5. The Approach to Cybersecurity: Cyber Risk Management 97

Computer Emergency Readiness Team (US-CERT). US-CERT was created in 2003 “to protect the Nation’s Internet infrastructure by coordinating defense against and response to cyber attacks.”5 It hosts a website with resources for implementing cybersecurity, operates a national cyber emergency alert system, and coordinates responses to major cyber incidents. All business leaders need to be aware of these cybersecurity resources.

Responsible organizations operate not only in accordance with the letter of the law but also according to best practices and an ethical code of conduct (more on this in Chapter 10). Leadership’s ignorance of best practices, laws, rights, and ethics is not an acceptable defense in a court of law, and could be evidence of gross negligence. Gross negligence is the willful disregard of and failure to comply with best practices. In the case of gross negligence, the organization carries a high risk of cyber incidents followed by litigation that could put it out of business or even land its leadership in jail.

Leaders of an organization and others responsible for cybersecurity can defend themselves from civil and criminal lawsuits by demonstrating that they performed their due diligence. Due diligence is a threshold based on what a “prudent man” would do to safeguard an organization. It can be demonstrated by showing the results of an audit or pentest and by producing documentation proving that cybersecurity policies were in place and being followed. Policies are written guidance that defines how actions are to be performed. These documents create a standard and define a repeatable process. They should be thoughtfully created with cybersecurity (and other concerns) in mind. Template policies addressing common business functions are widely available for free online and can be customized to suit the purposes of a particular organization.

To show they performed due diligence, leaders can also provide evidence of employee cybersecurity training and awareness raising. Raising awareness for cybersecurity consists of small actions taken to regularly expose employees to cybersecurity threats and best practices; an example is periodic announcements highlighting social engineering tactics. Additionally, organizations should regularly remind employees of the expectations for ethical behavior. One way to do this is by posting ethical codes of conduct in conspicuous places around the organization.

5.2 Security Tradeoffs

“There’s no such thing as a free lunch.” - Popular saying

One of the most well-known axioms in cybersecurity is that there is no such thing as 100% security. This is literally true because there is no limit to the amount of protection resources that could be allocated to cybersecurity. But more importantly, the axiom highlights the difficulty of cybersecurity. The only way for organizations to achieve perfect cybersecurity would be by eliminating all of their dependencies on cyberspace. This is

5 cisa.gov website. US-CERT - Info Sheet. Retrieved June 2025.