Genuinely Understanding What’s Happening
It is critically important that organizations pay close attention to the loss history -- both within their own organization, and outside their organization -- in order to get a sense for what is actually happening in the fast-changing information security and privacy field. Loss history data points of note should include not just the security and privacy breaches reported, but also:
- internal accounting frauds suffered
- related insurance claims filed
- security vulnerability reports received
- staff grievances about security and privacy submitted
- third party reported vulnerabilities not addressed
- shareholder lawsuits filed
- budget overruns occasioned by security or privacy problems
- lost staff days due to system downtime
- lost business deals caused by inadequate intellectual property controls
- government regulator interventions triggered
- adverse external audit reports received
The Need for Management Intervention
Far too many organizations delegate the information security and privacy area to technical staff, and leave it at that. This hands-off delegation isn't working very well. For example, PWC released a 2017 report entitled the Global State of Information Security. That report noted that only 44% of Boards actively participate in the management of their companies' overall security strategy. What's often missing is a top-down strategy to manage information security and privacy. Technically, this process involves a risk management system, and it is described in various international standards such as ISO 27001 (from the International Standards Organization) and COBIT5 (from the Information Systems Audit and Control Association).
(Figures omitted; their titles were: "The number of attacks is increasing", "Attacks Are Costly", "Percent of Incidents by Category".)
Establishing an organization-wide IT governance structure to ensure that the information security and privacy area is adequately addressed, on an ongoing basis, is a multi-project endeavor. One often overlooked part of this endeavor is the establishment of a loss history record-keeping process, a related analysis process, and a related report generation process. Another part is clarifying roles and responsibilities in this same area. Still another part is the implementation of a formal risk management system. There are many others... Only when information security and privacy is approached from multiple angles, using multiple techniques, and multiple tools, and only when all these projects are formally integrated with the organization's risk management process, can there be hope that the protective steps that have been taken will be adequate.