April 6, 2010



Patricia Vowinkel, Risk & Insurance, 04/06/2010

It’s time to break cybersecurity out of the IT ghetto.

Business is on the front lines of a raging cyberwar, according to a new report, and yet cybersecurity is too often treated as just an IT issue rather than the enterprise-wide risk management issue it really is.

Too much responsibility for this issue is handed over to IT departments, and corporate leadership is structured in such a way that the real financial issues with respect to cybersecurity are masked, according to “The Financial Management of Cyber Risk,” the report released by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI) in late March.

One of the authors’ objectives is to bring the problem to the attention of C-level executives.

“If it does nothing else, hopefully it raises awareness outside of the IT sectors that this risk is larger and more pervasive than people have thought,” said Robert Parisi, national practice leader for technology, network risk and telecommunications at insurance brokerage Marsh.

American business losses due to Web-based attacks totaled the equivalent of more than $1 trillion of intellectual property between 2008 and 2009, according to the White House Cyberspace Policy Review. Cyberrisk threatens not just business, but national security as well.

“Ignorance is bliss, but it’s not a defense,” said Parisi, who was part of a committee that drafted a section of the report dealing with cyberrisk management and risk transfer.

It is the rare C-level executive who has any direct involvement in the management of cybersecurity risks. In 95 percent of U.S. companies, the chief financial officer is not directly involved in the management of information security risks, according to the 2008 Deloitte study, “Information Security & Enterprise Risk,” cited in the ISA/ANSI report. The Deloitte study also found that 75 percent of U.S. companies do not have a chief risk officer.

“The Internet and modern information systems cut across an entire organization, but the security of the information system tends to be located most often just in one small department of the organization,” said Larry Clinton, president of the ISA.

But that one department, IT, is usually viewed as a cost center, and so it tends to be starved of budget, Clinton said.

As a result, cyberthreats are underestimated, funding is not properly allocated and proper defense is compromised, according to the report.

Senior executives with cross-departmental authority, such as CEOs, CFOs or CROs, must take strategic control, not operational control, of the IT systems that are the nerve center of their operation.

“It’s not a risk that can be dealt with by simply spending more on technology or spending more on insurance,” Parisi says.

The report provides a practical framework for executives to understand the true costs of cybersecurity, and assess and manage the financial risks generated by the modern information system.

It also provides a detailed program for the functional departments of an organization to use in their development of the needed cross-departmental analysis. Such functional departments include human resources, legal and compliance, communication, operational and technical, and risk management.

“There are existing standards and practices and technologies that could solve between 80 percent and 90 percent of the cyberattacks, but most organizations are not using them,” Clinton said. “If we could simply get them to be better appreciative of what the problem really is and how to attack it, our hope is that we can expand the perimeter of cyberdefense out and, in so doing, create a sustainable system where we’re all secure.”