Chapter 23 Cybersecurity Systems: Acquisition, Development, and Maintenance

Michael Wyatt, Managing Director, Cyber Risk Services, Deloitte Advisory, USA

“It looks like we have some real exposure.” The words so softly addressed to Tom by his general counsel, Alain, slowly sank in. So what happened? A small marketing department in a third-tier market decided that the customer relationship management (CRM) solution offered by headquarters did not meet their needs. So they went ahead, found this very affordable cloud-based solution, and were up and running in no time. And now the cloud provider had a data breach. IT was never involved in managing this application. Nobody seems to know what data was stored there. There is a chance that data from all customers globally was loaded into the cloud. And the contract with the cloud provider does not give us any leverage to do our own investigation.

There is increasing pressure on business functions to deliver value for the company in a short time frame. Business functions are therefore likely to turn to technology solutions, including disruptive technologies, to increase automation, optimize processes, reduce costs, and gain competitive advantage. Too often, cybersecurity is treated as something to be added or “bolted on” to existing applications and systems after the fact. This chapter is intended to help executives understand the foundational elements needed to establish a solid risk-aware process to acquire, develop, and maintain information ...
