Cyber crime — it’s all over the news and on everybody’s minds. That’s because cyber crime is ubiquitous, posing a significant threat to any organization that uses technology. Just think of the terminology that has recently become part of our everyday lexicon: hackers, the darknet, Bitcoin, ransomware, intellectual property, credit cards, personal information, malvertising, breaches, persistent threats, the Internet of Things, emerging threats, and the cloud. Clearly, there’s a lot to worry about, and a myriad of concerns to measure and monitor.
To protect themselves from this broad range of cyber risks, many organizations have adopted a model comprising three lines of defense: information technology (IT), along with the business and support units, for implementing new tools and controls; information security (IS) for devising the defense strategy and program; and internal audit (IA) for providing executive management with an independent and objective view of that program. Despite the expertise each of these groups brings to the table, this siloed approach is confusing and largely ineffective. Why? The short answer is a lack of focus and alignment. Each group tends to favor its own priorities, often defining risks and attempting to mitigate them in different ways. Personality differences exacerbate the situation, as leaders debate the boundaries of their organizations and whose priorities deserve scarce resources. Often, the incongruence confounds executive management and the board, and the resulting murkiness drives the organization to try to protect everything instead of focusing on the things of greatest value. Although the path is complex in practice, some more mature organizations have discovered that the road to better cybersecurity has four basic segments.
Please read the entire Deloitte article: ‘Locking arms against hackers’
All too often, organizations guard the memo about last week’s pizza luncheon with the same rigor used to protect their most precious intellectual property. It is infeasible to secure everything; therefore, information must be protected according to its value. Unfortunately, many organizations don’t know what their crown jewels are, much less where they are located, and that makes cybersecurity nearly impossible and very expensive. That is why executives and board members find cybersecurity so frustrating. The organization puts policies and procedures into place, provides training, implements new technology, performs audits, and corrects deficiencies, only to find that attackers still get into the system and cherry-pick the crown jewels. While a single silo, such as the IT or IS department, is often blamed for the breach, it is usually symptomatic of an intrinsic organizational weakness: inadequate alignment across the three lines of defense.