Management and Cyber Security (CSOL 550)
Introduction
The field of cybersecurity is relatively new. Before the internet became
popular, computers were primarily stand-alone workstations with minimal risk of
any technology attacks. Over the last three decades, we have seen IT systems
grow from stand-alone computers to today’s globally connected information
ecosystem that permits users to access information anytime, anywhere. We also
have seen the increase in the numbers of hackers and others who attempt to gain
access to information for reasons that include curiosity, personal profit, or
competitive advantage.
Business principles are core business foundations that drive decisions
and guide the organization towards success. Business principles are often
motivated by strategies for profits and market share. Other business principles
include managing the organization's federal and local obligations, human
resources, product development, and a slew of other factors alongside the
pursuit of profit. Business executives must prioritize cybersecurity or risk
an attack that may destroy the company. Managers at every level need to
understand how investing in cybersecurity produces effective, efficient, and
secure results, leading us to develop the Information System Security Plan
(ISSP). The ISSP must fully identify and describe the controls currently in
place or planned for the system and should include a list of rules of
behavior. The existence of, and adherence to, an ISSP is a fundamental
requirement in system security certification. The purpose of the ISSP is to
provide an overview of the security requirements of the system, describe the
controls in place or planned for meeting those requirements, and delineate the
responsibilities and expected behavior of all individuals who access the
system.
Coursework
Reflection
This class explored the balance between technical and non-technical
capabilities that gives an organization the highest possibility of success.
Companies need to balance their business priorities and security. When too
much protection is applied, it hinders business functions and affects the
bottom line. If security is insufficient, companies are exposed to a myriad of
attacks and possible legal problems. A business should carefully create
company policies and utilize current technologies to find that fine line
between security and profitability.
Before the turn of the century, computers were stand-alone machines
without network connectivity, and security was only an afterthought. Over the
last couple of decades, network connectivity allowed computers to share
information and communicate with each other over the internet. Productivity
over the internet grew exponentially, but it also paved a new pathway for
criminals to perpetrate crimes (Gregory J. Touhill, 2014). Over the last ten
years, cyber-attacks on large companies were only discovered after the fact,
costing reputational damage and often the company's executives their jobs.
Thus, I believe the leadership team of any organization must
prioritize information and technology security. The leadership team has
professional and ethical duties to protect their customers.
Sadly, many company CEOs still prioritize profit over security. Those CEOs will face many legal challenges
from state and federal laws and regulations over the next decade. According to
BDO (2018), CEOs appear to be suffering from a “knowing” versus “doing” gap.
We understand that many CEOs are well aware of the cyber risks from our
consulting experience and research. Still, for one or more reasons, often
short-term financially motivated, they choose not to do what needs to be done
to reduce the probability and impact of a cyber breach in their organizations.
In the world of cybersecurity, the adage is quite true: “You can pay now, or you
can pay much more later!”
Reference
FAA. (2021). Develop Preliminary ISSP (Including Basic Security Policy). Retrieved from
https://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/operations/isse/items/c_prelim_issp/
Touhill, G. J., & Touhill, C. J. (2014). Cybersecurity for Executives. Wiley.
Iannarelli, J. G., & O’Shaughnessy, M. (2015). Information Governance and Security.
Elsevier Science.