'You need to be prepared for a breach'
No one is immune: Anybody can be a victim of a cyberattack. Some of the top security companies in the world have been breached. It just shows that you have to be humble, you have to be prepared, and you can never get overconfident.
Understand your data: Probably the most difficult thing in cybersecurity for most businesses is around data management, truly identifying your data, knowing where it resides, and understanding the state of your data throughout its life cycle from cradle to grave. It's essential to understand your own data and its location internally and with respect to your customer and vendor relationships, so that if there is a breach, you can understand what systems and parties may be impacted. Disregarding the responsibilities that come with proper data management puts you at a higher level of risk.
Controls and safeguards: You have to have the appropriate controls and safeguards around your data throughout its entire life cycle. You also must have controls that help you detect incidents in a timely manner, and you need a plan that will help you respond quickly and effectively when there is an incident, to minimize the cost and impact of a potential breach. Think of incident response as the way to identify, respond to, and communicate an incident in order to manage the potentially exponential costs associated with a confirmed breach. When an incident occurs, identifying the root cause is a necessary step in reevaluating the design and effectiveness of the controls established to initially manage that risk.
Educate the leadership: Awareness is huge. A big push has been to educate and build transparency to executive management, stakeholders, and the board of directors, making sure that your board of directors and your leadership team are privy to statistics, facts, and measurement indicators in any of their ongoing regular meetings, so that they understand and can accurately measure the level of governance their organization needs to have in order to properly allocate resources. The leadership needs to know that allocating the appropriate resources around incident response and damage control is as important as the resources that need to be allocated to help prevent an incident in the first place.
Build a reasonable defense: It really comes down to having the appropriate resources allocated to develop a mature security governance program in order to manage cybersecurity risks and adequately respond to potential incidents. Management has to identify an appropriate budget based on the overall risk to the organization and the cost of the assets that they're protecting.
—As told to Ken Tysiac (Kenneth.Tysiac@aicpa-cima.com), a JofA editorial director.