7 Considerations for a Strong Cybersecurity Strategy
Ensuring Cyber Readiness with a Robust CRMP
Friday, March 6, 2020
By Ron Kral, partner, Kral Ussery LLC; published in CorporateComplianceInsights.com
No topic has likely garnered more attention in boardrooms over the last couple of years than cybersecurity, and rightfully so when the full extent of the direct and indirect costs of a data breach is considered. Direct costs include legal fees, forensic experts, public relations, remediation efforts, potential fines and regulatory compliance expenses. However, it is the indirect costs of operational disruption, increased insurance premiums, brand and reputational damage, loss of future revenue streams and the like that can lead to business ruin.
There is no shortage of specific cost estimates and articles on this important topic, and one research study pegs the total average cost of a data breach at $3.92 million. Considering what is at stake, is your organization truly prepared to address cyber risks? This article offers some practical considerations to enhance cybersecurity.
The risk of a cyber incident, defined here as a cybersecurity event that puts sensitive data at risk and requires action to protect the associated assets, applies to all industries and to companies of all sizes. No company is too big or too small, and smaller organizations tend to incur higher costs relative to their size, which hampers their ability to recover financially from an incident. However, it tends to be the larger ones that dominate press coverage, and the lessons learned from them can be insightful. For example, the table below highlights five notorious cyber incidents and their respective causes.
Examining the causes for these five high-profile breaches draws attention to the risks associated with:
There is no shortage of security and IT control frameworks to help formulate a cybersecurity strategy. One of the more prominent is the NIST Cybersecurity Framework (CSF) published by the U.S. National Institute of Standards and Technology. The NIST CSF consists of five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover.
At a minimum, all organizations should have these five functions addressed in a formal cybersecurity strategy document, sometimes referred to as a cybersecurity risk management program (CRMP). Many frameworks are daunting in terms of their terminology and complexities; it is easy to get lost in the details. Here are some considerations for developing and deploying a cybersecurity strategy:
Remember that cyber readiness, including implementing a robust CRMP, does not happen overnight. It will take time and resources to build and maintain, but an important objective is to strive for continuous improvement to address changing risk landscapes.
Do not procrastinate when it comes to cybersecurity, as the risks are real. While developing a CRMP that leverages one or more security and IT control frameworks should be a goal for all organizations, the initial steps can be difficult. It begins with education and with acquiring the expertise to assess the current state of cybersecurity objectives, risks and controls. An independent perspective can be an efficient and effective route for evaluating the current landscape. In addition, establishing roles and accountabilities at both the board and management levels is an important early step. Finally, for organizations that rely on cloud computing, vendor management controls also need to be an early focus.
In conclusion, we must remember that hope is not a strategy. Cyberattacks and data breaches are growing rapidly in both number and sophistication. It is likely only a matter of time before your organization is thrust into a serious cyber incident, and if you have already been subject to one, be prepared for another. Don't be caught off guard: an entity-wide CRMP is essential to protecting shareholder value. A strong cybersecurity posture also allows organizations to be more creative and proactive in the never-ending search for ways to strengthen revenue streams and profitability.
This is an article from the Governance Issues™ Newsletter, Volume 2020, Number 1, published on February 20, 2020 by Kral Ussery LLC.
Cost of a Data Breach Report 2019, page 5. Research conducted by Ponemon Institute LLC, published by IBM Security.
"We found significant variation in total data breach costs by organizational size. The total cost for the largest organizations (more than 25,000 employees) averaged $5.11 million, which is $204 per employee. Smaller organizations with between 500 and 1,000 employees had an average cost of $2.65 million, or $3,533 per employee." Cost of a Data Breach Report 2019, page 7. Research conducted by Ponemon Institute LLC, published by IBM Security.
The average time to identify a breach in 2019 was 206 days and the average time to contain a breach was 73 days, for a total of 279 days. Cost of a Data Breach Report 2019, page 6. Research conducted by Ponemon Institute LLC, published by IBM Security.