In an increasingly challenging threat landscape, many organizations struggle with implementing and enforcing effective cybersecurity governance.
The “Managing Cybersecurity Risk: A Crisis of Confidence” infographic by the CMMI Institute and ISACA states that, “While enterprise leaders recognize that mature cybersecurity is essential to thriving in today’s digital economy, they often lack the insights and data to have peace of mind that their organizations are efficiently and effectively managing cyber risk.” It also shows that cybercrime damages are projected to cost the world $6 trillion annually by 2021, up from $3 trillion in 2015, according to Cybersecurity Ventures, while 87% of C-suite professionals and board members lack confidence in their company’s cybersecurity capabilities.
How, then, can board leaders have confidence in this uncertain COVID-19 landscape that their organizations are prepared? The first order of business for most organizations is to enable a strong cybersecurity governance program.
Understanding cybersecurity governance
Cybersecurity governance refers to the component of an organization’s governance that addresses their dependence on cyberspace in the presence of adversaries. The ISO/IEC 27001 standard, from the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), defines cybersecurity governance as, “The system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.”
Traditionally, cybersecurity is viewed through the lens of a technical or operational issue to be handled in the technology space. Cybersecurity needs to transition from a back office operational function and move into its own area aligned with law, privacy and enterprise risk. The chief information security officer (CISO) should have a seat at the table alongside the CIO, COO, CFO and the CEO. This transition will enable the strongest component of any cybersecurity governance program — the “tone at the top.”
This will help the C-suite understand cybersecurity as an enterprise-wide risk management issue — along with the legal implications of cyber risks — and not solely a technology issue. The C-suite can then set the appropriate tone for the organization, which is the cornerstone of any good governance program. Establishing the right tone at the top is much more than a compliance exercise. It ensures that everyone is working according to plan, as a team, to deliver business activities and protect assets within the context of a risk management and security strategy.
Historically, cybersecurity was managed by implementing a solution to solve a problem or mitigate a risk. Many cybersecurity departments have technical security safeguards, such as firewalls or intrusion detection, but often lack basic cybersecurity governance policies and processes. Where they do exist, policies or processes are often outdated or ignored.
Additionally, many cybersecurity departments have poor or inadequate cybersecurity enterprise training and awareness programs that fail to address all levels of an organization. As we have learned from many recent breaches, organizations have inadequate hardening and patching programs. Poor access-control practices, such as uncontrolled group passwords, shared accounts, proliferated admin privileges, shared root access and the absence of an authorization process (except at a low operational level) also are problematic.
Six steps organizations should follow for their cybersecurity governance program
Here are six steps that can help an organization grow and sharpen their cybersecurity governance program:
- Establish the current state.
  - Complete a cyber-risk assessment to understand the gaps and create a road map to close those gaps.
  - Complete a maturity assessment.
- Create/review/update all cybersecurity policies, standards and processes.
  - Many describe this as “low-hanging fruit,” and it is, but it is a heavy lift. Take the time needed to establish the structure and expectations of cybersecurity governance.
- Approach cybersecurity from an enterprise lens.
  - Understand what data needs to be protected.
  - How are the cyber risks aligned with enterprise risk management?
  - What is the relative priority of cybersecurity investment as compared with other types of investments?
- Increase cybersecurity awareness and training.
  - Understand that with COVID-19, we are no longer just training our employees. With so many people working from home and many children attending school online, it is critical that the entire family understands good cyber hygiene.
- Cyber risk analytics: How are threats modeled and risks contextualized and assessed?
  - When creating the risk model, consider all the risks to your organization: external, internal and third party.
- Monitor, measure, analyze, report and improve.
  - This is not a one-and-done exercise. Establish regular assessment intervals, measure what matters, analyze the data and create an improvement plan.
  - Report to the board on cyber maturity and the cyber-risk posture across the organization.
Finally, leadership matters: Set the tone at the top that makes cybersecurity, and cybersecurity governance, a priority. However, leadership is not everything. Policies, standards and processes align cybersecurity governance with cybersecurity priorities so that the focus does not change as employees change.
Cybersecurity governance crosses organizational boundaries
Cybersecurity cannot work in a vacuum. The distributed nature of cyber risks requires that mitigation efforts connect across the entire organization. Engage everyone.
About the author
Pamela Nigro, CISA, CRISC, CGEIT, CRMA, is an ISACA board director and vice president of information technology and security officer at Home Access Health Corporation. Nigro is experienced in governance, risk, compliance and cybersecurity focusing on the healthcare and insurance industries. She is a recognized subject matter expert in HIPAA, HITRUST, SOC 1, SOC 2, Sarbanes-Oxley (NAIC-MAR) and IT/cybersecurity controls and risk assessments. Nigro is also an adjunct professor at Lewis University, where she teaches graduate-level courses on information security, ethics, risk, IT governance and compliance and management of information systems in the MSIS and MBA programs.