Cyber crime has raised topics that require discussion at the highest executive levels of most organizations:
What is the current impact of cyber attacks on the conduct of business?
What plans and action programs are in place to deal with already identified cyber risks?
How do current cyber security activities compare with accepted standards and best practices?
How many cyber incidents have been detected and disposed of?
What are the practices for the notification of cyber incidents to executive management and to the government?
What process is used to prepare and then to validate a cyber incident response plan?
Is there continuous oversight into adherence to cyber security standards for systems, networks and software?
Do key personnel, at the business, technical and management levels, have the skills and training to understand the cyber risks, as well as the potential business damage, of the decisions they will make?
How can the organization depend on employees, suppliers and business partners to report serious security problems?
How can it be verified that those managing the defenses will respond rapidly and appropriately?
The above questions can be seen as constituting an actionable agenda for the executive committee of a commercial firm:
The source and authority of the appraisal of existing cyber risks should specify the respective roles of personnel such as the CIO, CSO and legal counsel in delivering status reports at periodic intervals.
Reporting on the current impact of cyber attacks must be sufficiently detailed as to sources, contents and participants so that full disclosure is assured. The role of legal counsel in receiving such information must be spelled out.
Action programs for countering cyber incidents should always be described in terms of the responsibilities of the organization's existing reporting structure, never of committees. Only a “line” organizational structure can be held accountable.
A report comparing the actual conditions for managing cyber security exposures with prevailing practices should be delegated to a trusted consultant or to someone else who is independent in making such judgments.
The critical responsibility to account for, and then report on, the detection, conclusion and evaluation of cyber incidents should be delegated to someone who cannot be seen as directly involved. As a general rule, only the authority of legal counsel can be expected to perform such an assessment.
Notification to the government, as well as any public disclosure, must be guided by legal as well as fiduciary roles. The likely impact of any financial or publicity disclosures, such as those governed by securities legislation, will dictate what caution is exercised to prevent premature disclosure. The role of legal counsel in this regard should always be followed.
Oversight of adherence to cyber security standards for systems, networks and software is a technical responsibility and can be executed only by the Chief Information Officer.
Ensuring that key personnel at the technical level have the skills, experience and training to understand the cyber risks should be the responsibility of the Chief Information Officer.
The qualification of managerial personnel to understand the potential business damage from cyber crime should be the responsibility of the Chief Operating Executive, not of personnel accountable for technical compliance.
Coping with cyber crime is becoming a significant, costly and all-encompassing functional responsibility of corporate management. Organizations must now act to counter rapidly rising threats that could have substantial adverse consequences.