The American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) recommend that CFOs engaged in an “overnight” merger and acquisition (as we see occurring in our current financial climate) should spend the time to ask the right questions to gain pertinent information from their technology team, business managers, internal compliance officers, and corporate legal counsels, as well as crisis management and PR teams.

Marlene
New guide gives CFOs 50 questions about cyberthreats to ask various department heads
By Jaikumar Vijayan
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Cybercrime+and+Hacking&articleId=9117546&taxonomyId=82&pageNumber=2
October 20, 2008
(Computerworld) A good place for senior executives to start in trying to understand their companies' financial exposure to cyberthreats is by getting an overall assessment — not just from IT, but also from business units and corporate operations such as the human resources, legal and public relations departments.
That piece of advice is contained in an information guide that the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) jointly released today in an effort to help high-level execs prepare for the financial implications of possible cyberattacks.
But as fundamental as that notion might seem, the guide says that the continued failure of chief financial officers and other corporate executives to gather a multidimensional view of IT security threats often leaves companies dangerously unprepared for the sometimes staggering costs that can result when their systems are attacked.
The 40-page guide was put together by a task force of risk management executives from more than two dozen organizations, including Carnegie Mellon University, IBM, insurers American International Group (AIG) and State Farm Insurance, defense contractor Lockheed Martin and consulting firms Booz Allen Hamilton and KPMG. The document lists a series of 50 questions that CFOs and other executives should be asking the leaders of various internal groups, according to ANSI and the ISA.
The questions are designed to elicit information that can help provide a more holistic picture of a company's exposure to security threats, and the potential costs of either ignoring or mitigating those threats, said Ty Sagalow, president of product development at AIG's general insurance group.
Sagalow, who led a series of workshops that resulted in the new guide, said a lesson that the participants quickly learned during the sessions was that "cybersecurity, which has been traditionally viewed by some companies as an IT issue, is not just an IT issue." Just like, he added, it isn't purely a legal or PR issue.
As for the possibility that some IT managers could view increased involvement in security issues by other departments as encroaching on their turf, Sagalow and other members of the task force said they don't expect that to be an issue. Many IT departments already recognize that they're only part of the solution to cybersecurity issues, said Edward Stull, a software architect at Direct Computer Resources Inc. and chairman of an IT security best-practices group for the InterNational Committee on Information Technology Standards.
According to Sagalow, this is the first time that an effort is being made to provide CFOs, who ultimately have to sign the checks for security investments, with a means for better understanding the financial ramifications of cyberthreats.