Dane Warren

Management

A Proactive Approach to Cybersecurity

Locking down your cyber-assurance program

Published: Monday, October 23, 2017 - 11:02

Sponsored Content

As businesses become increasingly dependent on an effective supplier network, more data must be shared with those suppliers to support business goals and deliver business value. This gives rise to the need for a more robust, next-generation approach to supplier assurance and oversight, especially in the realm of cybersecurity. A robust cyber-assurance program helps you confirm that your business is adequately supported and that your cybersecurity risks, including the ones your suppliers introduce, are identified.

The cost of security failure

The Target breach disclosed at the end of 2013 cost the retailer more than $150 million. The attackers gained their initial foothold through network credentials stolen from Target's heating and air-conditioning contractor, and from there compromised the Target network. In 2017 we are seeing hacking groups evolve and adapt to improving security inside large organizations by turning to those organizations' suppliers, which often do not have the same level of cybersecurity sophistication.

Although leading studies report that average breach costs fell over the past year, businesses still face an average breach cost of more than $7 million, almost twice the figure estimated for 2016. If a third party is involved in the breach, the cost can rise by up to a further 11 percent.

Inside a cyber-assurance program

Whether you are beginning from scratch or your organization already has a cybersecurity program in place, knowing its scope and testing its effectiveness is key to understanding your current risks. A program that assesses your current cyber risks also helps you mitigate future ones. The following five risk assessment exercises provide the clarity needed to understand how cyber risk affects business value and outcomes.

Five cybersecurity assessment exercises

1. Internet hunting assessment: See what a hacker sees from outside.
Your first task is to understand your organization's exposure from the internet. Without spending money on additional tools, download and use the free tools available online, and imitate the behaviour of an attacker as closely as you can: enumerate your public hosts, the services they expose and the software versions they announce. If you can find a way into your company's applications from the outside, be assured a hacker can too. Third-party assistance can be invaluable here. Small blind spots can be big liabilities.
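The raw output of a free scanner is only the starting point; the useful artefact of this exercise is a prioritised list of what an outsider can reach that should not be reachable. The following is an added example, not code from the article or from the author's organisation. It assumes you have scanned your own public address ranges with nmap (a free tool) and saved its grepable output (`-oG`), whose port entries are `port/state/protocol/owner/service/rpcinfo/version/`. The service lists and severity labels are hypothetical triage weights for illustration, and the scan text embedded below is a constructed sample, not real output.

```python
"""Triage an external nmap -oG scan into a prioritised findings list.

Added example (not from the original article). Assumes nmap's grepable
output format; HIGH_RISK_SERVICES / EXPECTED_SERVICES are illustrative
policy choices, not a standard.
"""
from dataclasses import dataclass

# Services that should essentially never face the internet, with the
# reason a reviewer would give. Service names are nmap's own labels.
HIGH_RISK_SERVICES = {
    "telnet": "cleartext remote administration",
    "ftp": "cleartext file transfer and credentials",
    "ms-wbt-server": "RDP exposed to password spraying and RCE bugs",
    "microsoft-ds": "SMB exposed (lateral-movement protocol)",
    "ms-sql-s": "database reachable from the internet",
    "mysql": "database reachable from the internet",
    "postgresql": "database reachable from the internet",
    "mongodb": "database reachable from the internet",
    "redis": "datastore that is unauthenticated by default",
    "vnc": "remote desktop with weak authentication",
}
# Services an internet-facing host is normally expected to offer.
EXPECTED_SERVICES = {"http", "https", "smtp", "ssh"}


@dataclass
class Finding:
    host: str
    port: int
    service: str
    version: str
    severity: str  # "high" | "medium" | "info"
    reason: str


def parse_grepable(text):
    """Yield (host, port, proto, state, service, version) from nmap -oG text."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comments and 'Status: Up' lines carry no ports
        host = line.split()[1]
        # The Ports field runs until the next tab-separated field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            yield host, int(port), proto, state, service, version


def triage(text, expected=EXPECTED_SERVICES):
    """Classify every open port and return findings, worst first."""
    findings = []
    for host, port, _proto, state, service, version in parse_grepable(text):
        if state != "open":
            continue  # filtered/closed ports are not reachable
        if service in HIGH_RISK_SERVICES:
            findings.append(Finding(host, port, service, version, "high",
                                    HIGH_RISK_SERVICES[service]))
        elif service in expected:
            findings.append(Finding(host, port, service, version, "info",
                                    "expected internet-facing service"))
        else:
            findings.append(Finding(host, port, service, version, "medium",
                                    "unexpected service; confirm it is meant to be public"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (order[f.severity], f.host, f.port))


# Constructed sample in nmap -oG format (addresses from the documentation range).
SAMPLE_SCAN = """# Nmap scan initiated (constructed sample, not real output)
Host: 192.0.2.10 (www.example.test)\tStatus: Up
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 443/open/tcp//https//nginx/, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/\tIgnored State: closed (997)
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 8080/open/tcp//http-proxy///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_SCAN):
        print(f"[{f.severity:6}] {f.host}:{f.port} {f.service} {f.version} - {f.reason}")
```

Run it against a real `-oG` file by replacing `SAMPLE_SCAN` with the file's contents. The "medium" bucket is where most of the blind spots the article warns about turn up: a forgotten test service on a non-standard port is neither on the expected list nor on the obviously dangerous one, so it needs a human to decide whether it belongs on the internet at all.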

2. Internal compromise assessment: Determine whether a hacker is already inside because of a lack of controls in previous years.
One effective tactic for assessing internal security risk is to partner with a next-generation cybersecurity vendor, agree on the scope of the assessment, and install a small agent on a sample of your organization's IT endpoints to look for signs of existing intrusion. This is an effective way to determine the level of compromise, if any, that has already occurred.

3. Internal application risk assessment: Understand the business-driving applications and their associated risks.
The idea here is to better understand the business, income generation, and supporting applications used within your company. Interview your technical and business teams to understand the business impact and technical likelihood of any security issue or incident occurring within each application. This ensures that the output of the assessment is a business-risk view, underpinned by the technical integrity of the supporting hardware and software. This directly links cyber risk to business outcomes.

4. Supplier-assurance program: Investigate the business risks within your supplier base.
Nearly 20 percent of businesses are concerned about cybersecurity within their suppliers. With a large number of high-profile breaches attributed to third-party suppliers, it is incumbent on every organization to assess its highest-impact suppliers to understand the additional business risk introduced by letting third parties store and process its data. If you store your data with 20 different suppliers, there are now 20 separate places where it can be breached, each with its own controls and its own sub-suppliers, so your exposure grows at least in proportion to the number of suppliers you use.

5. Internal controls assessment: Map your controls against your highest-risk applications.
With the risk assessments done, the controls you have and the controls you should have (drawn primarily from industry best practices) must be mapped against the highest-risk applications, so that your organization understands why each application is in the state it is in and what is missing.

By conducting an internal controls assessment, you can see where your strategic gaps exist. You can use this information to intelligently invest in controls that will cover more risk per dollar spent.

Next steps

By combining these five assessment exercises you can begin to intelligently invest in risk reduction. The outcome is clarity about your company’s cyber risks, which leads to investments in your cybersecurity program that are effective and drive accountability. This means taking care of the right risks at the right time.

You can apply the same assurance activities to your supplier network and understand, in a single view, where your risks lie across your entire technology estate. Once you can see your business clearly through the supplier lens, you can engage each supplier in a manner commensurate with your business risk appetite.

Assurance in isolation is only part of the journey; the findings need to land somewhere so that remediation activities can be planned and tracked. The most logical landing place is a risk-governance committee, forum, or group. Your teams can use the data collected through these assessment activities to direct strategic funding to the most serious risks.

Sign up for the free webinar "Intelligent Assurance Cyber Risk Assessments" to help you identify where your risks and vulnerabilities are and implement a total cybersecurity assurance plan.


About The Author

Dane Warren

Dane Warren is currently the Global Head of IT Security (CISO) at Intertek. Warren also spent several years as a Director of IT Security at Zurich Insurance Company, in charge of business information security for several APAC, European, and Middle Eastern countries. His earlier roles include Head of Information Risk and Security at Virgin Mobile (Australia) and CSO, Financial Services (APAC), at EDS. Dane has more than 15 years of experience in IT security and holds a Master's in Business IT Management from the University of Technology Sydney, as well as several security certifications and accreditations. Warren was recently recognised as a top 100 global CISO; the list was generated by a nomination process that ran from the beginning of 2017 and culminated in an expert judging panel curating the top 100 CISOs for 2017.