Sunday, April 4, 2010

Cybersecurity and Risk Assessment

You have yet another opportunity (obligation? curse?) to inform and educate your senior management about how important the work you are doing is to protecting your institution from a damaging data breach.

The American National Standards Institute (ANSI) last week released its report "The Financial Management of Cyber Risk - An Implementation Framework for CFOs." I recommend you download it (you will need to register, but it's free thanks to the good people at ANSI).

Then give it a good read. It makes the case that:
In reality, cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental, and economic perspective. The chief financial officer (CFO), as opposed to the chief information officer (CIO) or the chief security officer (CSO), is the most logical person to lead this effort.
The report assigns dollar figures to breaches (nothing really new here, but it adds credibility). And speaking of credibility, a blog post from the SANS Storm Center stated that:
The report is endorsed by Melissa Hathaway, former Acting Senior Director for Cyberspace for the National Security Council. The CFO guide is a direct response to the Cyberspace Policy Review released last May. That report stated, "Between 2008 and 2009, American business losses due to cyberattacks grew to more than $1 trillion in intellectual property." Copies of the documents from the Fed review can be found on the White House website.

I found several chapters interesting, particularly Chapter 2 on educating users. There are also some great appendices, including one on the cyber insurance (really!) offered by various companies.

It all goes back to the theme that risk is a multidisciplinary issue that should be addressed in a multidisciplinary fashion.
