Information Security Risk Management
FTI Consulting Information Security professionals have extensive consulting and client-side experience developing sound, effective policies and procedures that prevent data loss and meet compliance requirements. We approach information security management, meaning the policies, controls and practices that manage information across the extended enterprise by addressing confidentiality, integrity and availability, from a composite perspective. Our team includes credentialed information security technical experts and former chief information security officers (CISOs); cyber and breach response insurance risk analysts; cyber insurance liability professionals; risk modeling and quantification analysts; government action risk professionals; forensics analysts; and experts in business continuity, disaster recovery and crisis management. We help clients understand the intersection of information security management and the risk financing interests of the underwriters and re-insurers that write cyber risk insurance policies, and to close the gaps between what a policy covers and the risk the organization actually carries, through cyber risk quantification and targeted risk mitigation. Our solutions balance strong information security preparedness against the organization's practical requirements for operational efficiency and controls that are not unduly intrusive. They address the leading-edge information security risks created by the transition to the cloud, the sharp increase in data residing on mobile devices, growing vendor access to the network, and the reality of organized criminal and state-sponsored attacks.
C-Suite and Board Level Risk
The average cost of a data breach has been pegged at $204 per lost record, a figure that captures the direct cost of repairing trust, lost customers, crisis public relations and rebuilding reputation. The longer-term cost is harder to count: the loss of shareholder value that follows public and market perception of poor cyber crisis preparation and response can persist for years after a major incident. Government action is a further exposure. Sovereign, federal or state legislative and regulatory responses to high-profile breaches, which are sometimes excessive or ineffective, can represent an existential risk to some organizations, especially where the breach involves loss of personal financial or medical records. Strong information governance, forensic readiness, and the host of compliance regulations governing data protection, confidentiality and corporate governance all point the same way: information security practices should be proportionate to the risks and consistent with industry and peer practice.
There may be a false sense of security in the boardroom and C-suite of organizations whose risk management or compliance committees have received inaccurate assurances that the organization's cyber insurance policy is sufficient to address its information security risk. Such assurances are profoundly weak if the risk manager has never met with the CISO, or has not aligned the insurance strategy with the real threats, risks and vulnerabilities built into almost every organization's IT infrastructure and information management practices. Without a sound risk mitigation strategy, even a good insurance policy is not enough on its own. In today's risk environment, well-prepared companies build their cyber strategies on the assumption that organized industrial, criminal and state-sponsored attackers are actively targeting them, and strengthen their protections accordingly. For all these reasons, data security risk ranked as a top-10 concern of directors and general counsel in a survey conducted by FTI Consulting and The Corporate Board Member magazine.