In my last post, I discussed the contentious and confusing nature of cyber risks. In this post, I check in with an expert, Identity Theft 911 Senior Vice President of Data Risk Management Brian McGinley, to get a read on the most important facets of information security in the coming year. McGinley’s firm is a provider of organizational data risk management services.

Eric Krell: When it comes to budget considerations for 2012, what should risk managers and information security personnel keep in mind?

Brian McGinley: Data risk management should be a front-and-center consideration for 2012. We are chasing cybercrime and are behind the curve in terms of protection and countermeasures. We unfortunately too often use an investment model of “too little — too late” and our organizations, customers and citizens are paying a high price for it. The cyber-threats are getting more and more insidious. What used to be a possibility is now a probability when it comes to the risk of damaging information security events and breaches impacting your organization. What you don’t know can and will hurt you — it is no longer a matter of “if” but rather a matter of “when.”

Bolstering a company’s information security posture can be hard, expensive work. Early planning is essential. Assessment, remediation, and upgrading of systems are often a slow, staged and cumbersome process. There is a long solution identification, vetting, selection, approval, funding and procurement process. The System Development Lifecycle (SDLC) is a double-edged sword — it is vital to successful system implementation and change management, but can hurt us in terms of rapid deployment of system countermeasures as emerging threats manifest themselves. Beyond the systems is the need to make sure that the right organization structure and human capital is in place to manage the programs, systems and supporting processes end-to-end. Data risk management is an area where “you need to dig your well before you are thirsty!”

Eric Krell: What are some common — and potentially troubling — misconceptions about organizational information security and data privacy risks?

Brian McGinley: One of the common themes we often see in the executive suite is the tendency to look to the past to determine the future in the data risk area when evaluating risk and prioritizing funding and resources. It’s what we call, “there is never a problem — until there is a problem!” While you can learn from the past, it is a mistake to predict from it — especially in the cyber-threat arena. If the company is fortunate enough to not yet have been impacted by a data risk event, they may be in denial of the threat and complacent in addressing known exposures.

There are also some misconceptions in two specific areas that the CFO should be looking at to avoid nasty surprises. One is around business insurance coverage and its relation to cyber-events. You need to know specifically what is covered and what is not covered under your general business liability provisions in the event of various cyber-threat issues. You then need to take a look at your business and determine whether specific cyber-liability coverage makes sense for the organization.

Two, the CFO together with Legal Counsel needs to take a hard look at the provisions contained within their company’s customer account holder agreements with their bank(s). It is important to understand where the liability for fraudulent transactions like unauthorized wire transfers, ACH transactions and counterfeit checks resides and under what circumstances. Many assume that the bank is responsible in the event of an unauthorized transaction and often, this is not the case. The other considerations related to bank accounts include a determination of whether the accounts are set up correctly for their intended purpose with appropriate transaction restrictions for internal accounts like ZBAs, and taking advantage of available protections like positive pay for checks and ACH, special alerting features, use of dynamic password tokens for on-line access and other features. Many times, these areas are not looked at until there is a major fraud issue and the parties are then in adversarial positions. Have the hard conversations with your bankers before there is an issue. Forewarned is forearmed.

Eric Krell: Within companies with the most effective cyber security programs, what are some key elements of the finance function involvement in these efforts?

Brian McGinley: Whether it is fraud or finance — it’s all about the money. Finance can be the boon or bane in helping to support the building of a solid loss-resistant organization. Finance is often uniquely positioned to balance the demands of the business lines with the needs of the infrastructure.

Companies with successful cyber security programs typically have some tenets in common, including the following:

• Finance has developed an appreciation for how strong risk organizations contribute to the bottom-line performance of the organization;
• Finance is an advocate for doing the right thing when it comes to making proactive investments in the risk infrastructure;
• Finance has a good working relationship and is plugged into the risk entities within the organization; and
• Finance assists in helping the risk organizations to make strong business cases that support the right investments.

Frankly, Big Fat Finance, some risk management folks fail to make strong, cogent business cases to support their resource needs in the language their business understands. In other cases, in spite of their best efforts, their outcry goes unheeded. CFOs need to understand there is significant filtering that occurs in the lower echelons of the organization, so that data risk issues may not make it to the top of the house. For this reason, we recommend that they create or plug into risk forums closer to the source of the subject matter experts and foster open communication in these critical areas.

Eric Krell: How will regulations and laws affect the way businesses manage and transfer data?

Brian McGinley: If you are in a regulated industry and you maintain personally identifiable information (PII), Protected Health Information (PHI) or Payment Card Information (PII) — there is a “feeding frenzy” in the wake of lost data due to insufficient data risk management practices. The expectation is that data of this nature that has been entrusted to you will be adequately protected from foreseeable threats. The various regulators as well as the Federal Trade Commission, US Attorneys’ Office and local state’s Attorneys General are showing little sympathy to companies impacted by data breaches. For many companies, their troubles and pain are just beginning once they have identified and remediated a breach and the regulatory bodies and law enforcement entities come a-knocking at their door. It is an unforgiving environment and the operational and reputational risks are high.

Another area of focus will be compliance with the Payment Card Industry Data Security Standard (PCI-DSS). There are many organizations that still have a long way to go towards getting their systems and processes in line with the requirements.

Eric Krell: Information privacy and security is a growing issue in the U.S., but it still does not seem to receive the cross-functional attention it garners in other parts of the world, namely Europe. How and why are these concerns important to CFOs and the corporate finance function?

Brian McGinley: Appropriate remedies require appropriate resources, which must be carved out of a finite funding pool. Failure to make adequate investments to create and sustain a solid data risk management environment will typically come home to roost with much larger downstream consequences, expense, and operational impact than ever contemplated when first decided. Experience teaches that it is a “pay now” or lose a bundle and pay big later situation. If the exposures are there and are not remediated, they will be exploited, usually sooner rather than later.