The following article is part of our National Cyber Security Awareness Month (NCSAM) Article Series and was written by John Araneo, General Counsel, Align, and Managing Director, Align Cybersecurity™.
The cybersecurity phenomenon has changed the risk management game categorically. The world’s largest and most prominent corporations have fallen victim to both sophisticated and rudimentary attacks. Prominent law firms, big banks and world-class accountancy and consulting firms have all been successfully attacked, as have government entities (even those that regulate and enforce cybersecurity compliance), elections, buildings, utilities and devices; the list of targets goes on and on. Cyber-attacks are as invisible as they are pervasive, as ephemeral as they are indelible. Indeed, recent events clearly demonstrate that cyber threats have created an entirely new risk management paradigm. In determining how to approach cybersecurity compliance, there are several threshold issues that every organization must consider.
A Dynamic, Multi-factorial Issue
Cybersecurity compliance presents a dynamic, multidisciplinary challenge that requires a collective effort between business units that are typically siloed and personnel with disparate skill sets. There are several factors involved: the IT architecture, technologies, employee awareness, various workflows and data usage practices, third-party management and ever-evolving threat points and attack vectors. Making matters worse, the legal landscape is a patchwork of federal statutes, state laws, regulations, industry-specific rules and emerging best practices. Although this body of jurisprudence is far from harmonized, certain core elements are taking form as reliable “common denominators” for cybersecurity compliance. We have found that, under all the governing laws and pertinent rules and regulations, creating a model Cybersecurity Program time and time again requires input from various sources, including:
- Legal/compliance, to understand legal/regulatory landscape;
- IT, to understand the current IT architecture and its limitations;
- HR, to address employee training needs;
- Operations, to understand the firm’s data work-flows;
- Third parties, to understand and address vendor risk; and
- Management, to identify all IP and data inventory and to understand the types of data the firm stores, transmits or uses, such as confidential, third-party, proprietary or other sensitive data.
Even then, each firm needs to weave these data points together and design a thoughtful, compliant and highly tailored Cybersecurity Program that creates a viable framework for addressing the attendant risks involving its customers, vendors, employees and counterparties. Clearly, a multidisciplinary approach is critical to building an unimpeachable, model Cybersecurity Program.
A Culture of Compliance
Appointing a point person or manager of the program, a Cybersecurity Program Administrator, is a good first step and, in fact, under most regulatory regimes it is generally required. But the organization’s commitment to cybersecurity compliance must run deeper than that. The Cybersecurity Program Administrator must be empowered to effect change and be held accountable if the program fails. On either side of the Administrator, company leadership above must demonstrate full-throated buy-in to making cybersecurity a top-line focal point, and the employees below must be compelled, encouraged and/or incentivized to increase their knowledge, awareness and proficiency regarding these risks and how the program attempts to address them. Once the program has been successfully embedded throughout the organization, an external exercise should follow, in which the organization ensures that the same or similar controls to those of its program have been adopted by certain of its vendors, counterparties and other third parties.
The Human Element
Ironically, this inherently digital phenomenon invariably breaks down due to human error and/or manipulation. No technology, no black box and no IT architecture can remove this variable from the cybersecurity risk matrix. An organization’s staff (its employees, consultants, advisers and other agents) serves as its human firewall. Just as firewalls need to be updated and enhanced to maintain their capabilities, employees and staff members also need to be updated and trained on the basic concepts of security awareness as well as on emerging threats and risks. All employees should receive routine training and be subject to testing and simulated phishing campaigns. Moreover, the education program should be reportable and trackable, to ensure each employee receives additional training when necessary.
Putting the Pieces Together
Building a model Cybersecurity Program is generally perceived to be a daunting, unfamiliar exercise because it involves creating a synergy between typically siloed workflows and unfamiliar technical experts within one underlying framework. There really is no way around this; in fact, global cybersecurity spend has been reported to exceed $86.4 billion this year alone. The reality is that, like many compliance endeavors, those that approach cybersecurity compliance methodically (as a journey, not a destination) and routinely (think quarterly and annual assessments) will find that it is not impossible to ‘crack the code’ of cybersecurity compliance.
Keep an eye out for the next article in our NCSAM Series, which will be published this Thursday! Additionally, follow along on social media using the hashtag #NCSAMSeries!