
Cyber security: why responsibility should also fall on Risk Officers

By Esmee O'Brien, 14 November 2019


One of the main issues with cyber security is that everyone likes to think it is the responsibility of the IT department. However, with cyber-attacks continuing to increase in both frequency and complexity, and with technology not necessarily being the deciding factor in whether or not a business is breached, it seems obvious that it should also be a matter for the Risk Officer. Whether that is the case right now remains an open question, but it is time we started moving in this direction.

The notion among businesses that cyber security is someone else’s problem started with business executives routinely handing it off to the IT Manager or the Chief Information Officer. But since cyber security has risen in prominence a new position has emerged, that of the Chief Information Security Officer (CISO).

Quite obviously, the individuals with these job titles, whether IT Manager or CISO, do have primary responsibility for cyber security, especially as they are trained and experienced in information technology and have information-security-specific training on top of that.

But with the continued prevalence of security breaches, and the ever-evolving methods used by attackers in breaching even the strongest of defences, it’s evident that security can no longer start and stop with one designated individual or team. Phishing can succeed when targeting the CEO, or when targeting the newest intern. That’s why cyber security is everyone’s problem, from top to bottom.

Enter the Risk Officer

With the sheer volume and multiple types of cyber threats faced by businesses today, and along with new data protection legislation on the horizon, cyber security must be seen for what it really is: a key business risk.

Last year, an Aura survey* of IT decision makers found that 70% of respondents believe senior management see cyber security as a key concern or risk factor for their business.

We also know awareness of cyber risk at board-level is increasing – with three out of five IT decision makers saying they now provide some form of cyber or information security reporting to the Board or senior management.

This situation means that over the next few years Kiwi businesses are going to see a shift in who takes responsibility for cyber risk within an organisation. And yes, while ‘cyber security is everyone’s problem’ it’s going to become more of a Risk Officer thing than an IT manager thing.

What is Business Risk?

Business risk is easily defined as anything that threatens a company's ability to meet its targets or achieve its financial goals. There are many risks faced by all organisations, some of which are specific to certain industries, and others which are common across every company. It’s into this latter category that cyber risk falls, since virtually every organisation today is dependent on computer systems for its day-to-day operations and can therefore fall victim to a security breach.

Risk Officers are generally only employed by larger companies and, as implied by the title, are tasked with the identification, analysis, and mitigation of events that could threaten the business. In small to medium organisations a director of a company may share the responsibilities of a dedicated risk officer, rather than employ one individual. Note, however, that the risk officer isn’t the only one responsible for mitigating risks – people throughout an organisation will have varying contributions towards managing specific risks in their control. An example of this would be cashiers at a retail outlet, who must prevent unscanned goods from leaving, or directors who must maintain awareness of inventory.

The Reality (and Pervasiveness) of Cyber-Risk

There is plenty of evidence of the cyber-risks businesses face, with Air New Zealand’s Airpoints being the most recent in the news. Ransomware is on the rise, with even digital cameras a potential route of attack. And bear in mind, most businesses which suffer a ransomware or other attack won’t actually make the news at all – many simply pay or fix the issue and get on with it.

Direct loss of income, reputational damage and business disruption typically follow when cyber-risk turns into a successful cyber-attack. New laws, such as the European General Data Protection Regulation, Australia’s Notifiable Data Breaches law and the present overhaul of New Zealand’s Privacy laws are indicative of a growing recognition of the issue from policymakers – and the growing reality of compliance.

The bottom line is that information security is, as has been the case for some time, everyone’s problem. But given the pervasiveness of the risk, and the high stakes involved, it also requires specific time and attention from those whose role it is to analyse and quantify risk. And that means it is clearly an issue for the Risk Officer.