Many businesses need to expand the number of in-house departments that focus on cybersecurity beyond IT, with an interdisciplinary group led by the chief financial officer dedicated to assessing and reducing cyberrisk, according to a new report released Monday.
While the IT department should remain a major player in cybersecurity efforts, the CFO and the legal, risk management, human resources, public relations and other departments need to be involved in decisions about risk before cybersecurity breaches happen, the report said. It was released by the Internet Security Alliance (ISA) and the American National Standards Institute (ANSI), a nonprofit group focused on setting standards for U.S. industries.
The two trade groups released the report, "The Financial Impact of Cyber Risk," through a series of workshops in which more than 30 organizations participated. Participants represented the perspectives of several corporate departments, and among the organizations involved were IBM, Lockheed Martin, Crimson Security, State Farm Insurance, Carnegie Mellon University's Software Engineering Institute, and the U.S. Departments of Justice, Commerce and Homeland Security.
"The lesson that this workshop learned quickly was that cybersecurity, which has been traditionally viewed by some companies as an IT issue, is not just an IT issue," said Ty Sagalow, president of product development for general insurance at American International Group (AIG) and the workshop leader. "Just like it is not just a legal issue to be solved by the general counsel. Just like it is not just a reputation issue or a communications issue to be solved by the head of public relations."
The report, subtitled "50 Questions Every CFO Should Ask," recommends that business CFOs become heavily involved in focusing on cyberrisk if they aren't already. CFOs are in a position to see the big picture and budget for increased IT spending, if needed, or cybersecurity insurance or more resources in other departments, Sagalow said. In addition, CFOs need to understand the potential financial risks to breaches or leaks, he said.
Asked if some CIOs or IT department heads would see increased involvement from CFOs and other departments as encroaching on their turf, members of the task force that produced the report said they shouldn't. Many IT departments already recognize that they're only part of the solution to cybersecurity issues, said Edward Stull, a software architect for Direct Computer Resources and chairman of an IT security best practices group for the InterNational Committee on Information Technology Standards.
Many IT departments are underfunded, added Larry Clinton, ISA's president. Increased attention from the CFO could result in additional funding and an additional focus on IT needs, he said.
It may be obvious why the report recommends the legal and public relations departments be involved in cyberrisk decisions. But even human resources has a role to play, as an estimated 70 percent of breaches come from inside the organization, Stull said.
Among the questions CFOs should ask department heads, according to the report:
-- Has the company analyzed our cyberliabilities?
-- What's the potential for us to be named in class-action lawsuits after a breach?
-- Are there valid reasons we're collecting personal information?
-- What is our biggest cybervulnerability?
-- Do we have a documented and proactive crisis communications plan?
The annual economic impact of cyberattacks in the U.S. is about $226 billion, according to a 2004 estimate from the Congressional Research Service. It's time for businesses to look at cybersecurity in a new way, with multiple departments involved in the issue, said members of the report task force. "If companies view cybersecurity as solely an IT issue, then we're not going to be as secure as we can be," Sagalow said.
ISA and ANSI believe the report reflects a new way of looking at cybersecurity and cyberrisk, he added.
"Cybersecurity isn't an IT issue," Clinton added. "It's an enterprise-wide risk management issue that affects every aspect of the organization."