The American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) recommend that CFOs engaged in an “overnight” merger and acquisition (as we see occurring in our current financial climate) should spend the time to ask the right questions to gain pertinent information from their technology team, business managers, internal compliance officers, and corporate legal counsels, as well as crisis management and PR teams. Marlene
New guide gives CFOs 50 questions about cyberthreats to ask various department heads
By
Jaikumar Vijayan
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Cybercrime+and+Hacking&articleId=9117546&taxonomyId=82&pageNumber=2
October 20, 2008
(Computerworld) A good place for senior executives to start in
trying to understand their companies' financial exposure to cyberthreats is by
getting an overall assessment — not just from IT, but also from business units
and corporate operations such as the human resources, legal and public
relations departments.
That piece of
advice is contained in an information guide that the American National Standards
Institute (ANSI) and the Internet Security Alliance (ISA) jointly released
today in an effort to help high-level execs prepare for the financial
implications of possible cyberattacks.
But as fundamental
as that notion might seem, the guide says that the continued failure of chief
financial officers and other corporate executives to gather a multidimensional
view of IT
security threats often leaves companies dangerously unprepared for the
sometimes staggering
costs that can result when their systems are attacked.
The 40-page guide was
put together by a task force of risk management executives from more than
two-dozen organizations, including Carnegie Mellon University, IBM, insurers American International Group
(AIG) and State Farm Insurance, defense contractor Lockheed Martin and
consulting firms Booz Allen Hamilton and KPMG. The document lists a series of
50 questions that CFOs and other executives should be asking the leaders of
various internal groups, according to ANSI and the ISA.
The questions are
designed to elicit information that can help provide a more holistic picture of
a company's exposure to security threats, and the potential costs of either
ignoring or mitigating
those threats, said Ty Sagalow, president of product development at AIG's
general insurance group.
Sagalow, who led a
series of workshops that resulted in the new guide, said a lesson that the
participants quickly learned during the sessions was that "cybersecurity,
which has been traditionally viewed by some companies as an IT issue, is not
just an IT issue." Just like, he added, it isn't purely a legal or PR
issue.
As for the
possibility that some IT managers could view increased involvement in security
issues by other departments as encroaching on their turf, Sagalow and other
members of the task force said they don't expect that to be an issue. Many IT
departments already recognize that they're only part of the solution to
cybersecurity issues, said Edward Stull, a software architect at Direct
Computer Resources Inc. and chairman of an IT security best-practices group for
the InterNational Committee on Information Technology Standards.
According to
Sagalow, this is the first time that an effort is being made to provide CFOs,
who ultimately have to sign the checks for security investments, with a means
for better understanding the financial ramifications of cyberthreats.
But the broader issue
of finding a way to more reliably quantify the risks posed by cyberattacks
isn't new. For years, companies have been using various models
and metrics to try to determine how effective their security controls are
and how much they should spend to guard against attacks.
Most of the existing
efforts are geared toward giving security managers new tools that can
better estimate and justify the costs of implementing IT and process controls.
In the past, other initiatives have taken a stab at developing risk
prediction models that insurance companies, for instance, could use in
underwriting cyberinsurance
policies .
The new guide
being offered by ANSI and the ISA recommends that CFOs ask their technology
team questions about the biggest threats to data confidentiality, integrity and
availability, and the controls that are in place to protect against those
threats.
Similarly,
security-related questions about business continuity and recoverability need to
be asked of business managers, the guide says. And internal compliance officers
should be asked for information on industry or government regulations that
their companies are required to comply with as well as internal data
collection, retention and destruction practices and the penalties for failing
to comply with them.
In addition, CFOs
should ask corporate legal counsels about the exposure of their companies to shareholder
lawsuits and other legal actions stemming from data breaches, and they
should request information about the laws governing the company's data use
policies, according to the guide. In the same manner, the document advises that
crisis management and PR teams be queried on issues such as the existence of a
crisis communications plan and the financial implications of delaying or mishandling
breach notifications.
An analysis of
such information can help CFOs put the risks associated with cyberthreats into
monetary terms, Sagalow said. He noted that companies have all sorts of tools
and methodologies for measuring the financial risks associated with events such
as floods, fires, storms and even employee defections. But they don't have a
framework for evaluating the risks posed by security threats, he said, adding
that such a framework is vital because of the escalating costs associated with
cyberattacks.
Larry Clinton, the
ISA's president, said the goal of putting the guide together was to give CFOs a
tool for better estimating the potential costs of attacks. That information, he
said, can help move the "locus of control" for cybersecurity from the
CIO and chief information security officer to the CFO.
"Businesses
make decisions based on their financial self-interest," Clinton
And getting CFOs
more involved in security matters may not be a bad thing for IT departments,
according to Clinton.
Grant Gross of the IDG News Service contributed to this
story.
Comments