Cyber Breach - IT problem? Right? Think again!

A recent phone call with a Group CEO, of a Business Advisory Organisation, went something like this:

“Hi Joe, it's Patrick from Cybercraft, just following up on my e-mail from a couple of days ago.”

“Refresh my memory, what was it about?”

“No worries, it was about Risk management.”

“Risk management, oh now I remember it was about Cyber….my IT department has that covered.”

“Are you sure Joe? Does your IT department have a Risk Management strategy in place? Have they got the bandwidth and budget to monitor and contain any risk?”

“My IT supplier handles all that stuff.”

“Not to sound pushy, I’m sure they provide a great service, but does your IT provider understand your organisations Risk Appetite? Do they have the expertise in Incident Response and Management?”

“My IT Supplier handles this!” Click…. End of call!

Looking back at this I realise that we were not on the same page to begin with. This CEO thought I wanted to speak to him about an IT issue, which he has delegated to his IT Provider and his IT team. I thought I was talking to the CEO about Risk Management, which is his and his board’s responsibility.

You see, for any organisation to be prepared for a Cyber Incident, the organisation needs to understand that Cyber Risk is not an IT issue. It is an issue that affects the entire organisation.

In New Zealand, over the past 20-plus years, organisations have embraced the concept that Health & Safety is not a HR issue, but impacts the entire organisation, with everyone having a very important role to play. Health & Safety is now incorporated into the organisations culture. In a similar way, organisations need to view Cyber Risk this way and adjust their culture to promote safe practices across the board. As organisations found out adjusting to the Health & Safety changes, an organisation cannot wave a magic wand and contract out their Risk Exposure, without taking ownership of it themselves.

One of the biggest issues facing any organisation is that their staff, especially Senior management and specialist staff are time poor, and adding extra tasks to their workload is extremely difficult. It probably means that priorities need to be adjusted, and there is a reality that some tasks may need to be re-assigned or even mothballed. To achieve this, organisations need to have a clear business case for their Cyber Risk Appetite with respect to their Cyber Risk exposure. As more of us are working mobile, and remotely we don’t want any business disruption. A cyber attack or breach will impact your organisation, clients and reputation. This is why it needs to be discussed at an Executive level.

Unfortunately, most IT departments and even IT Providers don’t have the bandwidth, specific experience, nor business expertise to deal with this. If you are unsure where to begin, why not reach out Cybercraft to discuss.