Countering cyber risk is one of the major concerns for leaders across industries. At the same time, the rapid advances in networked technology give organizations opportunities to counter cyber risks at an early stage. Cyber security is the protection of interconnected systems, including their data, hardware and software, from cyber attacks. Its scope is wider than traditional IT: for example, implantable cardioverter defibrillators in the healthcare sector are managed over a short-range radio link, and that same link makes them susceptible to short-range wireless attacks (Cavelty, 2014).
As networked technology has advanced, the capabilities of cyber attackers have also grown significantly, and the concept of cyber resilience emerged in response. Cyber resilience is a broader approach that includes both business continuity management and cyber security. It aims not only to defend against cyber attacks but also to ensure the survival of the organization after an attack, which makes resilience to cyber attacks one of the critical survival traits for organizations in the future (Bagheri & Ridley, 2017). The concept is constantly evolving and rapidly gaining recognition; it brings together business continuity, organizational resilience and information security. The elements an organization must make resilient include its critical infrastructure, business processes and IT systems. Adverse cyber events are events that negatively affect the confidentiality, integrity or availability of information and IT systems. The overall objective of cyber resilience is to maintain the organization's ability to keep delivering its intended outcomes even when its regular delivery mechanisms fail, such as during the crisis that follows a breach (Wilding, 2016).
Several principles are associated with cyber resilience in an organization. One of the ten principles in the World Economic Forum report concerns the integration of cyber resilience: the board ensures that cyber resilience and cyber risk assessment are integrated with the overall business strategy, resource allocation and budgeting (World Economic Forum, 2017).
This report focuses on how an organization can integrate its cyber security and resilience protocols to ensure continued corporate survival and improved business performance. It also presents examples of best practice and a clear set of recommendations for initiating a cyber resilience policy at the corporate board level. Two ideas are central to this integration: leadership, and a mindset that goes beyond cyber security to build an effective corporate strategy that can be incorporated into the organization's overall strategic thinking. The report covers the tools used at board level for integrating cyber security and resilience protocols, which help the organization grow and innovate sustainably (World Economic Forum, 2017).
Integrating the cyber strategy into the organizational or business strategy is a challenge. The board should ensure that cyber resilience and risk assessment are integrated into the business strategy, budgeting and resource allocation (World Economic Forum, 2017). To do so, the board should evaluate cyber resilience and cyber risks through risk assessment. One method is risk benchmarking, in which the different types of risk in the business are identified by comparison against a benchmark such as the NASDAQ (Peter, 2017). Items the board can use for risk benchmarking include demographic factors, risk portfolio factors, risk controls and threats. Another risk assessment tool available to the board is the risk assessment matrix. The executive team identifies the cyber risk portfolio, which should cover financial, operational, reputational and strategic risks. A risk assessment matrix is a two-dimensional matrix whose dimensions, risk impact and risk probability, each range from low to high; where a risk falls in the matrix determines its priority. The figure below shows an example of such a matrix (World Economic Forum, 2017).
Source: (World Economic Forum, 2017)
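Because the figure itself is not reproduced on this page, the following added example (written for this edit, not taken from the World Economic Forum report or the original text) shows how a board's cyber risk register is scored with such a matrix. The five-point likelihood and impact scales, the band thresholds and the sample risks are all assumptions; the one design point worth noting is that a risk's overall impact is taken as the worst rating across the financial, operational, reputational and strategic perspectives, so a single severe consequence is not averaged away.

```python
from dataclasses import dataclass

# Five-point scales for the two matrix dimensions. The page only says each
# dimension runs from low to high; the words and numbers are assumptions.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
CATEGORIES = ("financial", "operational", "reputational", "strategic")


def priority_band(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a priority band.
    The thresholds are assumptions; a board would set its own."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: dict  # category -> impact word, e.g. {"financial": "major"}

    def __post_init__(self):
        # Reject ratings outside the agreed vocabulary so the register cannot
        # silently contain unscored entries.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.name}: unknown likelihood {self.likelihood!r}")
        if not self.impact:
            raise ValueError(f"{self.name}: at least one impact rating is required")
        for cat, word in self.impact.items():
            if cat not in CATEGORIES or word not in IMPACT:
                raise ValueError(f"{self.name}: bad impact rating {cat}={word!r}")

    def likelihood_score(self) -> int:
        return LIKELIHOOD[self.likelihood]

    def impact_score(self) -> int:
        # Worst case across the perspectives, not the average.
        return max(IMPACT[w] for w in self.impact.values())

    def score(self) -> int:
        return self.likelihood_score() * self.impact_score()

    def band(self) -> str:
        return priority_band(self.score())


def prioritise(risks):
    """Highest score first; ties broken by name so the register is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def heat_map(risks):
    """grid[likelihood][impact] -> names of the risks in that matrix cell (1-based)."""
    grid = [[[] for _ in range(6)] for _ in range(6)]
    for r in risks:
        grid[r.likelihood_score()][r.impact_score()].append(r.name)
    return grid


def render(risks) -> str:
    return "\n".join(
        f"{r.band():8} {r.score():2}  L{r.likelihood_score()} x I{r.impact_score()}  {r.name}"
        for r in prioritise(risks)
    )


# Constructed sample register; these entries are illustrative, not real data.
REGISTER = [
    Risk("Ransomware on file servers", "likely",
         {"operational": "severe", "financial": "major", "reputational": "major"}),
    Risk("Credential phishing of finance staff", "almost certain",
         {"financial": "moderate", "reputational": "minor"}),
    Risk("Unpatched internet-facing web application", "possible",
         {"reputational": "major", "strategic": "moderate"}),
    Risk("Loss of a laptop with full-disk encryption", "likely",
         {"financial": "insignificant"}),
    Risk("Flooding of the primary data centre", "rare",
         {"operational": "severe"}),
]

if __name__ == "__main__":
    print(render(REGISTER))
```

Running the block prints the register ordered by band and score, which is the prioritised view a board would review; `heat_map` gives the same data cell by cell for drawing the matrix.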
Further, the organization should pay critical attention to its governance body for cyber security management, as governance is one of the three pillars of overall cyber risk management. That governance body should include the decision makers and risk decision experts, and should engage the key stakeholders in governance (Tobar, 2017).
Senior executives and board members should also review the principles of cyber resilience in order to set cyber resilience expectations and engage with management. The board should review the organization's strategic plan annually; that plan should allocate an adequate budget for cyber security and set the strategic priorities for cyber security. An annual review of the cyber security policies helps improve the organization's overall cyber security (Terrill, 2017), and it should be accompanied by periodic reviews of the business strategy that focus on the key cyber security priorities. Integrating cyber resilience with the overall business strategy also requires awareness at the operational level, so the board should allocate an adequate budget for building awareness of why cyber resilience matters and how the organization can achieve it.
A board committee with responsibility for risk assists the board in fulfilling its responsibilities for risk management, compliance and policy (Klíma, 2016). Board members should have clear goals and objectives so that they can carry out their tasks and responsibilities. The committee's members should be entitled to rely on the expertise and integrity of the people providing them with information and on the completeness and accuracy of that information, and the committee should have adequate resources and the authority to discharge its responsibilities (North & Pascoe, 2016).
Best practices and recommendations for initiating a cyber resilience policy at the corporate board level are discussed below:
To initiate cyber resilience at the corporate governance level, the organization should first identify and manage the risks associated with its overall network and information systems (Linkov & Kott, 2018). Its systems and information must then be protected against cyber attacks, unauthorized access and system failure. A robust cyber resilience posture also requires continuous monitoring of the network and information systems so that anomalies and potential security incidents are detected before they cause significant damage (Swinney, 2016).
To support identification, protection and detection, an information security management system (ISMS) should be implemented and combined with regular penetration testing. An ISMS is a system of processes, technology, documents and people that helps the organization manage, monitor, audit and improve its information security (Park et al., 2010); it also helps the board manage security practices consistently and cost-effectively. A penetration test (pen test) evaluates the overall security of the IT infrastructure by attempting to exploit its vulnerabilities, which may lie in application flaws, operating systems, improper configurations and so on (chessict, 2012; Buglab, 2017).
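The continuous-monitoring point above is abstract; the following added example (written for this edit, not part of the original report or any cited source) shows the kind of detection logic that turns log monitoring into early warning. It parses constructed sshd-style authentication lines, keeps a sliding window of failed logins per source address, and raises an alert when a source exceeds a failure threshold inside the window and again when a login from that source succeeds while suspicious failures are still in the window. The log lines, the hostname, the year assumed for syslog timestamps and all thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in syslog/OpenSSH style; they are made up for this
# example and do not come from any real system.
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[2011]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 10 09:00:03 bastion sshd[2012]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Mar 10 09:00:05 bastion sshd[2013]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar 10 09:00:07 bastion sshd[2014]: Failed password for root from 203.0.113.5 port 50125 ssh2
Mar 10 09:00:09 bastion sshd[2015]: Failed password for deploy from 203.0.113.5 port 50126 ssh2
Mar 10 09:00:40 bastion sshd[2016]: Accepted password for deploy from 203.0.113.5 port 50130 ssh2
Mar 10 09:15:00 bastion sshd[2020]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Mar 10 09:16:10 bastion sshd[2021]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 10:30:00 bastion sshd[2030]: Accepted publickey for bob from 192.0.2.9 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2024):
    """Parse one sshd login line into a dict, or None for lines that are not
    login events. Syslog timestamps carry no year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window=timedelta(minutes=5), suspicious=3):
    """Sliding-window detector over a time-ordered stream of log lines.

    Emits a 'brute_force' alert once a source IP accumulates `threshold`
    failures inside `window` (once per IP), and a 'success_after_failures'
    alert when a login from an IP succeeds while at least `suspicious`
    failures are still inside the window. Thresholds are assumptions to tune."""
    alerts = []
    recent = defaultdict(deque)  # ip -> deque of (timestamp, username) failures
    flagged = set()              # ips already reported as brute force
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue             # not a login event, or unparseable
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()          # expire failures that fell out of the window
        if ev["outcome"] == "Failed":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"kind": "brute_force", "ip": ev["ip"], "ts": ev["ts"],
                               "failures": len(q), "users": sorted({u for _, u in q})})
        elif len(q) >= suspicious:
            # A success right after a burst of failures is the event that
            # matters most: the guessing may have worked.
            alerts.append({"kind": "success_after_failures", "ip": ev["ip"],
                           "ts": ev["ts"], "failures": len(q),
                           "user": ev["user"], "method": ev["method"]})
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

On the sample, the single failed password from 198.51.100.7 followed by a key-based login is below the suspicious threshold and stays quiet, while 203.0.113.5 produces both alerts: five failures across three usernames within eight seconds, then a successful password login for one of them. In production the same logic would read from a log pipeline and the thresholds would be tuned against the organization's own baseline.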
Together, these steps strengthen the information security defences and reduce the overall risk of cyber attacks (Fomin et al., 2012).
Once regular monitoring of the information and IT systems is in place, the focus should shift to the respond and recover stages. A comprehensive cyber resilience programme builds the organization's capacity alongside its business continuity management, and its response and recovery measures give the organization the steps it needs to minimize the impact of a cyber attack (Hult & Sivanesan, 2014).
A business continuity management system (BCMS) should be implemented. It is a comprehensive approach to achieving organizational resilience: a BCMS combines risk management with ensuring that essential functions continue even during a crisis. For example, Accenture, a leading professional services company offering consulting, technology, operations and strategy services, uses BCM to align its strategic objectives with integrated planning and response, and its corporate governance is involved in establishing, implementing, monitoring and maintaining the BCMS (Accenture, 2017). Many successful organizations use response management systems to protect themselves against cyber security threats and attacks (Cavelty, 2014); incorporating a comprehensive response management programme into the BCMS ensures that the organization responds effectively to an attack.
Another major recommendation for initiating a cyber resilience policy at board level, and for protecting the organization against cyber threats and breaches, is to take out cyber insurance. Board members should decide on the appropriate allocation of funds for the policy. Cyber insurance is an effective risk transfer option and is used in a number of countries that have mandatory data breach notification laws (Romanosky & Ablon, 2014). A cyber insurance policy, also known as cyber liability insurance or cyber risk insurance coverage, helps the organization by offsetting the costs of recovering from a security breach or a similar event. Insurance transfers financial cost; it does not replace the cyber security protocols that the most successful and sophisticated organizations apply to protect themselves. The significant increase in cyber attacks in the business world is driving demand for cyber insurance as a protection against cyber threats (Marotta et al., 2017).
An organization's pattern of risk changes over time. To manage the cyber security risks of a successful organization listed on the Australian Stock Exchange and ranked within the ASX 200, it is essential to monitor how the risk pattern changes with changes to the business model, mergers and acquisitions and new market entries; for example, a new technology may be introduced that reduces a certain type of risk or threat. Communication is another element the board cannot ignore. The board needs an effective communication strategy that provides open, transparent communication among board members and engages the relevant stakeholders in the governance of risk. Because the actual cyber security risk depends on the organization's underlying technologies and business model, the organization should review its risk management strategy regularly and frequently (Park et al., 2010).
Apart from the recommendations discussed above, the board should adopt the following strategies:
Awareness of emerging technology risk: The board should always be actively involved in understanding and managing the risks associated with emerging technology. Board members should require an informed presentation of the cyber security risks before a new venture is approved, and should continue to manage those risks through periodic assessments; the Board Cyber Risk Framework can be applied to the risk assessment of new systems and technologies (Bagheri & Ridley, 2017; World Economic Forum, 2017).
The board should also enquire into the security of technology endeavours the organization has already undertaken, for example an information system implemented to manage human resources or to improve the efficiency of business processes (Merrey et al., 2017).
Continuous improvement of the control processes should be the responsibility of the organization's cyber risk officers. It is achieved by frequently conducting control assessments and reviews to manage the risks associated with existing and emerging technologies (World Economic Forum, 2017).
Conclusion
This report has examined the importance of cyber security and cyber resilience in an organization. Cyber resilience is a relatively new concept that has gained significant importance in the business world. The report has set out how the corporate governance of an organization should integrate the cyber resilience strategy into its overall business strategy, planning and resource allocation, and has recommended a number of strategies for initiating cyber resilience at board level. The corporate governance of an organization has a deep impact on its overall cyber security.
References
Accenture, 2017. How to Build Resiliency through Business Continuity Management. [Online] Accenture Available at: https://www.accenture.com/t20170113T003242Z__w__/us-en/_acnmedia/PDF-40/Accenture-InsideOps-Business-Continuity-Management.pdf [Accessed 03 September 2018].
Bagheri, S. & Ridley, G., 2017. Organisational Cyber Resilience: Research opportunities. In Australasian Conference on Information Systems. Hobart, Australia, 2017.
Buglab, 2017. Cybersecurity Penetration Testing on the Ethereum Blockchain. [Online] Available at: https://buglab.io/assets/docs/Buglab_WhitePaper.pdf [Accessed 05 September 2018].
Cavelty, M.D., 2014. Cyber-security. [Online] Collins Available at: https://poseidon01.ssrn.com/delivery.php?ID=0660970671021070810900000041010201240610450660840380661090980050110931151041230710930020500321250610990540671101160241141270660530810070210451190931020700830210081250220540360670251231111240640740050871060850921 [Accessed 03 September 2018].
chessict, 2012. CyberSecurity Penetration Testing. chessict.
Fomin, V.V., Vries, H.J.d. & Barlette, Y., 2012. ISO/IEC 27001 Information Systems Security Management Standard. [Online] Available at: https://pdfs.semanticscholar.org/2be0/f60530378b5595cb6138be39a13c0fa60e13.pdf [Accessed 05 September 2018].
Hult, F. & Sivanesan, G., 2014. What good cyber resilience looks like. Journal of business continuity & emergency planning, 7(2), pp.112-25.
Klíma, T., 2016. PETA: Methodology of Information Systems Security Penetration Testing. Acta Informatica Pragensia, 5(2), pp.98–117.
Linkov, I. & Kott, A., 2018. Fundamental Concepts of Cyber Resilience: Introduction and Overview. In Cyber Resilience of Systems and Networks. Switzerland: Springer. pp.1-27.
Marotta, A., Martinelli, F. & Nanni, 2017. Cyber-insurance survey. Computer Science Review, 24, pp.35-61.
Merrey, P., Smith, M. & Martindale, M., 2017. Seizing the cyber insurance opportunity. KPMG International.
North, J. & Pascoe, R., 2016. Cyber security and resilience — it’s all about governance. [Online] Available at: https://www.governanceinstitute.com.au/media/874783/cyber_security_resilience_governance_april_2016.pdf [Accessed 05 September 2018].
Park, C.-S., Jang, S.-S. & Park, Y.-T., 2010. A Study of Effect of Information Security Management System[ISMS] Certification on Organization Performance. IJCSNS International Journal of Computer Science and Network Security, 10(3), pp.10-20.
Peter, 2017. Cyber resilience preparedness of Africa’s top-12 emerging economies. International Journal of Critical Infrastructure Protection, 17, pp.49-59.
Romanosky, S. & Ablon, L., 2014. Content Analysis of Cyber Insurance Policies. ftc.
Swinney, J., 2016. Safe, Secure and Prosperous: A Cyber Resilience. [Online] Available at: https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/ScotlandNCSS.pdf [Accessed 05 September 2018].
Terrill, C., 2017. How To Build A Cybersecurity Strategy For 2017. [Online] Available at: https://www.forbes.com/sites/christieterrill/2017/02/14/how-to-build-a-cybersecurity-strategy-for-2017/ [Accessed 05 September 2018].
Tobar, D., 2017. 7 Considerations for Cyber Risk Management. [Online] Available at: https://insights.sei.cmu.edu/insider-threat/2018/02/7-considerations-for-cyber-risk-management.html [Accessed 05 September 2018].
Wilding, N., 2016. Cyber resilience: How important is your reputation? How effective are your people? Business Information Review, 33(2).
World Economic Forum, 2017. Advancing Cyber Resilience. [Online] Available at: https://www3.weforum.org/docs/IP/2017/Adv_Cyber_Resilience_Principles-Tools.pdf [Accessed 05 September 2018].