Changing the Game on Cyber Risk
The imperative to be secure, vigilant and resilient
Most reports on cyber security revolve around a common theme: despite heightened attention and unprecedented levels of security investment, the number of cyber incidents — and their associated costs — continues to rise. They typically point to the growing sophistication of hackers and other adversaries as a particularly intractable problem and some deliberate over whether being secure is even possible in today’s rapidly evolving landscape of cyber attacks. Important questions, though, remain unaddressed. In particular: what are the underlying reasons for this trend and how can organizations actually reverse it to start winning the cyber risk battle?
The first question has a lot to do with your organization itself, and is not just about the sophistication of external actors. Over the past two decades, we have woven a fabric of connectivity in our economy and society via the Internet — a platform that was designed primarily for sharing information, not protecting it.
This brings us to the second question and the central theme of this paper. Namely, how can organizations reverse the growing gap between security investment and effectiveness in a world where it is not feasible to be 100 percent secure.
- Being secure: You can’t secure everything equally. Being secure means focusing protection around the risk-sensitive assets at the heart of your organization’s mission.
- Being vigilant: By carefully plotting the motives and psychology of adversaries, and considering the potential for accidental damage, cyber risk strategists anticipate what might occur and design detection systems accordingly.
- Being resilient: If response to cyber incidents is viewed as primarily a technical function, you will likely not be equipped for decisive action.
A Secure.Vigilant.Resilient. cyber risk program is not just about spending money differently — it’s a fundamentally different approach.
As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.