Legal Defensibility

Posted By: David Willson on 9/6/2011 10:18:02 PM. Tags: legal defensibility

Can you or your customers claim "legal defensibility" when it comes to the information security of the business? Do you have a security plan? Have you done a risk assessment? And what is "legal defensibility" in the first place?

With regard to cyber security and the protection of information, "legal defensibility" means being able to show that you have a plan and that it has been implemented: strategic decisions were made and documented, a risk assessment was done, assets were identified and categorized by their importance to the business, employees are regularly made aware of current threats and trained to respond, an incident response plan is in place, and so on. Most importantly, can the company's leaders articulate that plan, the decisions behind it, why those decisions were made, and how the plan protects operations, resources, return on investment, the bottom line, brand and reputation, and customers and their data?

If the company suffers a security incident, a data breach, a hack, or whatever term fits, and the owner(s), executive(s), or manager(s) are approached by the media, called to give a deposition or testify, or, better yet, asked to answer to the shareholders, can they confidently state that a security plan exists, that they are familiar with it, that they helped implement it, and that it reflects due care, due diligence, and accepted best practices? Company leaders cannot simply push security down to the IT department, the CIO, the CSO, or anyone else. Information security is no longer an IT issue; it is a management issue, because computers, networks, technology, and the flow of information touch every aspect of most businesses today, and the IT department, CIO, and CSO must have the ear of leadership. An information security incident can have a devastating impact on any company.

"Legal defensibility" is having a plan, being able to articulate it, and being prepared for the inevitable. Don't get caught in the dark. If a vendor tells you your company is secure, challenge that statement: NO ONE IS 100% SECURE! Experts say getting hacked is not a matter of if, but when, so preparation is the KEY. A risk assessment can be used to measure the state of the company on three fronts: the level of security currently in place, which indicates the probability of an incident; the company's preparation for the inevitable incident, which shows how much liability and operational impact can be reduced; and the resulting gains in return on investment, protection of brand and reputation, and the confidence of both the company and its customers.

Watch for, “How to Measure Risk and the Benefits of Being Prepared.”
