April 1, 2010


Greg Master, SC Magazine, 04/01/2010

Two industry groups on Wednesday released a free guide that the authors hope will encourage financial executives within an organization to take the lead role in mitigating cyber-risks.

The framework, developed by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI), comes in response to the White House’s release last May of the 60-day Cyberspace Policy Review. That report stated that between 2008 and 2009, American business losses due to cyberattacks grew to more than $1 trillion in intellectual property.

The new publication, The Financial Management of Cyber Risk: An Implementation Framework for CFOs, helps organizations meet one of the review’s recommendations that monetary value be assigned to cyber-risks and their consequences.

One of the main challenges is to make senior executives aware of the impact data theft and other consequences of cyberattacks can have on a company’s bottom line, Larry Clinton, president of the ISA, told on Thursday.

“What we are trying to do is expand the conversation about cybersecurity out of the IT realm and get it appreciated more in the organizational realm,” Clinton said. “What this publication demonstrates is that most companies are not analyzing the financial implications of a cyberattack. It offers a road map to better analyze the true costs, and then offers a straightforward mechanism to address that.”

These senior leaders are responsible for the financial health of an organization and beholden to the shareholders, he added. Once senior executives become aware of what implications a lack of security has from a loss and legal exposure perspective, the financial implications begin to mount and solutions need to be implemented on the enterprise level.

The document appeals to C-level executives from a financial and business strategy perspective, rather than only as a request for more technical safeguards, Clinton said.

“A lot of people in the C-suites are not comfortable with technological implications,” he said. “Even though they have plenty of data, they don’t see that part of their job is to secure that data.”

The ISA-ANSI guide explains that cybersecurity is an enterprise-wide risk management issue that needs to be addressed from a strategic, cross-departmental and economic perspective. It proposes that the CFO of an enterprise, rather than the CIO or CSO, is the most logical person to lead this effort.

More than 60 experts from government and commercial enterprises contributed to the publication, which is being offered free to organizations across the country.

“By bringing together this diverse group of cybersecurity experts, ISA and ANSI have identified the potential gaps in the process of analyzing cyber-risk,” Fran Schrotter, senior vice president and chief operating officer at ANSI, said in a statement. “We have given C-suite executives a tool that will assist them in developing and implementing a cyber-risk management plan for their entire organization.”