
CIR PgM Rationale for Lack of Cyber Security Prioritisation

Cyber security is a critical requirement for the organisation that has been neglected by executive management in the past.

Some reasons why they chose to ignore cyber security include low priority agenda, misunderstood responsibilities, and complacency.

Reference: Chapter 10 Program Management 10.2 Rationale for Lack of Cyber Security Prioritization

Moh Heng Goh

CIR PgM Rationale for Lack of Cyber Security Prioritisation

Cyber security is a critical requirement for the organisation that has been neglected (Ernst & Young, 2014) by executive management in the past. Some of the reasons why they chose to ignore cyber security include a low-priority agenda, misunderstood responsibilities and complacency:

1. Low-Priority Agenda

Management has many issues to deal with within the organisation, especially agenda items relevant to the organisation's economic success. Cyber security is thus set as a low-priority agenda item and neglected.

2. Misconception of Responsibilities

In the past, executive management strongly felt that cyber security was the responsibility of the IT department because attacks targeted information assets. With the heightened global reporting of cyber security attacks, this threat now warrants the attention of executive management.

3. Overconfidence / Complacency

Organisations believe that a cyber security threat will not affect them, or that their implemented security controls are sufficient to secure their information assets.

4. Difficulty in Analysing CIR Impact

Unlike with traditional organisational risks, during the Risk Analysis and Review and the Business Impact Analysis, both the BCM team and the cyber security team have difficulty determining the impacts associated with the various cyber security threats. Hence, they lack the supporting information needed to make organisation-wide decisions.

5. Lack of Justification of Return on Investment

The resources an organisation has access to are limited. Management has difficulty allocating resources to improve cyber security within the organisation because, when cyber security is contending with other initiatives, they do not see it as a worthy investment.

6. Wrong Priorities

Focusing on prevention or mitigation measures is wise, yet some organisations prefer instead to implement response and recovery procedures for cyber security attacks. Over-investment in either mitigation or response procedures while neglecting the other has been the downfall of specific organisations.

With the recent growing visibility of global cyber security attacks, executive management is beginning to take cyber security seriously. They have begun to see the importance of utilising program management processes, especially in the current situation, where cyber security threats evolve at unparalleled speed in both their complexity and their impact on organisations.

As the utilisation of information assets increases across all organisations, the number of cybercriminals aiming to undermine those assets also grows. With this development, organisations' thinking has shifted from "are we secure?" to "how do we ensure we are secure enough?". Therefore, the CIR plan's content needs to be reviewed and updated regularly to ensure that the organisation can tackle today's cyber security threats.



A Manager’s Guide to BCM for Cybersecurity Incident Response

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.


Note: This version is the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.
