Acquisition Risk Analysis: 1047078

Introduction

Research has found that cybersecurity has become a critical part of today's society, which depends heavily on technology, as both threat actors and defenders continuously develop new services and products to outdo one another. The far-reaching need created by the ever-changing cybercrime environment is one reason the cybersecurity sector has had such a hard time gaining acknowledgement as a legitimate industry. While other technology segments are driven by higher production and declining technical shortcomings, the cybersecurity industry is driven by exponentially rising cases of cybercrime; this is the primary reason the industry exists at all (Trautman, 2015). Consequently, the sector pays back to society by safeguarding all users' data and information from falling into malicious hands, which could otherwise lead to catastrophic losses of both money and privacy. Without cybersecurity practices in place, organizations could lose vital resources as well as clients who can no longer trust them to secure their digital resources and data. Many needs call for cybersecurity services and products, such as endpoint protection for personal computers (PCs), mobile devices and laptops, consultation to build or strengthen defenses, and network security to protect networks against intrusion and unauthorized access. In light of the significance of, and need for, the cybersecurity sector, this paper explores the major features of risk management in the procurement of cybersecurity services and products by buyers and suppliers, covering product accountability concerns, operational risks, and the significance of IT control frameworks.

Product Accountability in the Cybersecurity Industry

Product accountability means that a provider is held accountable for supplying a faulty product to an end user, whether intentionally or not. The product is supposed to meet the customer's normal expectations; therefore, if consumers experience a fault or loss, the producer is held responsible for failing to meet the reasonable expectations of its product. Product accountability is thus the driving force for businesses to ensure that their products and services meet expectations in order to avoid being sued. Nonetheless, product liability is almost non-existent in the cybersecurity industry. Almost all cybersecurity corporations, if not all, declare themselves leaders in the sector, capable of safeguarding clients' information and data without incident, even though this may not be true.

The reality is that cybersecurity services and products can fail as cyber risks keep evolving. Nevertheless, cybersecurity corporations are not held accountable when their products fail, which pushes the sector toward being reactive rather than proactive. The lack of product accountability imposed on cybersecurity companies has been suggested as a key cause of some cyber attacks and as support for the growing demand for cybersecurity legal liability in the current corporate world (Park, 2018). Intensified regulation has increased the cost of cyber products, yet no industry standard exists, which has made the environment more challenging for cybersecurity purchasers attempting to ensure that they buy the best services and products.

According to Von Solms and Van Niekerk (2013), cyber product liability will only be fully realized when the risk management strategies of many organizations adopt product accountability in the procurement of cyber insurance. Cyber insurance helps companies recover from cyber attacks that result from a provider's product failing to secure their cyber assets. Although cyber insurance plays a critical role in a company's financial recovery, clients still suffer from having their information stolen without any actual reimbursement. In this sense, cyber insurance acts as a middle ground that protects companies in the event of a cyber attack; however, it is not an appropriate substitute for proper cyber product accountability requirements.

Operational Risk

Peltier (2016) defines cybersecurity operational risks as risks whose consequences affect the availability, confidentiality and integrity of information and information systems. Operational risks can occur in different forms, but all of them can significantly affect buyers and suppliers of cybersecurity products and services. The sources of cybersecurity operational risks are grouped into four key classes: actions of individuals, technology and system failure, internal processes, and external events. Research has found that the most prevalent cyber operational risks originate from the actions of individuals, whether through mistakes and errors, unintentional or deliberate, or through sabotage, fraud and theft (Cebula & Young, 2010). Whenever operational risks materialize, security is compromised and both users and suppliers experience major cybersecurity impacts.

If a cybersecurity supplier overlooks a key operational risk, such as a software developer failing to update the software appropriately, the results can be catastrophic. Compromised cybersecurity services and products can cause companies massive losses, costing millions of shillings to fix the problem or even leading to the closure of the business (Chou, 2013). Beyond the expense of fixing the compromised system and the loss of data, existing and potential customers begin to doubt the company, lose faith in it, and seek a different company they can trust. This loss of customer support hits not only the business that suffered the operational risk but also the cybersecurity supplier that created it. To mitigate such operational risks from cybersecurity products and services, a risk transfer agreement is usually made.

According to Liscouski (2014), risk transfer is an operational risk management approach through which a company moves risk away from itself by requiring users to pay a premium to insurance firms in exchange for protection. The purchased insurance then covers the cybersecurity supplier financially if an operational risk materializes. Even though risk transfer helps suppliers offset the fiscal impact of a cyber event, the purchasing organization's brand reputation may still be hard to recover. The best cybersecurity suppliers understand that they must design products and services that support mobility and reduce operational risks to the greatest possible extent. Suppliers that cannot meet this need are highly likely to lose their competitive advantage in the market very quickly (Martyn, 2015).

Significance of IT Governance Frameworks

Information technology governance provides a structure that ensures a corporation's IT investment supports its business objectives (Lindros, 2017). Organizations face numerous regulations governing the protection of data while also being under pressure from customers, shareholders and stakeholders. Research has shown that when IT investments are focused on business goals, they produce measurable results that help attain organizational goals effectively. To ensure that a business meets both internal and external IT needs, a formal IT governance structure has to be implemented, such as the Information Technology Infrastructure Library (ITIL), Control Objectives for Information and Related Technology (COBIT) or the ISO/IEC 27002 standard.

COBIT is a governance framework developed by ISACA that offers an extensive set of tools, practices and models for managing enterprise IT worldwide. It is widely used by companies whose focus is risk mitigation and risk management (Kohgadai, 2017). COBIT can therefore be used to understand how a particular cybersecurity service or product contributes to managing cyber risks and to determine whether it is suitable for the business. ITIL, by contrast, is a set of IT best practices designed to streamline IT operations and services by providing smooth and maximally efficient use of resources; it helps businesses define basic security requirements, which in turn aids application management. The ISO/IEC 27002 standard is an IT security guideline that offers organizational guidance on IT security controls. It offers recommendations similar to those of ITIL, but every business must perform its own risk evaluation to identify its specific needs before deciding on IT services or products. For instance, ISO/IEC 27002 is primarily recommended for the physical protection of the business, monitoring access to secure areas with entry controls that are reviewed every year.

IT governance structures are significant to a business in various ways. First, a structured framework provides an excellent model that a business can follow. It also helps ensure that everyone in the organization stays on the same page, since they can all see what is expected of them. Following IT standards likewise allows for knowledge sharing, making it possible for employees to share ideas within organizations (Antonucci, 2017). In addition, COBIT is both an IT governance framework and a supporting tool that enables managers to bridge the gap between technical issues, business risks and control requirements (Evans, 2016). COBIT also allows clear policies and good practices for IT control to be established across the company, which helps increase the value achieved from IT.

Summary

The cybersecurity sector is of great benefit to society because it works to safeguard all users' data and personal information from landing in the hands of malicious people. In the process, cybersecurity saves users from losing money, data and their private information. Nevertheless, the sector is still far from offering full security to its customers. Cybersecurity contractors are in a continuous struggle to stay ahead of intruders in order to minimize the countless potential operational risks (Janakiraman & Narayanan, 2019). The ever-expanding operational risks have even given rise to new services and products such as cyber insurance. In addition, the cybersecurity industry lacks product liability and standardization, which is likely to create a challenging business environment. Cybersecurity businesses that are not subject to product liability cannot be held responsible when the service offered does not deliver what was promised. Although companies worldwide are striving to implement product liability standards for cybersecurity products and services, consumers will inevitably keep suffering from the same problem (Smith, 2016).

In conclusion, using IT governance frameworks will help companies manage cyber risks on their own. The cybersecurity sector is still developing and will keep evolving, and cyber risks will also keep growing as new technology is implemented.

References

Antonucci, D. (2017). The Cyber Risk Handbook: Creating and Measuring Effective Cybersecurity Capabilities. John Wiley & Sons.

Cebula, J. J., & Young, L. R. (2010). A Taxonomy of Operational Cyber Security Risks. Software Engineering Institute, 1-47. doi:10.21236/ada609863

Chou, T. S. (2013). Security threats on cloud computing vulnerabilities. International Journal of Computer Science & Information Technology, 5(3), 79.

Evans, L. (2016). Protecting information assets using ISO/IEC security standards. Information Management, 50(6), 28.

Janakiraman, V., & Narayanan, A. (2019). Ensuring Site Reliability through Security Controls.

Kohgadai, A. (2017, December 14). Top Cyber Security Companies and Vendors. Retrieved July 15, 2018, from https://www.skyhighnetworks.com/cloud-security-blog/top-cyber-security-companies-and-vendors/

Lindros, K. (2017, July 31). What is IT governance? A formal way to align IT & business strategy. Retrieved July 15, 2018, from https://www.cio.com/article/2438931/governance/governanceit-governance-definition-and-solutions.html

Liscouski, B. (2014, April 01). Measuring the Role of Risk Transfer in Cybersecurity Management. Retrieved July 15, 2018, from https://www.securitymagazine.com/articles/85371-measuring-the-role-of-risk-transfer-in-cybersecurity-management

Martyn, P. (2015, June 25). Risky Business: Cybersecurity and Supply Chain Management. Retrieved July 15, 2018, from https://www.forbes.com/sites/paulmartyn/2015/06/23/risky-business-cyber-security-and-supply-chain-management/#7cc96b5f5554

Park, M. (2018, April 18). 2018 Cybersecurity Market Report. Retrieved July 15, 2018, from https://cybersecurityventures.com/cybersecurity-market-report/

Peltier, T. R. (2016). Information Security Policies, Procedures, and Standards: Guidelines for Effective Information Security Management. Auerbach Publications.

Smith, J. (2016, January 15). Businesses desperate for clarity on reasonable level of security. Retrieved July 15, 2018, from https://www.infosecurity-magazine.com/opinions/liability-change-attitudes/

Trautman, L. J. (2015). E-Commerce, cyber, and electronic payment system risks: lessons from PayPal. UC Davis Bus. LJ, 16, 261.

Von Solms, R., & Van Niekerk, J. (2013). From information security to cyber security. Computers & Security, 38, 97-102.