board member with expertise in information technology and security, getting briefed by outside consultants, and dedicating more time during meetings for information security discussions.  See Board Oversight for tips on how to oversee the company’s management of cyber risk.

June 26, 2014

For Cybersecurity, a SOX Moment Looms, CSC Blog

As noted by Samuel Visner, CSC Cybersecurity vice president and general manager, Congress passed Sarbanes-Oxley legislation to protect shareholders and the public from practices in which inaccurate and unhealthy financial information persisted and was reported resulting in companies failing and shareholders losing billions of dollars.  Mr. Visner asks, is there less at stake with cyber?  The Target breach affected 70 million people, the cost of cybercrime worldwide is an estimated $700 billion, companies fold after losing intellectual property from cyber espionage, and the degraded critical infrastructure from a cyber-attack could result in the loss of life.  As cybersecurity threats grow and the value of information increase, the public will demand better and more provable cybersecurity, thus companies will need to prove to shareholders, customers and regulators that good cybersecurity is in place.  Mr. Visner predicts, for cybersecurity, a “SOX moment” may be coming. 

June 23, 2014

What is the job of Chief Information Security Officer (CISO) in ISO 27001?, ISO 27001 and ISO 22301 Blog

This blog provides a good overview of the responsibilities of a Chief Information Security Officer (CISO).  Note that in a small company, the role of the CISO should be performed by your IT system administrator or IT manager along with his or her other duties.  This blog posts recommends that once your company grows above 1,000 employees, you should have a full-time CISO.  In interviewing CISO candidates, consider not only knowledge about information technology, but also the individual’s interpersonal skills and knowledge of your company’s business processes because the CISOs main job is developing a risk-based security culture in the company.       

June 18, 2014

Today’s Top Skill Sets in Security – and Why They’re in Demand, CIO

As the threat environment and business environment evolves, the skill your security professionals need will also evolve.  Even if you are a small business owner with a small IT staff, think about what skills your security professionals should possess.  Also, as noted in this CIO article, look to hire security professionals with “people” skills.  Your security staff should play a key role in creating a culture of cybersecurity awareness and be “good at talking people into doing things they never really did on their own.” 

June 16, 2014

Cybersecurity, Cyber Governance, And Cyber Insurance: What Every Public Company Director Needs to Know, The Metropolitan Corporate Counsel

Unlike many aspects of corporate oversight, cyber is new for many directors.  This article by Paul Ferrillo of Weil, Gotshal & Manges LLP provides an overview of the Board’s responsibilities in overseeing their company’s cybersecurity program and the basic questions the Board should be asking senior management and senior IT staff about the company’s cyber risk and cybersecurity and incident response plan.  Mr. Ferrillo also discusses the availability of stand-alone cyber insurance to mitigate cyber risk and what coverage is provided by cyber insurance.  Use this advice as a basic guide to improve your Board’s oversight of cyber risk and see Board Oversight for more information.

June 16, 2014

Target top security officer reporting to CIO seen as mistake, CSO News

Six months after suffering a massive data breach, Target hired its first ever chief information security officer (CISO). Experts applauded Target’s hiring a CISO but question the decision to have the CISO report to the chief information officer instead of directly to the CEO, worrying that security might not get high enough priority if the CISO is not equal to the CIO.   Al Pascual, an analyst at Javelin Strategy & Research notes that the “CIO and CISO are really complementary roles, and to be truly effective they need to act as partners within an organization.”  The job of a CISO is to establish a company’s overall approach to security and make sure the CEO and Board is aware of any technical problems.  To be effective, the executive should be able to present arguments for large IT security expenditures directly the CEO and the chief financial officer, who can weigh the request against the money the CIO wants to spend on IT operations.  If the CIO has the final say, the balance between security and IT operations could shift to the latter. Jake Olcott, principal consultant on cybersecurity at Good Harbor Security Risk Management, notes that “if senior executives do not have visibility into the company’s security postures, then that’s a bad thing.”

Ruling Raises Stakes for Cyberheist Victims, Krebs on Security

Choice Escow and Land Title unsuccessfully sued its bank, BancorpSouth Inc., in an attempt to recover $440,000 stolen in a 2010 bogus wire transfer. Choice Escrow’s lawyers argued that because BancorpSouth’s Internet-based authentication allowed wire or fund transfers using two options which were both password-based, its commercial online banking security procedures fell short of 2005 guidance from the Federal Financial Institutions Examination Council (FFIEC).  The appellate court ruled in favor of BancorpSouth noting that Choice Escrow was offered dual controls, informed that it was important for them to take advantage of the dual controls, and made an informed decision in writing not to do use dual controls.   Krebs article notes that perhaps most significantly, the appellate court ruled that the bank can pursue its legal fees against the customer which may dissuade plaintiffs who not only have to pay their lawyers but those of the bank if unsuccessful.  Cyber theft victims may be more cautious about bringing recovery lawsuits against banks.  

June 2014

Why senior leaders are the front line against cyberattacks, McKinsey & Company

The importance of cybersecurity is known, so why isn’t more being done to protect our critical information assets?  This McKinsey & Company article notes that there are a number of structural hurdles in companies that make cybersecurity difficult.  However, as found through research undertaken with the World Economic Forum, “senior-management time and attention was identified as the single biggest driver of maturity in managing cybersecurity risks.”  Senior managers need to:

  • actively engage in strategic decision making about cybersecurity risk,
  • drive consideration of cybersecurity implications across business functions,
  • push changes in user behavior and
  • ensure effective governance and reporting is in place.