Abstract:
The nature and number of online threats faced by organisations have increased to the point where a data breach or cybersecurity incident is inevitable despite an explosion in the number of cybersecurity and data privacy tools on the market today. This article analyses shortcomings in traditional approaches to cybersecurity and data privacy by first examining current laws, rules and regulations across the globe, and second by way of example, through the lens of a recent, major cybersecurity incident. Next, this article proposes an alternative comprehensive approach that focuses on creating defensible cybersecurity and data privacy programmes for organisations through enterprise risk management. The enterprise risk management approach addresses a wide range of risks, including information security and legal risks. This article also explores how a comprehensive enterprise risk management strategy, which includes careful risk definition, crafting of policies and procedures aligned with the organisation’s approach to risk management, and a comprehensive corporate compliance programme that ensures the policies and procedures are being followed, can change the outcome and impact of major security incidents.