Boards Are Failing at Cyber, New Report Finds

SAN FRANCISCO—Information security executives are telling boards what they want to hear, not what they need to hear, and boards are frequently not asking the right questions or understanding the responses, according to a report released today by Bay Dynamics at the RSA Conference.

“The report reveals that both the board and security professionals are not doing their jobs when it comes to security reporting,” said Feris Rifai, co-founder and CEO at Bay Dynamics. “The board isn’t holding IT and security executives accountable for providing accurate, traceable and actionable information, and security executives are failing to report information that is accurate, traceable and actionable. Both parties must do better if they want to make the right decisions that minimize their cyberrisk.”

While the majority surveyed say they know what to present to the board, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cyber security threats. This may be in part because of the ongoing struggle to fully understand and measure cyberrisk exposure and the costs of failure.

Just over half of boards expressed a strong preference for qualitative information, while 38% have a preference for quantitative data. To truly make appropriate decisions, however, the board must focus more on quantitative information in context, meaning qualitative information must be wrapped around quantitative information, the report explained.

Regardless of what information they provide, only a third of IT and security executives believe the board understands the information they are given about cyber threats. In turn, only 39% think they are getting the support they need from the board to address threats. Some other major issues these executives identified in their reporting included:

[Chart: cyberrisk information reported to board]

While 36% of boards want recommendations for additional spending and 34% want recommendations to reduce cybersecurity spending, boards are getting little data about the specifics of information security investments. The most common type of information reported about cybersecurity issues is known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data loss incidents, Bay reported, while information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

[Chart: cyberrisk information reported to board]

Reporting is also relatively infrequent for such a rapidly evolving high-risk exposure, with most executives only presenting to the board quarterly, and 18% even less frequently.

[Chart: reporting frequency]

Looking forward, Bay Dynamics had the following suggestions for how both boards and IT and security executives can improve:

Issues the board must address:

  • The board is not doing its job when it comes to effectively managing cyberrisk.
  • Boards of directors must hold IT and security executives accountable for providing accurate, actionable information about their cyberrisk to help the board make effective decisions about their cybersecurity programs.
    Boards cannot make decisions about what they consider acceptable risk if they don’t have actionable information.

  • Boards must demand actionable information from IT and security executives about their cyberrisk since the board is responsible for the company’s risk appetite. Strengthening their cyberrisk program begins with the board.

Issues IT and security executives must address:

  • IT and security executives must communicate to their boards more effectively and more completely using quantitative and qualitative information. They should communicate the value of data at risk using numbers that explain what it is and how to take action to protect it.
  • Given that board members in many organizations are typically less technical than the IT and security executives reporting to them, the latter must contextualize the information in order to make it both understandable and actionable.

Enterprise Risk Lagging Globally, Study Finds

Despite a widening range of risks faced by organizations globally, less than 35% of companies say they have an enterprise risk management (ERM) plan in place. What’s more, 70% would not describe their oversight as mature, according to the Chartered Global Management Accountant (CGMA) report Global State of Enterprise Risk Oversight 2nd Edition.

The study found that 60% of boards of directors globally are pressuring their companies to increase involvement of senior management.

The U.S. is lagging in some areas, with only 46% of its boards assigning risk oversight responsibilities to a committee compared to 70% globally.

One survey conclusion:

Unfortunately, many executives view risk management as mostly focused on compliance and loss prevention with little connection to strategy and value creation. As organizations evaluate their risk management processes, they may benefit from providing an honest assessment about the extent to which risk management in their organization is an important input to the strategic planning process. Given executives understand the importance of taking risks to generate returns, shouldn’t risk management be an important strategic tool by providing risk insights that inform strategy?

Other key findings of the study include:

[Infographic: Navigating the risk landscape]

5 Questions Boards and the C-Suite Should Be Asking About Cyberrisk

There is growing concern that corporate boards and senior executives are not prepared to govern their organization’s exposure to cyberrisk. While true to some degree, executive management can learn to identify and focus on the strategic and systemic sources of cyberrisk, without becoming distracted by complex technology-related symptoms, by understanding the organization’s ability to make well-informed decisions about cyberrisk and reliably execute those decisions.

Making well-informed cyberrisk decisions

To gain greater confidence regarding cyberrisk decision-making, executives should ensure that their organizations are functioning well in two areas: visibility into the cyber risk landscape, and risk analysis accuracy.

1. “How good is our cyberrisk visibility?”

You can’t manage what you haven’t identified. Many companies focus so strongly on supporting rapidly evolving business objectives that they lose sight of closely managing the technology changes that result from those objectives. Consequently, it is common to find that organizations have an incomplete and out-of-date understanding of:

  • Their company’s network connectivity to other companies and the Internet
  • Which systems, applications, and technologies support critical business functions
  • Where sensitive data resides, both inside and outside their company’s network

Without this foundational information, an organization can’t realistically claim to understand how much cyberrisk it has or where its cyber risk priorities need to be.

2. “How accurately are we analyzing cyberrisk?”

It is common to find that over 70% of the “high-risk” issues brought before management do not, in fact, represent high risk. In some organizations more than 90% of “high risk” issues are mislabeled. When it comes to analyzing cyberrisk, several foundational challenges exist in many organizations:

Nomenclature

How anxious would you be to ride on a space shuttle mission if you knew that the engineers and scientists who planned the mission and designed the spacecraft couldn’t agree on definitions for mass, weight, and velocity?

Odds are good that if you ask six people within your risk management organization to define “risk” or provide examples of “risks” you’ll get several different, perhaps very different, answers. Given this, it isn’t hard to imagine that risk analysis quality will be inconsistent.

Broken models

In the cyberrisk industry today, there is heavy reliance on the informal mental models of personnel. As a result, very often the focus of a “risk rating” is strongly biased on a control deficiency rather than a more explicit consideration of the loss scenario(s) the control may be relevant to. Without applying a probabilistic lens to risk analysis it is much more difficult to differentiate and prioritize effectively among the myriad loss events that could, possibly, happen.

Another challenge is that most technologies that identify weaknesses in security generate significantly inflated risk ratings. The outcome is wasted resources, unwarranted angst, and an inability to identify and resolve the issues that truly deserve immediate attention.

Although risk management programs within some industries have begun to examine and manage the risk associated with poor models, this focus is often limited to models that do quantitative financial analysis. This leaves unexamined:

  • The mental models of risk professionals and whether their off-the-cuff risk estimates are accurate
  • Home-grown qualitative and ordinal models
  • Models embedded within cyberrisk tools

Yet these models, with their implicit assumptions and weaknesses, are responsible for driving critical decisions about how organizations manage their cyber risk landscapes.

Reliable execution

Although risk management expectations and objectives are set through decision-making, execution is the deciding factor on whether the organization is able to consistently realize the intended outcomes.

3. “How well do personnel understand what’s expected of them?”

In one organization, the information security policies were written at a grade 21 reading level. Most organizations today have some form of information security policy and related standards, and many even require personnel to read and acknowledge those policies annually. Very often, however, the policies have been written by consultants or subject matter experts using language that is complex and/or ambiguous. As a result, personnel may dutifully read and acknowledge the policies but may not have a clear understanding of what is actually expected of them.

4. “How capable are personnel of meeting expectations?”

Things change. When budget belts get tightened organizations often cut training budgets. Given the rapid pace of change in the cyberrisk landscape, this can create serious skills gaps for cyberrisk professionals and technologists.

Another challenge in this regard has to do with outdated technology. Many organizations hang on to technologies well beyond the point where they can be maintained in a secure state. As a result, “policy exceptions” for these technologies become routinely accepted, which limits the ability of the organization to achieve or maintain its own security objectives.

5. “How well are personnel prioritizing cyberrisk?”

Which is more important: revenue, budgets, deadlines, or cyberrisk?

Root cause analyses performed on cyberrisk deficiencies have found that personnel routinely choose not to comply with cyberrisk policies because they believe revenue, budgets, and/or deadlines are more important. This is influenced in part (perhaps a significant part) by the challenges noted above regarding risk-rating inaccuracies. It isn’t unusual to find that overestimated risk ratings create a “boy who cried wolf” syndrome within organizations. The result is that organizations don’t consistently or meaningfully incentivize executives to achieve cyberrisk management objectives, because there is tacit recognition that much of what is claimed to be high-risk is not. Another factor is that revenue, cost, and deadlines are measurable in the near term, whereas many high-impact risk scenarios are less likely to materialize before they become “someone else’s problem.”

The bottom line is that prudent risk-taking is only likely to occur if executives are provided accurate risk information and if they are appropriately incentivized based on the level of risk they subject the organization to.

At the end of the day…

Effectively governing cyberrisk is within the grasp of senior executives who deal with complex and dynamic challenges every day. By examining their organization’s ability to make well-informed decisions and to execute reliably, senior executives can more effectively identify and address the strategic and systemic sources of risk within their organizations.

Executive Focus Shifting to Operational Risks in 2015, Study Finds

Board members and C-suite executives across industries perceive the global business environment in 2015 as somewhat less risky for organizations than in the past two years. In “Executive Perspectives on Top Risks for 2015,” consulting firm Protiviti and the Enterprise Risk Management Initiative at the North Carolina State University Poole College of Management found that this is far from bad news for risk managers, as organizations are actually more likely to invest additional resources in risk management. Internal challenges like succession, attracting and retaining talent, regulation and cybersecurity are drawing the most attention, according to the report.

“Our survey findings indicate that operational risk issues are keeping many senior executives up at night,” said Mark Beasley, Deloitte Professor of Enterprise Risk Management and NC State ERM Initiative director. Indeed, for the third consecutive year, regulatory changes and heightened regulatory scrutiny ranked as the number one risk on the minds of board members and corporate executives, with 67% indicating that it will “significantly impact” their organizations. More than half of global survey respondents indicated that insufficient preparation to manage cybersecurity threats is a risk that will “significantly impact” their organizations in 2015, pushing cyberrisk up three spots from last year to the third-greatest risk.

The Top 10 Risks for 2015

The top 10 risks identified in the annual risk survey, along with the percentages of respondents who identified each risk as having a “Significant Impact” on their business, were:

1. Regulatory changes and heightened regulatory scrutiny may affect the manner in which our products or services will be produced or delivered (67%)

2. Economic conditions in markets we currently serve may significantly restrict growth opportunities for our organization (56%)

3. Our organization may not be sufficiently prepared to manage cyber threats that have the potential to significantly disrupt our core operations and/or damage our brand (53%)

4. Our organization’s succession challenges and ability to attract and retain top talent may limit our ability to achieve operational targets (56%)

5. Our organization’s culture may not sufficiently encourage the timely identification and escalation of risk issues that have the potential to significantly affect our core operations and achievement of strategic objectives (51%)

6. Resistance to change may restrict our organization from making necessary adjustments to the business model and core operations (49%)

7. Ensuring privacy/identity management and information security/system protection may require significant resources for us (52%)

8. Our organization may not be sufficiently prepared to manage an unexpected crisis significantly impacting our reputation (46%)

9. Sustaining customer loyalty and retention may be increasingly difficult due to evolving customer preferences and/or demographic shifts in our existing customer base (48%)

10. Our existing operations may not be able to meet performance expectations related to quality, time to market, cost and innovation as well as our competitors (46%)

The survey also identified differing perceptions of the current risk environment between boards of directors and members of the executive team. CEOs and boards of directors reported more optimism about risk issues, while CFOs and chief audit executives perceived a riskier business environment.

“Given encouraging signs in the economy, we’ve observed an overall shift in focus from macroeconomic risks to operational risks, which had the greatest increase in risk scores from 2014. Notably, however, CEO respondents remained extremely focused on macro trends affecting their business,” Beasley said.

Check out the infographic below for more of the study’s key findings:

[Infographic: Protiviti Top Risks for 2015]