Cyber Governance:
Know What You’re Trying to Protect and From Whom.
The cyber security team, Executive Management and the Board need to be aligned on what the company’s “crown jewels” are. Are they, for example, proprietary IP, customer data, uptime of an e-commerce site, ability to operate, ability to manufacture or ability to communicate with customers? A formal threat assessment should:
- Anticipate how cyber criminals would steal, delete, encrypt or alter valuable data or interfere with key business functions;
- Take into account sector-specific threats as well as the company’s unique history of cyber-attacks, if any; and
- Rank the relative likelihood of cyber threats emanating from state-sponsored actors, financially-motivated attackers, hacktivists and malicious insiders.
Developing a formal threat assessment will drive discussion about how to prioritize implementation of defenses applicable to each threat group. Since the global threat landscape changes rapidly, the assessment should be updated every year or two.