The risk posed by cyber threats means IT security professionals should be represented on corporate boards
Playing out a cyber crisis ahead of time will help information security priorities inform the corporate response.
There has never been a more important time for information security professionals to be embedded within the boardroom.
The challenge presented by the collision of cyber and business worlds makes it imperative that security teams become more engaged with business leaders and ensure that the capabilities provided by the security function support the business strategy.
The ramifications of any individual event can be immense. Even a small cyber breach has the potential for a disproportionate impact on the business. Damage to strategic relationships, damage to corporate reputation and the loss of trust among consumers and investors all have ramifications far beyond the scale of what could initially appear to be a relatively small loss of data.
According to the Top Risks 2011 research published in January by Eurasia Group, the risk of cyber threats is now ranked as one of the top three faced by companies. Protection and resilience as an objective have finally made it onto the board's agenda.
Those involved in recovery from these events need a common goal: resilience. Firms taking on the challenge of building resilience start with corporate crisis management, ie building a response capability for any major event considered a threat to their enterprise.
This usually involves engaging the right teams, using specific reporting frameworks and processes, timely escalation, delegation and communication channels.
At an operational level, responses to events which occur on a regular basis will be well practised, but the methods of response when things go drastically wrong or when a cyber incident occurs are often far less scrutinised.
This failure is evidenced when we see headlines about yet another loss of critical data and witness a poor corporate response that focuses on the event itself rather than on its consequences for key relationships.
Crisis-management exercising is a powerful tool in addressing this need to engage. Exercises allow organisations to examine their responses at operational, tactical and strategic levels against real-world events.
Exercising for a response allows the teams to work together in a controlled environment, share challenges and examine the conflicting decisions they need to make.
This is where IS and IT professionals can add significant value and ensure their priorities are integrated with the corporate response.
By using a cyber-based scenario, IS professionals can help develop and support an organisation's knowledge and understanding of the threats and challenges and also highlight the significant corporate issues that would need to be dealt with.
If the exercise runs in real time, concurrent with normal business, it even allows for operational testing alongside the crisis-management response, providing a realistic picture of corporate resilience based on the current state of preparedness and capability.
Real-time exercising can be a vehicle for driving forward the conversation that is so clearly required between information security teams and senior leadership. It can and should drive a slew of further activities in terms of further crisis management planning, building response frameworks and communications channels, agreeing protocols and procedures and perhaps setting clearly defined trigger points for when even small cyber breaches or threats really do require senior management involvement.
With the rise of hacktivism, the recent WikiLeaks effect and the ever-growing importance of the cyber world, there has never been a better time to coordinate information security efforts into crisis management.
Those who fail to integrate, exercise effectively and build a capability will undoubtedly lose competitive advantage to better prepared peers.
Those who are capable and confident in their preparation and their ability to respond will quietly shine through in business performance as their name escapes the vilification of the media and the wrath of the regulators.