Excerpt from GARP.org
Winning the battle requires ERM-type oversight, ensuring that all risks are being managed
By David X Martin
In terms of cybersecurity today, companies are fighting the good fight but losing the battle. Chief risk officers need to become a more integral part of the solution.
Here is a plan.
Adopt a winning strategy. Most regulators take the approach of “assess the risk and deal with it.” Most companies deal with it by trying to detect the problem early and react to it quickly, which is not working well.
There is a better approach called Defense in Depth, which is modeled after a conventional military strategy and has a much better chance of success. In Defense in Depth, rather than concentrating all resources at the front line, defenders can fall back to a series of pre-planned positions from which they can advantageously attack the advancing enemy. Adapted to cybersecurity, Defense in Depth strategies would use multiple security techniques and products to help mitigate the failure of one component, while slowing down the attacker and buying time to fix the problem.
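As an added illustration, not part of the article: a small Python model of the layered design the paragraph describes. The four controls, the token list and the two sample requests are all constructed for this example. Each control judges the request on its own evidence rather than trusting an earlier layer, so when the perimeter control silently fails (a misconfigured firewall, say), a perimeter-only design passes the hostile request with no alert, while the layered stack still blocks it and leaves three separate alerts for responders, which is the "mitigate the failure of one component" and "buying time" effect the text refers to.

```python
"""Toy Defense in Depth pipeline (constructed example, not the article's own):
several independent controls each inspect the same request, so one failed or
bypassed layer does not on its own let a hostile request through, and every
objecting layer leaves its own alert for incident responders."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    src_ip: str
    token: str
    path: str
    body: str


Verdict = Tuple[bool, str]                      # (allowed, reason if blocked)
Layer = Tuple[str, Callable[[Request], Verdict]]


# Hypothetical controls. Each decides on its own evidence and never relies on a
# decision taken by an earlier layer; that independence is what lets the layers
# back each other up.
def network_layer(req: Request) -> Verdict:
    ok = req.src_ip.startswith("10.0.")          # assumed internal address range
    return ok, "" if ok else f"source {req.src_ip} is outside the internal range"


VALID_TOKENS = frozenset({"tok-alice", "tok-bob"})  # constructed session tokens


def auth_layer(req: Request) -> Verdict:
    ok = req.token in VALID_TOKENS
    return ok, "" if ok else "session token is missing or not recognised"


def path_layer(req: Request) -> Verdict:
    ok = req.path.startswith("/app/") and ".." not in req.path
    return ok, "" if ok else f"path {req.path!r} leaves the application tree"


def input_layer(req: Request) -> Verdict:
    ok = not any(ch in req.body for ch in "<>;")  # deliberately crude filter
    return ok, "" if ok else "body contains characters the input filter rejects"


LAYERS: List[Layer] = [
    ("network", network_layer),
    ("auth", auth_layer),
    ("path", path_layer),
    ("input", input_layer),
]


def failed_control(req: Request) -> Verdict:
    """Stand-in for a misconfigured or bypassed control: it allows everything."""
    return True, ""


def with_failed_layer(layers: List[Layer], name: str) -> List[Layer]:
    """Copy of the stack in which the named layer has silently failed."""
    return [(n, failed_control if n == name else check) for n, check in layers]


def evaluate(req: Request, layers: List[Layer]) -> Tuple[bool, List[str]]:
    """Run every layer even after the first objection: the request is blocked if
    any layer objects, and the full alert list goes to the responders."""
    alerts: List[str] = []
    for name, check in layers:
        ok, reason = check(req)
        if not ok:
            alerts.append(f"{name}: {reason}")
    return not alerts, alerts


# Constructed sample traffic, not from the article.
LEGIT = Request("10.0.4.7", "tok-alice", "/app/report", "quarter=Q3")
HOSTILE = Request("203.0.113.9", "guess", "/app/../admin", "name=<b>x</b>")


def compare_designs(req: Request) -> Dict[str, Dict[str, object]]:
    """Outcome of one request under a perimeter-only design and the layered
    design, each with its network control failed. Reports whether the request
    got through and how many alerts were raised (chances for responders)."""
    perimeter_only = LAYERS[:1]
    results: Dict[str, Dict[str, object]] = {}
    for label, stack in (("perimeter_only", perimeter_only), ("layered", LAYERS)):
        allowed, alerts = evaluate(req, with_failed_layer(stack, "network"))
        results[label] = {"allowed": allowed, "alerts": len(alerts)}
    return results


if __name__ == "__main__":
    print(evaluate(LEGIT, LAYERS))      # (True, [])
    print(evaluate(HOSTILE, LAYERS))    # (False, [four alerts])
    print(compare_designs(HOSTILE))     # perimeter-only lets it in, layered blocks it
```

Running the block prints the legitimate request passing cleanly, the hostile one collected by all four layers, and the comparison in which only the layered stack survives the loss of its perimeter control. The design choice worth noting is that `evaluate` does not stop at the first objection: running every layer costs a little more but records every control that would have caught the request, which is the information a responder wants when judging how close an attack came.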
Become intelligence-driven. The traditional approach to security relies on prevention technologies. It treats intelligence as a product to be consumed, and incident response as an exception-based process.