Even the most insulated CXOs are certainly cognizant of the constant stream of news related to cyber attacks. News feeds are full of reports of IT security breaches, to the point where awareness is no longer an issue. My own mother mails me cybersecurity articles cut out from her local newspaper.
Good executives devote time to understanding the risk in their organizations and play an active role in implementing cybersecurity practices, if for no other reason than to attempt to stay off the evening news and avoid the impact on stock prices. Boards have increased their interest as well, as they recognize that cyber risk management and regulations require their oversight as much as any other risk to the business.
But no matter how much attention (or budget) is lavished on cybersecurity, executives need to understand that getting hacked isn’t a matter of if but when. This is the new normal in cybersecurity, and it changes the approach to preparation and risk management.
Mitigating Cyber Risk Means Understanding Time
In cybersecurity terms, there is protection time and exposure time. Protection time can be defined as the collective ability of your security policies, controls, people and processes to identify and protect the confidentiality, integrity and availability of your sensitive information and IT services for a certain amount of time against specific threats. You can think of protection time in simpler terms as being analogous to a fire-proof safe that you buy for your home that can protect cash up to 400 degrees Celsius for 30 minutes. You know what it can protect (cash), for how long (30 minutes) and against what threat (a 400-degree fire).
Exposure time acknowledges the fact that we live in a world full of hackers who get better at their craft every day. It is composed of the time it takes to detect, respond to and recover from a cyber attack that is attempting to penetrate the protections described above. In our analogy, it would be the equivalent of a home alarm system that can detect a fire and contacts a call center, which attempts to confirm with the homeowner whether the alarm is legitimate and sends the fire department to extinguish the fire. Ideally, the exposure time is less than the protection time, in order to avoid the loss of confidentiality, integrity or availability.