Excerpt from BitSight.com
David X Martin was interviewed for BitSight’s global report.
BitSight: You were Chief Risk Officer (CRO) at several major financial institutions. What is the role of the CRO with respect to understanding and overseeing newer, disruptive risks such as cyber?
DXM: The best CROs are the glue that ensures that all of the organization’s risks are being managed. CROs need to become more integral in the management of cybersecurity by: providing oversight from a strategic business perspective, creating an effective constructive challenge function, and ensuring that cybersecurity is integrated effectively into enterprise risk.
BitSight: As a board member, how do I get comfortable with my organization’s approach to cyber risk management?
DXM: If your organization has a strong cyber-immune system, you can feel reasonably confident that your company is thinking about cybersecurity in the right way and taking appropriate steps to protect the enterprise. Analogous to the human immune system, which mounts a three-step defense, a cybersecurity defense would:
• Sound the alarm. Constant surveillance is critical, with early warning indicators and multiple layers of defense.
• Solve the problem. Manage cybersecurity at the enterprise level and not treat it as “just a technology issue.”
• Recover and remember. When things go wrong, the ability to identify and respond to a problem quickly will determine your company’s ultimate recovery. Your organization’s cyber-resilience program must bring together the areas of information security, business continuity, and organizational resilience.