CIOReview
MARCH 2017

In My Opinion

A Complementary Approach to Cybersecurity and Cyber Risk Management

By Tim Callahan, SVP-Global Security & Global CSO, Aflac [NYSE: AFL]

When U.S. financial regulatory bodies released an advance notice of proposed rule-making regarding enhanced cyber risk management standards for large and interconnected entities, conversations about the need for effective cyber risk management increased as a result. For years, the information security profession has been responsible for cybersecurity and, at times, has wrestled with how risk management principles should integrate with information security principles. While well-intentioned, this integrative approach overlooks the complementary nature of these two programs, which are truly one and the same.

In order to assure clarity, it is best to define our terms. Cybersecurity centers on the protection of the confidentiality, integrity and availability of information. This includes the systems, hardware and networks that process, store and transmit this information. Risk management involves understanding risk and applying the appropriate controls commensurate with the mission and goals of the organization. Like security, risk management involves governance, management, consideration of internal and external risks, and incident response.

At first glance, these two concepts may understandably appear contradictory. After all, one implies full protection with less regard for cost or mission, while the other implies knowledge, decision-making and judgment of controls appropriate for the mission. Security purists may speak of the need to protect information at any cost, whereas the risk management mindset would focus on the benefit, reward and practicality of controls weighed against business objectives.

To be clear, however, there is no contradiction. The security profession has