As enterprises strive to gain value by leveraging technology, the risk associated with digital business is increasing. Isolated approaches to information security, business continuity and incident response are a thing of the past; today, the urgency of providing continuously available services for customers and business partners in the digital economy requires enterprises to become resilient. A resilient enterprise protects itself from attack, but also recognizes that defense is not the end-all. A resilient enterprise needs to connect protection and recovery to the mission and goals of the enterprise, implementing integrated programs in order to provide sustainability of essential services. C-suite and board members need to evaluate the operational risk inherent in digital business and direct management to ensure that the enterprise is more than just protected—it is resilient. When coupled with technical risk and the potential for intrusion and compromise, enterprise risk management necessitates the implementation of new approaches to protection and response. Information technology is an essential part of how business is conducted, and cyber-protection is no longer a technical issue; it is a business issue requiring board attention. It is incumbent upon organizations to implement risk management practices based on the following questions that executive leadership must ask to gain assurance (Hale, 2015):
• Is the organization, from the boardroom to the break room, equipped with the right competencies to understand cyber-related risk and determine if management is taking appropriate action?
• Does the enterprise have the ability to detect changing threat conditions and understand the potential enterprise risk associated with these changes?
• Are the board and senior leadership sufficiently informed about changes to the business’s use of technology and associated operational risk to exercise their responsibility?
• To what extent do information and cybersecurity programs align with business requirements?
• Do information security and business line leaders collaborate in understanding risk and appropriate technical solutions?
• Do the board and executive leaders get direct feedback and accept the recommendation of the chief information security officer or some equivalent officer who can explain in business and strategic terms the cyber risk and controls approach?
The value of digital business and the threat of compromise require executive leaders to ensure that effective programs are in place not only to defend the enterprise, but also to detect and respond to incidents and expeditiously recover essential services and functions.
Hale, R. (Ed.). (2015). The Cyberresilient Enterprise: What the Board of Directors Needs to Ask. Chicago, IL: ISACA.