Security By Design - Part 5

Joseph F. Norton, Risk, Security, and Crisis Management professional

My last blog post presented the changes the Securities and Exchange Commission released on July 26, 2023 to its “SEC New Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies.”

These changes are quite impactful for Public Companies and their regulatory reporting on cybersecurity, and they have been welcomed by practitioners in the cybersecurity field. Some of us may wish that the SEC had gone a little further with its new rules, but progress is progress. If you are a member of a private company breathing a sigh of relief that you are not “required” to make such reports and disclosures, I would suggest that you take a close look at these new SEC Rules and consider how your Cybersecurity practices compare to these “rules” for public companies. I will be coming back to this topic in future posts to explore some of these new rules in more depth.

These are just a small sample of things we learn about as children that can harm us or cause injury.

These are threats to our well-being.

These four threats are very specific. Each of these threats has a specific range of impacts. We can easily be hit by a car when crossing a street and be injured or killed. Some strangers may wish to do us physical harm. Being struck by lightning will cause grievous bodily harm or outright death. We can easily suffer frostbite or hypothermia and potential death if exposed to cold temperatures for an extended period.

The actions we were taught as children to avoid harm are very specific threat-avoidance and mitigation actions that we can practice.

Every time we check traffic before crossing a street or intersection to determine if we can cross safely, we are evaluating the probability of a potential event, i.e., that we may be struck and injured by a vehicle.

Practicing Risk Management in our personal lives is no different from practicing Risk Management in our business lives and roles! Risk Management entails:

  1. Acknowledging that Threats exist.
  2. Determining the probability that a potential Threat will occur.
  3. Understanding and assessing the potential Impact of a Threat Event if it occurs.
  4. Ranking or scoring Threat Risks by their Impacts (i.e., Probability × Impact = Risk Score).
  5. Implementing Risk Actions / Plans to avoid and/or mitigate the impact of Threat Events.

Effective Risk Management requires both Knowing and Doing

Now, let me circle back to Risk Behaviors. I stated earlier that throughout my career I have been amazed by the disconnect I have seen and experienced between the way we behave in our personal lives and the way we behave in our business lives regarding Risk. In our daily lives, we naturally embrace our roles as Risk Managers for our own safety and the safety of our family members and loved ones. Yet as soon as we enter our work environments (in an office, or remotely from home or a hotel), we often witness employees at staff, management, and executive levels unconsciously ignore or abandon any sense of understanding of Business Risk. Most Risk Event impacts occurring in business today, especially those related to Cybersecurity and Cyber Insecurity, occur because individuals did not practice the same acceptance and ownership of their roles as Managers of Risk in their business lives that they practice every day when they leave their work environments and enter their personal lives. If we did, no staff member, manager, or executive of a company would ever click on a phishing link, be fooled by a social scam, or fail to fund mandatory security awareness training and certification for every employee of the company, from bottom to top.

In my next blog post, it is my intention to explore Systemic Risk in Business with you.

Feedback and comments are welcome, as well as any specific Cybersecurity or Cyber Insecurity topic you might want me to comment upon.

Joseph F. Norton is a Risk, Security, and Crisis Management professional.

He is a founding member and Qualified Technology Executive of the Digital Directors Network, Chair of the Advisory Board with Next Era Transformation Group, and Chief Security Officer with APF Technologies.

He has served as Chief Security Officer, SVP at Atos, Chief Technology Officer and Head of Operations, SVP at Philips, Chief Technology Officer, SVP at Novartis, Executive-in-Residence with McKinsey & Company, and Chief Technology Officer at McDonald’s. He has also held professional roles during his career with JPMorgan Bank, Oracle, Sybase and Grumman Aerospace Corporation, and the United States Navy.
