lolloj - Fotolia
As the WannaCry ransomware attack unfolded in May 2017, Airlines Reporting Corp. CISO Rich Licato conferred with his staff.
Licato ticked off questions: Was the attack relevant to the company? Where were its vulnerabilities? Was the organization protected? He quickly received his answers: The company was 100% covered with its network protection and endpoint protection layers, while it was 99% covered with its patching updates.
There were no panicked staffers, nor a need to shut down systems.
"We knew it wasn't a problem for us, and we knew that fairly quickly," Licato said, adding that his team patched the 1% of older systems that hadn't been updated prior to the attack.
Many companies fall far short when it comes to evolving cyber-risk management processes. Consider PwC's sixth annual Risk in Review report, released in April 2017, which polled more than 1,500 executives across 30 industries. It found that although respondents identified cybersecurity as a growing risk, only 9% scored high in regards to cyber-risk maturity at their organization.
Meanwhile, enterprise security vendor Bromium Inc. surveyed 210 security professionals in early 2017 and found that 10% admitted to paying a ransom or hiding a breach, while 35% admitted to going around, turning off or bypassing their corporate security settings.
Licato attributed his team's ability to assess whether and where WannaCry threatened Airlines Reporting to having not just the right defensive technologies in the IT stack, but also to having a strong cybersecurity governance program. This program ensured all the necessary technologies, protocols and procedures were in place to respond to any emerging risk, threat or solution that might hit the market.
"When it comes to maturing and sustaining your cyber-risk program, I boil it down to culture," he said. "Trying to treat security as a separate thing and not integrating it into your business process, I don't think it creates a sustainable program and you never get to the level of maturity you want it to be."
Action vs. reaction
Cybersecurity experts say the recent reports confirm what they're seeing in many organizations: Cybersecurity governance programs often focus on delivering point solutions, making them reactive tactics that can't keep pace with rapidly changing business needs and risks.
"It's a bit of a failure within the governance programs," said Cynthia J. Larose, chair of the privacy and security practice and a Certified Information Privacy Professional at law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
It's this lack of governance, she and others said, that has companies running out-of-date systems vulnerable to attacks like WannaCry.
Greg Bellglobal cybersecurity services strategic growth initiative co-leader, KPMG International
Organizations struggle with managing cyber-risk management and developing a mature governance posture for a variety of reasons, cybersecurity experts said. Corporate officers often separate cyber-risk from other areas of risk, so it becomes siloed. Many company leaders, including CIOs and other IT managers, also isolate cybersecurity as a separate program, thereby, making it something that's bolted on rather than integrated into the IT stack and the company culture.
Moreover, cybersecurity is complicated and expensive, making it difficult for seasoned executives to tackle.
"[Boards] are struggling with cybersecurity. Every year the budget for it goes up, and they ask if they're more secure, and they hear, 'No, not really,'" said Greg Bell, the global cybersecurity services strategic growth initiative co-leader for KPMG International.
Bell said companies in a few key industries -- namely, financial services and other highly regulated sectors -- have developed mature governance programs to manage cybersecurity. But with the exception of the largest companies, the vast majority of organizations across most other sectors have not done the heavy lifting required to implement the policies, procedures and protocols that align with evolving business needs and cybersecurity requirements.
Maturing cybersecurity governance
To ensure a company has such strategic alignment, Bell said it must develop, manage adhere to and continually evolve a governance plan that includes key characteristics that go beyond existing cybersecurity operational frameworks such as NIST 800-53 and the ISO/IEC 27000 series. Companies need those operational standards as well as their own framework that outlines governance processes, he explained.
He said KPMG advises its clients to use its own cyber-oversight framework that integrates with business processes so cybersecurity aligns to strategy. It's also vital to have a clear understanding of where information and intellectual property resides and a plan to manage a breach or other cyber incident when it occurs, Bell added.
Larose provided a list of traits that indicate a mature approach to governing cyber-risk, including the following:
- a leader accountable for cybersecurity;
- a cross-functional interdisciplinary cybersecurity committee that meets on a regular basis with various business leaders, including security experts and functional heads who actively collaborate on risk and security issues;
- ongoing training for employees, partners and even customers; and
- a board that's engaged with cybersecurity issues and supports it with funding.
Like Bell, Larose said most companies don't possess those characteristics. Moreover, she's not optimistic they'll build that capacity anytime soon despite cyberattacks continuing to make headlines and costing businesses money. Instead, she believes it will take major disruptions before corporate America takes action.
She expects that type of disruption -- one that will shut down and cripple companies' ability to actually do business -- is coming soon, leaving those who have mature cyber-risk management and governance processes better able to weather such an event.
"They'll be both the ones that will stand to profit and grow, they'll have the competitive advantage," she said.
Cybersecurity strategy "resolutions" for 2017
Opinion: Private sector should contribute more to national cybersecurity