The growth in ransomware and other cyber attacks has revealed a hidden truth about the state of cyber security in the United States: Our nation’s critical infrastructures and supply chains are falling victim to devastating attacks because they have not identified the cyber risks that matter most to their operations.
Recent high-profile incidents, including the ransomware attacks against the Colonial Pipeline system and JBS USA, the world’s largest meat processor, demonstrate the urgent need for critical infrastructure owners and operators to adopt a risk-led cyber security program. It is becoming clearer by the day that these major firms are not having the proper risk conversations between their cyber security experts and business executives.
Cyber security must be treated and communicated to executives the same way as other critical business risks. “Cyber security is now a critical enabler for most businesses to continue operating,” said Michael Daniel, President & CEO of Cyber Threat Alliance, in a recent interview. “And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.”
Organizations should be quantifying risk – including cyber risk – based on potential financial and operational impact. The process of doing so creates a common goal that unifies security teams and business leaders. My firm, ThreatConnect, recently conducted a survey and found that 70% of security professionals received “medium to high levels of pressure to produce cyber risk quantification data for their business.” A more telling aspect of the survey, however, showed that half of the respondents said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritize vulnerabilities and security alerts, and justify their future investments to mitigate those risks.
Written by Adam Vincent, CEO of ThreatConnect, in Finance Monthly