Cyber risk is an important risk management issue for companies of all sectors and sizes. Because of the potentially significant financial, legal and reputational consequences of cyber attacks, plus the growing awareness that governance and policy are essential parts of the solution, senior executives and board directors are becoming more involved in steering their companies’ cyber-security risk management efforts.

However, two-thirds of CEOs (and likely even more board directors) say they do not have the information they need to understand and translate IT security into business risk. Technology issues are particularly vexing. This translation gap stymies efforts to manage cyber risk in a deliberate, collaborative and effective manner, particularly when it comes time to approve the next year’s budget for cyber-security technologies and IT security.

Board members and CEOs are starting to ask their CISOs more questions about the relationship between cyber risk and cyber-security technology spending. Below are three key areas that demonstrate common gaps in understanding.

What makes your company a target for cyber attack?

Every company has cyber risk, regardless of sector, size and public profile. While headlines have focused on retailers, banks, and defence companies, the list of victims includes universities, private equity firms, manufacturers, small technology companies, critical infrastructure, law firms and countless small and medium businesses.

Even if your company is not the attacker’s target, you may be the way they choose to get there: the attacker who stole millions of credit card numbers from Target’s networks started the attack by targeting the networks of a small heating, air conditioning and refrigeration firm that serviced Target’s stores.

Apr-Jun 2014 Issue

Good Harbor Security Risk Management, LLC