The cyber risks that confront businesses seem to be multiplying. Hacktivists have staged attacks that brought down the websites of major banks, companies are fretting about thefts of intellectual property, there are regular reports of breaches that expose the personal data of large numbers of consumers, and the White House is warning about the possibility of attacks targeting critical parts of the U.S. infrastructure.
Cyber criminals are also increasingly sophisticated, able to slip past the security controls organizations have in place. And the price tag for cyber events is rising. The Ponemon Institute’s 2013 study of the cost of cyber crime found that the average annual cost for organizations was $11.56 million, up 26% from the previous year. According to Ponemon, companies are suffering more successful attacks, and each one takes longer to resolve.
Effective IT risk management starts at the top, Stroz said, with the company’s board. He argued that the executive who heads IT risk management shouldn’t be the company’s chief information officer: “It puts IT people in a difficult position if the head of IT, who will get in trouble if systems are penetrated, is the same person who tells you whether that condition exists.”