Mon, 18 May 2026

Building an enterprise-grade cybersecurity strategy

Towards the end of 2019 and at the onset of 2020, predictions about the state of cybersecurity were rich with both hard evidence and conjecture about how ready governments and enterprises are for cyber attacks.

But rather than delving into where organisations stand in terms of their cyber security readiness, including how far along they are in complying with local regulations, FutureCIO decided to tackle the issue directly and speak to a risk management expert.

Keith Yuen, partner, Ernst & Young

We spoke to Keith Yuen, a partner at Ernst & Young, on how organisations should be preparing themselves against the relentless attacks on their infrastructure.

What do you mean by risk appetite?

Keith Yuen: Risk appetite is a concept that represents how much risk we are willing to take in order to achieve certain goals and objectives of a strategic initiative. Risk appetite comes in the form of a statement, showing the risk description, to indicate the risk appetite, whether it is high, medium, or low.

I think it’s a good practice for senior management or the board of directors to define the risk appetite and use this to direct the appropriate action to be taken by the team. This will also define the investment that we need and how stringent the controls that we put in place need to be.

From a cybersecurity professional's perspective, it is the obligation or responsibility to clearly articulate the cybersecurity risk, both quantitatively and qualitatively, to assist the board or senior management in defining the risk appetite.

Can we expect more cyber incidents in 2020 and beyond?

Keith Yuen: I would expect more, because going forward there will be a lot of new technology continuing to be deployed in different environments, such as IoT, blockchain, 5G, even AI.

All these really bring the organization or the general public to another risk level, because with IoT, when you collect a lot of different things, the attack point is much broader than in a traditional network.

How should organisations prepare for or respond to these cyber incidents? 

Keith Yuen: We need to have a very comprehensive and well-prepared incident response plan in advance. Normally when an incident happens it is always very critical and time sensitive, because we want to recover the business as early as possible.

A very well-prepared incident response procedure should contain the following:

  • An incident response team that covers the functional departments, including the legal team, risk management, public relations, marketing, crisis management, as well as the C-suite level, such as the CEO, CFO and CIO. Everyone will play a different role.
  • Bring in computer forensics, either in-house or external expertise, to connect all the data and preserve the data as court evidence.
  • Have someone technical lead the investigation into the root cause, how the hackers broke in, and develop a containment approach. These need to be done within 24 hours following the incident.
  • Clean up all the backdoors or the toolkits that the hackers installed in the environment. Afterwards, decide how to recover those systems back to normal business.

What is the composition of a cyber security team?

Keith Yuen: Cybersecurity is an important risk component of an enterprise-wide risk management program. It involves different functional parties such as legal, risk management, the business unit, internal audit, and board-level oversight. Most importantly, everyone must work together.

We suggest setting up a defence framework to manage the cyber risk at the organizational level – divided into three lines of defence.

  • The first line consists of the front-line personnel and the business unit. We need to decide on the different types of control to ensure that the front-line personnel follow the designated controls when they are performing their daily work.
  • The second line consists of functions like internal control, the compliance team and the risk management team. This team designs the necessary policy standards and the different types of legal requirements that need to be followed by the first line. The second line designs the company policy for them to follow.
  • The third line is an internal audit department that plays an independent role in performing audits, to ensure the controls are operating effectively from time to time. The report goes up to senior management, or the committee, and the board of directors, to make sure that there is broad oversight of the whole cybersecurity-related agenda.

Where should budget for security come from?

Keith Yuen: I think this really depends. Some projects or initiatives would come from IT; for example, if the project is related to building a technology platform to monitor cybersecurity incidents, that would go to the IT budget.

But in some cases there is legal-related compliance work; for example, the company needs to make sure that it complies with the European privacy law, the GDPR. Then the budget could come from legal or from risk management.

This really depends on the substance of the security initiative. Right now, security is not just an IT issue. It also covers a lot of different functional departments.

In 2020, how should enterprises prepare for more of these incidents while at the same time staying compliant with regulations that are continually evolving?

Keith Yuen: I think on one hand we need to take risks. We cannot stop [embracing] a lot of new technologies. But on the other hand, we need to be aware of the risks that are involved.

We need to have a framework because an organisation is big and consists of different functions. A framework can make everyone work together to adjust the cybersecurity-related issues.

We need to identify the risk, we need to protect the asset, we need to have the ability to detect, respond, and recover. So [these are] all the capabilities that form a framework that brings everyone working together.

Last but not least, we always need to prepare for the worst. No matter how strong you believe your organisation is, we always need to have a mindset to prepare for the worst in case something happens – that we know what to do and we know how to handle the unknown, unexpected incident.
