Spring 2014 issue of Horizons

The plan needs to be flexible to allow quick responses to attacks and to the consequences of those attacks. To do this, cross-functional teams from varying business disciplines should develop and test the plans. The team should also ensure everyone is prepared to respond quickly and to communicate with all affected stakeholders if an incident arises.

Step Three: Define Responsibility for Maintaining Security and for Responding

A recovery plan must be flexible so it can adapt to a variety of attacks, while also being specific, comprehensive, and most importantly, achievable by those within the organization. In the plan, two primary responsibilities should be assigned to leaders with authority and support. These responsibilities are for:

∙ Maintaining the security

∙ Leading the response

Define your Cyber Resilience Team

1. Executives – To provide governance as well as a conduit to the audit committee and board level questions

2. Internal Audit – To be an independent resource to report on the processes supporting cyber security and resilience

3. Communications – To provide broad communication, including public relations management

4. Insurance – To ensure clarity in the policies

5. Legal – To advise and monitor on current regulatory and other legal insights

6. Technology – To be a liaison and ensure an on-call technical response team is under contract

7. Finance – To enable transparency in the cost

Avoid Apathy With Your Cyber Security Strategies

by Jack Zaloudek, Lecturer and Program Director, Information Management & Masters in Cyber Security Management, Washington University in St. Louis

Since cyber security is all about risk management, it is essential that the risk strategy be managed throughout the organization. It is the responsibility of the C-suite to ensure that:

∙ The strategy is understood by the employees of the firm

∙ The employees have the tools and training to implement the strategy

∙ Executives monitor the execution and absorption of the daily action plans necessary to make the employee awareness campaign a “muscle memory” response at every level of the business

It is very easy for one of the common killers of a good plan, apathy, to set in. Apathy can affect the senior level of leadership, but it can also be experienced by the employees, who will revert to the status quo once the initial push and training are past. Strong leadership and monitoring for lapses in following the policies and procedures are essential “watchdog” elements in counteracting cyber security malaise and apathy. “It will not happen here” is not a suitable organizational response.

www.RubinBrown.com | page 11
