Into the Breach: Disruptive Technology and Cybersecurity

This post is based on findings from our report on a survey of more than 370 board members and C-suite executives about the risks they consider top-of-mind for the coming year. The survey was conducted for the second consecutive year by North Carolina State University’s ERM Initiative and Protiviti. For more information, visit

One of the more interesting dichotomies to surface in Protiviti’s Executive Perspectives on Top Risks for 2014 survey is a declining concern – albeit slight – over operational cybersecurity. This is occurring in the face of a fast-rising strategic concern that disruptive technological innovation is evolving faster than organizations are comfortable managing.

I know I don’t have to convince anyone that cybercrime is a real danger – and there’s plenty of data to prove it. The White House recently released final voluntary cybersecurity standards, the Cybersecurity Framework. These standards are viewed as a national imperative. They are created for private businesses, especially those that make up the nation’s “critical infrastructure,” which includes telecommunications companies and utilities. The Framework focuses on identification, protection, deterrence, response and recovery. (For more information, read our Flash Report on the new Cybersecurity Framework).

There is a growing body of evidence that security breaches to date, while embarrassing, may not be creating long-term reputational damage, except in extreme situations. Over time, the public is starting to recognize that cybercrime losses are a cost of doing business, similar to investment losses or normal retail theft. A July 2013 report from the Center for Strategic and International Studies, a nonprofit global security think tank in Washington, D.C., placed the scope of cybercrime at up to 1 percent of the global gross domestic product. The Center also suggests that the only real and lasting damage from cybercrime comes from the theft of intellectual property.

That doesn’t qualify as “good news,” however. Make no mistake about it. Cybercrime and cyber espionage cost the global economy billions of dollars every year. Further, this dollar amount, large as it is likely to be, may not fully reflect the damage to the global economy. Cyber espionage and crime slow the pace of innovation, distort trade and bring with them the social costs associated with crime and job loss.

Just because people are recognizing security breaches as a common threat doesn’t mean that organizations shouldn’t do everything in their power to prevent cybercrime and eliminate potential breaches.

Here are some recommendations to address critical cybersecurity issues. These are summarized from Issue 44 of our Board Perspectives: Risk Oversight newsletter:

1) Make incident response a top management priority to avoid these common pitfalls:

    • Developing a plan “good enough” to satisfy the business and non-IT personnel in the organization
    • Failing to include an escalation plan, and appropriate rules, responsibilities and protocols for the plan’s execution
    • Testing just enough to demonstrate compliance, but failing to test the plan thoroughly

2) Build a preventative human and technology security perimeter. By building a strong communication program and heightening the overall risk consciousness regarding cybersecurity, companies can help their employees recognize risky behavior and respond to attacks. Continuing employee education, alongside strong technical security controls, will help clarify how to use the technology in question.

3) Use escalation protocols to increase visibility at the top. We still see too many boards treating cybersecurity as “an IT issue” rather than as a business issue.

4) Create an operational framework for incident response. Companies should establish an incident response program that has management visibility and sponsorship.

5) Consider retaining appropriate external expertise.

Having a strong plan to manage cyber risk is as important as managing through the economic, political and regulatory environment. For more on this topic, see my recent blog post, Cybersecurity Framework: Where Do We Go From Here?

What’s your perspective on cyber threats? Start a conversation in the comment field below.


Split Decision: Boards and Executives Divided on 2014 Risk Outlook

This post is based on findings from a survey of more than 370 board members and C-suite executives about the risks they consider top-of-mind for the coming year. The survey was conducted for the second consecutive year by North Carolina State University’s ERM Initiative and Protiviti. For more information, visit

There’s an old statistics joke about two economists who go deer hunting. Upon sighting a deer, one shoots high, the other shoots low. As the deer scampers to safety, the economists fist bump. On average, they nailed it!

That joke comes to mind as I consider our Executive Perspectives on Top Risks for 2014 study. On average, the more than 370 executives and board members surveyed found the business climate less risky than in 2013, with board members generally finding it more risky and executives, collectively, ranking it less risky.

So, which is it? It depends on your perspective.

Operationally, things appear to be better. The economy is improving. Unemployment is down. And consumer confidence is up.

Executives have a clearer line of sight on growth, and they have more confidence in their projections and forecasts. In that macroeconomic and operational sense (which accounts for two-thirds of our survey questions), things are less risky.

Board members look at risk differently. Tasked with making sure all the bases are covered, directors scan the horizon and spend more time thinking about how external forces and strategic risks such as regulation, societal change and disruptive technology might blindside management as they are going about executing their business model. Simply stated, directors may be taking a more strategic view, and strategic risks (the remaining one-third of our survey questions) do appear to be more risky.

Whatever the reasons for the divergence in boards’ and executives’ view of the changing risk environment, organizational leaders must make sure everyone’s reading from the same page. Boards and executives alike should be asking:

  1. Is management periodically evaluating changes in the business environment to identify risks in corporate strategy?
  2. Is the board sufficiently involved in that process?
  3. Does management apprise the board on a timely basis of changes in the organization’s risk profile?
  4. Is the board aware of the most critical risks facing the company, and does it agree on why those risks are significant?
  5. Is there a periodic board-level dialogue regarding management’s appetite for risk and whether the organization’s risk profile is consistent with that risk appetite?

These are questions directors can ask about the organization’s risks. Following are three questions they can ask about risk management as they discharge their risk oversight responsibilities:

  1. Are we improving our risk management capabilities continuously to ensure we are managing our risks effectively in a changing business environment?
  2. Is our risk culture encouraging the right behaviors?
  3. Have we integrated risk management with the appropriate management processes?

For a more in-depth look at some of the above questions, please read Issue 50 of Board Perspectives: Risk Oversight, titled Five Risk Oversight Questions Directors Should Ask.

What’s your outlook on risk? Do you agree with the executives or the board members?

Business Continuity: What’s your backup plan?

“By the time you hear the thunder, it’s too late to build the ark.” – Unknown

In today’s global economy, organizations don’t have to be in the same region of the world for their operations to be affected adversely by a catastrophic event. A prime example: the Tohoku earthquake in Japan in 2011, and the tsunami and nuclear crisis that followed. Simply consider Japan’s dominance in the auto and semiconductor industries, and it’s not hard to imagine how these events created ripple effects for companies in Europe, the United States and elsewhere. Many leading businesses suffered losses in the millions – and some in the billions – due to the triple disaster in Japan because they had assumed risks in their supply chain from which they could not recover on a timely basis when the “unthinkable” occurred.

Business continuity management (BCM) is an overarching strategy encompassing crisis management, business recovery planning and information technology (IT) disaster recovery.
