IT security guide: Understanding cyber-risks means knowing what questions to ask

Computerworld - A good place for senior executives to start in trying to understand their companies' financial exposure to cyberthreats is by getting an overall assessment — not just from IT, but also from business units and corporate operations such as the human resources, legal and public relations departments.

That piece of advice is contained in an information guide that the American National Standards Institute (ANSI) and the Internet Security Alliance (ISA) jointly released today in an effort to help high-level execs prepare for the financial implications of possible cyberattacks.

But as fundamental as that notion might seem, the guide says that the continued failure of chief financial officers and other corporate executives to gather a multidimensional view of IT security threats often leaves companies dangerously unprepared for the sometimes staggering costs that can result when their systems are attacked.

The 40-page guide was put together by a task force of risk management executives from more than two-dozen organizations, including Carnegie Mellon University, IBM, insurers American International Group (AIG) and State Farm Insurance, defense contractor Lockheed Martin and consulting firms Booz Allen Hamilton and KPMG. The document lists a series of 50 questions that CFOs and other executives should be asking the leaders of various internal groups, according to ANSI and the ISA.

The questions are designed to elicit information that can help provide a more holistic picture of a company's exposure to security threats, and the potential costs of either ignoring or mitigating those threats, said Ty Sagalow, president of product development at AIG's general insurance group.

Sagalow, who led a series of workshops that resulted in the new guide, said a lesson that the participants quickly learned during the sessions was that "cybersecurity, which has been traditionally viewed by some companies as an IT issue, is not just an IT issue." Just like, he added, it isn't purely a legal or PR issue.

As for the possibility that some IT managers could view increased involvement in security issues by other departments as encroaching on their turf, Sagalow and other members of the task force said they don't expect that to be an issue. Many IT departments already recognize that they're only part of the solution to cybersecurity issues, said Edward Stull, a software architect at Direct Computer Resources Inc. and chairman of an IT security best-practices group for the InterNational Committee on Information Technology Standards.

According to Sagalow, this is the first time that an effort is being made to provide CFOs, who ultimately have to sign the checks for security investments, with a means for better understanding the financial ramifications of cyberthreats.