Dane Warren


A Proactive Approach to Cybersecurity

Locking down your cyber-assurance program

Published: Monday, October 23, 2017 - 12:02

Sponsored Content

As businesses become increasingly dependent on an effective supplier network, more data must be shared with these suppliers to support business goals and deliver business value. This gives rise to the need for a more robust, next-generation approach to supplier assurance and oversight—especially in the realm of cybersecurity. A robust cyber-assurance program can help you be sure that your business is adequately supported and that your cybersecurity risks are identified.

The cost of security failure

In 2014 the retail giant Target fell victim to a heinous cyber attack that cost it more than $150 million. The attack originated at Target’s air-conditioning supplier and compromised the Target network. In 2017, we are seeing hacking groups evolve and adapt to increasing security within organizations, favoring suppliers of large organizations that may not have similar levels of cybersecurity sophistication.

Although leading studies have seen cyber-attack costs decrease over the last year, businesses are still facing an average breach cost of more than $7 million, which is almost a two-fold increase against 2016 estimations. In addition to this, if a third party is involved in the breach, the cost of the breach can increase by up to 11 percent.

Inside a cyber-assurance program

Whether you are beginning from scratch or your organization already has a cybersecurity program in place, knowing its scope and testing its effectiveness is key to understanding your current risks. Implementing a program to assess your current cyber risks will also help to mitigate future risks. The following five risk assessment exercises can provide clarity to better understand cyber risks to business value and outcomes.

Five cybersecurity assessment exercises

1. Internet hunting assessment: See what a hacker sees from outside.
Your first task is understanding what your organization’s exposure is from the internet. Without spending any money on additional tools, attempt to download and use what is freely available online. Your goal is to imitate the behaviour of hackers as best you can. If you can find a way into your company’s applications from the outside, be assured a hacker can too. Third-party assistance can be invaluable here. Small blind spots can be big liabilities.

2. Internal compromise assessment: Determine if a hacker is already inside due to lack of controls during previous years.
One effective tactic for assessing internal security risks is to partner with a leading next-generation cybersecurity vendor to confirm the scope of the assessment, and perhaps install a small application on some of your organization’s IT endpoints. This is an effective method to determine the level of compromise, if any, that has already occurred.

3. Internal application risk assessment: Understand the business-driving applications and their associated risks.
The idea here is to better understand the business, income generation, and supporting applications used within your company. Interview your technical and business teams to understand the business impact and technical likelihood of any security issue or incident occurring within each application. This ensures that the output of the assessment is a business-risk view, underpinned by the technical integrity of the supporting hardware and software. This directly links cyber risk to business outcomes.

4. Supplier-assurance program: Investigate business risks within your supplier base.
Nearly 20 percent of businesses are concerned about cybersecurity within their suppliers. With a large number of high-profile breaches being attributed to third-party suppliers, it’s incumbent upon all organizations to assess the top percentage of their suppliers to better understand the additional business risk being introduced by using third parties to store and process their data. If you store your data with 20 different suppliers, your cyber risk can be amplified by more than 20 times.

5. Internal controls assessment
With your security assessment done, controls must be developed—primarily adapted from industry best practices—and the highest risk applications assessed, so that your organization can better understand the supporting reasons for the applications to be in the state they are.

By conducting an internal controls assessment, you can see where your strategic gaps exist. You can use this information to intelligently invest in controls that will cover more risk per dollar spent.

Next steps

By combining these five assessment exercises you can begin to intelligently invest in risk reduction. The outcome is clarity about your company’s cyber risks, which leads to investments in your cybersecurity program that are effective and drive accountability. This means taking care of the right risks at the right time.

You can apply the assurance activities to your supplier network, and you can understand—in a single view—where your risks are across your entire technology system. When your view of the business through your supplier lens is clear, you can approach your suppliers in a strategic manner commensurate with your business risk appetite.

Assurance in isolation is only a part of the journey; the findings need to land somewhere so that activities can be developed. The most logical landing place is a risk-governance management committee, forum, or group. Your teams can use the data collected through these assessment activities to be better informed on how to direct strategic funding to the most serious risks.



About The Author

Dane Warren

Dane Warren is currently the Global Head of IT Security (CISO) at Intertek. Warren also spent several years as a Director of IT Security at Zurich Insurance Company, in charge of business information security for several APAC, European, and Middle Eastern countries. His earlier roles include Head of Information Risk and Security at Virgin Mobile (Australia), and CSO - Financial Services (APAC) at EDS. Dane has over 15 years of experience in IT Security, and holds a Master in Business IT Management from the University of Technology Sydney and several security certifications and accreditations. Warren was recently recognised as a top 100 global CISO; the list was generated by a nomination process that ran from the beginning of 2017 and culminated in an expert judging panel curating the top 100 CISOs for 2017.