Cybergovernance Journal Update – 2/5/2016
Regulations, periodic assessments and theoretical models can only lead the way to a partial, but not comprehensive, cybersecurity solution. This is especially true when it comes to making cybergovernance accessible to executives — until now.
TexasCEO, Jan. 30
We found a growing understanding that cybersecurity is more than just a technology problem. A friend pointed out that cybersecurity governance (aka cybergovernance) is tracking a path similar to financial governance. The recent tsunami of highly publicized cyber breaches is creating a similar pressure for cybersecurity compliance.
Cybergovernance Journal, Feb. 1
Global threat intelligence providers report on over 500,000 malicious websites – and that list of websites turns over every day. To suggest that firms can optimize their perimeter defenses against 500,000 new threats every day is unreasonable. This fact is an uncomfortable reality for those who’ve based their risk ratings on externally available data.
Cyber risk isn’t primarily about technology. It is first and foremost about governance, requiring proactive involvement by the board in companies and organizations of all sizes. In 2015, many cases of cyber-risk management gone wrong were disclosed.
JDSupra Business Advisor, Jan. 29
“Unsolicited advice” to organizations faced with developing data security plans: Neuman said that the tone set at the top percolates throughout an organization and that buy-in from senior leaders is needed to create an effective organization-wide plan.
LinkedIn, Jan. 31
Empowering the board to oversee cybersecurity risk mitigation is vital. The issue of cybergovernance is tracking the path that financial fraud followed in the early 2000s before the Sarbanes-Oxley Act. How will corporate boards comply with a new cybersecurity bill that delineates their liability for overseeing company progress?
It’s been a widely accepted “check the box” cybersecurity practice to engage in periodic cyber risk assessments designed to give management assurance about whether their cyber defenses are adequate. Any cybersecurity process that relies heavily on periodic risk assessments is not only giving the company a false sense of how safe it is, it’s deflecting energy and resources away from discovering, mitigating and/or preparing for real, active and immediate cyber threats.