CYBER and CYBERSECURITY RISK

CYBERSECURITY RISK MANAGEMENT EVOLUTION

Cyber-related risks, including cybersecurity, have taken some of the top spots in many recent Entity risk assessments. Cybersecurity is one of the Information Technology Risk Considerations. Two of the primary reasons for the increased focus on cyber risks are the pervasive and interconnected nature of computing and the ongoing, changing threats of disruption.

Just as accounting is used throughout all entities to capture transactions and establish accurate financial reporting, most transactions are now conducted with some form of computing. However, beyond accounting for transactions, which primarily supported financial reporting for each functional area, computing supports the mission, strategy, and operational processes that each Functional Area relies on to carry out its objectives.

Computing is a relatively recent capability compared to accounting. Just as it has taken many decades and disruptions for public company Financial Reporting to mature (e.g., the establishment of the Securities and Exchange Commission (SEC) in 1932 and the Sarbanes-Oxley Act of 2002), cybersecurity will also continue to evolve. A key difference, though, is that most entities rely on computing for their daily operations and success, so time is of the essence to ensure business processes continue to function.

Quantifying the costs and Return on Investment (ROI) of cyber-related risks is key to the ongoing development and support of the Chief Technology Officer's and Chief Information Security Officer's efforts to manage those risks. Cyber risk management is similar to Product Quality, Assurance, and Safety in that both are essential for an entity to succeed. However, many organizations view these areas as costs or expenses rather than as investments required to carry out the entity's mission, strategies, and operational objectives.

FRAMEWORKS and MODELS

Many different cybersecurity frameworks and models have been developed to assist entities of all types.

One example of free resources to assist with cybersecurity is the Department of Homeland Security (DHS) Cybersecurity website.

Free implementation resources are available from the DHS Cybersecurity Framework website. Materials include various Cyber Resilience Review Downloadable Resources.

The free Cyber Resilience Review (CRR): Method Description and Self-Assessment User Guide referenced below is an example of the useful materials available to support your ongoing cyber-related risk management efforts.

DHS NATIONAL CYBER AWARENESS SYSTEM

DHS operates the National Cybersecurity and Communications Integration Center (NCCIC). NCCIC's mission is to reduce the risk of systemic cybersecurity and communications challenges as the United States' flagship cyber defense, incident response, and operational integration center.

NCCIC provides the National Cyber Awareness System, which delivers timely information about security topics and threats for control systems users, government users, and homes and businesses. Users can sign up for email alerts or RSS feeds for:

  • Current Activity - A regularly updated summary of the most frequent, high-impact types of security incidents currently being reported to the United States Computer Emergency Readiness Team (US-CERT), a branch of NCCIC.

  • Alerts - Provide timely information about current security issues, vulnerabilities, and exploits.

  • Bulletins - Provide weekly summaries of new vulnerabilities; patch information is included when available.

  • Tips - Describe and offer advice about common security issues for non-technical computer users.

  • Analysis Reports - Provide in-depth analysis on a new or evolving cyber threat.

Refer to Related Resources for additional information, including tools, techniques, research, and guidelines.