The 10-step plan to fight cyber risk

Rigorous IT security assessments should be performed by specialists. They can give you a head start towards understanding your company’s capabilities for managing and mitigating the ever-present risk that cyber threats pose today.

We believe that exploring cyber threat risks with your executive team can yield value beyond helping you improve governance over this area alone. It can also give you the opportunity to build a more productive dialogue with executives about IT risk management in general. We encourage you to use these discussions with management both as a way to strengthen your company’s cyber threat risk management practices, and as a springboard to greater engagement with them on all aspects of IT risk.

Ten steps toward more effective cyber threat risk governance

  1. Stay informed about cyber threats and their potential impact on your company.

  2. Recognise that risk intelligence is as valuable as traditional business intelligence.

  3. Hold a C-level executive accountable for cyber threat risk management.

  4. Provide sufficient resources for the company’s cyber threat risk management efforts.

  5. Require management to make regular (quarterly) substantive reports on the company’s top cyber threat risk management priorities.

  6. Expect executives to establish continuous monitoring methods that can help the company predict - and prevent - cyber-threat-related issues.

  7. Require internal audit to evaluate cyber threat risk management effectiveness as part of its quarterly reviews.

  8. Expect executives to track and report metrics that quantify the business impact of cyber threat risk management efforts.

  9. Monitor current and potential cyber security-related legislation and regulations.

  10. Recognise that effective cyber threat risk management can give your company more confidence to take certain “rewarded” risks for new value.

• NB: The information in this article is based on a collection of Deloitte & Touche ‘white papers’ and statistics collected from Ponemon Institute, a company that conducts research on privacy, data protection and information security policy. For more information on Deloitte Bahamas Risk Advisory Services’ cyber security offering, contact Lawrence Lewis, risk advisory services partner, at 1(242) 302-4898 or llewis@deloitte.com, or Shavonne Smith, senior risk advisory services consultant, at 1(242)302-4880 or shasmith@deloitte.com.

Ms Smith holds a Master of Science (MSc) degree from Capitol College in Baltimore, Maryland, and specialises in information assurance and network security. She also holds the CISA designation (Certified Information Systems Auditor), and several Microsoft certifications.