CIR Program Management
Rationale for Lack of Cyber Security Prioritisation
Cyber security is a critical requirement for the organisation that has been neglected (Ernst & Young, 2014) by executive management in the past. Some of the reasons why they chose to ignore cyber security include a low-priority agenda, misunderstood responsibilities and complacency:
1. Low-Priority Agenda
Management has many issues to address within the organisation, especially the agenda items relevant to the organisation's economic success. Cyber security is thus set as a low-priority agenda item and neglected.
2. Misconception of Responsibilities
In the past, executive management strongly felt that cyber security was the responsibility of the IT department, since attacks targeted information assets. With the heightened global reporting of cyber security attacks, this threat now warrants the attention of executive management.
3. Overconfidence/ Complacency
Organisations believe that they will not be the target of a cyber security attack, or that their implemented security controls are sufficient to secure their information assets.
4. Difficulty in Analysing CIR Impact
Unlike the traditional organisational risks, during the execution of the Risk Analysis and Review and the Business Impact Analysis, both the BCM and the cyber security teams have difficulty determining the impacts associated with the various cyber security threats. Hence, they lack the supporting information needed to make organisation-wide decisions.
5. Lack of Justification on the Return of Investments
The resources an organisation has access to are limited; Management has difficulty allocating resources to improve cyber security within the organisation because, when it contends with other initiatives, they do not see it as a worthy investment.
6. Wrong Priorities
Focusing on prevention or mitigation measures is wise, while some organisations prefer to invest in response and recovery procedures for cyber security attacks. However, over-investment in either mitigation or response procedures while neglecting the other has been the downfall of certain organisations.
With the recent growing visibility of global cyber security attacks, executive management is beginning to take cyber security seriously. They have begun to see the importance of utilising program management processes, especially in the current situation, where cyber security threats evolve at unparalleled speed in both their complexity and their impact on organisations.
As the utilisation of information assets increases across all organisations, the number of cybercriminals aiming to undermine those assets also grows. With this development, the organisations' thinking has shifted from "are we secure?" to "how do we ensure we are secure enough?". Therefore, the content of the CIR plan needs to be reviewed and updated regularly to ensure that the organisation can tackle today's cyber security threats.
Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 10 Program Management, 10.2 Rationale for Lack of Cyber Security Prioritisation.
Note: This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.