What Is Cyber Governance, And Why Is It A Key Security Ingredient?
Ask anyone in the corporate world what matters most when it comes to cyber security, and the answers will most likely vary between investment, expertise, penetration testing, and security tools. But there is one often ignored main ingredient: governance.
Effective project managers will tell you that without governance, any new or ongoing initiative is doomed to failure, or at best, mediocre success. But let’s face it, when it comes to protecting an organisation from the theft of IP, money, or its ability to operate, mediocrity is not acceptable.
Even the smallest failure can cost millions in loss of revenue. According to IBM Research, the average cost of a data breach is now £2.7m; enough to fatally wound the financials of any SME. It may be the financial cost of business interruption and fines which garners the most concern by senior board members, but the reputational impact should be taken more seriously. Millennials, who are now overtaking baby boomers as the dominant consumers, take their data privacy seriously, and are concerned companies are not doing enough to protect it. This, in turn, helps determine where they spend their hard-earned money. As such, cyber-security is no longer just about managing risk, but it is now a critical determinant of business strategy and even a potential competitive differentiator.
Traditional corporate governance is about direction and control, focusing on the essential dimensions of finance, strategy, performance, and risk management. While cyber security may be on the agenda of board meetings, particularly due to the rising risk of specific cyber breaches, it may not be discussed consistently, with expertise in attendance, and in the context of strategy and the financial investment needed. Thankfully, times are changing; cyber security is now gaining the attention and focus it deserves, leading to more businesses implementing a dedicated governance structure.
The UK Government’s FTSE 350 Cyber Governance Health Check 2018 report confirms that cyber threats are increasingly seen as a ‘very high risk’, and the board level of understanding of the critical assets at risk is improving; “just over half (54%) of businesses in 2018 rated the board’s understanding of critical information, data assets and systems as comprehensive. This compares to 43% of boards in 2017 and 32% in 2015/16 stating they had a clear understanding”.
What is governance in the context of cyber security?
Cyber security governance is a sub-function of overall corporate governance, which helps determine information security strategies, ensures high-level cyber business risks are assessed and ensures appropriate resources are funded and made available. It would be impractical for the board to be responsible for this function in isolation; they generally lack the time capacity and expertise to do so. As such, they rely on an organisational cyber security governance framework (across all functions, geographies, and levels of hierarchy), which ensures that the necessary systems, processes, and training are in place, and information is fed back to the top for decision making. Without a systematic consideration of cyber security needs in all departments and at all levels, there remains the potential for risks to go unmitigated. It should also be understood that there is no one-size cyber security governance framework. Every business is unique, and hence so are the structures and processes required to mitigate cyber risks.
A framework for organisational cyber security
The National Cyber Security Centre (NCSC) provides a considerable amount of resources for company boards who are grappling with the challenge of ensuring cyber protection. They recommend that any framework should include the following controls:
- how cyber / information risks are escalated
- what the threshold is for Board involvement in a risk decision
- how to convey the confidence in a particular risk assessment
- how often risks are reviewed
- who owns individual risks
- who is responsible for the framework itself and for ensuring it is fit for purpose
Frameworks for cyber / information security do not need to be developed from the ground up. Well-proven and established frameworks already exist, including ISO/IEC 27002 – The code of practice for information security controls, and the NCSC’s Cyber Assessment Framework (CAF) 3.0. By leveraging existing frameworks, organisations can rapidly implement what are considered to be cyber security best practices across their organisation. ISO/IEC 27002, for example, covers a wide range of points including information security policies, operational security, asset management, physical and environmental security, human resources security, compliance, communications security, incident management, and supplier relationships.
From a resource perspective, some organisations have a dedicated cyber security team, with the resources and responsibility necessary to implement and monitor systems, people, and processes across their organisation. It is this specialist team who then reports to the executive board of directors, to provide updates, education, make recommendations, seek permission, and help steer strategy. Larger firms sometimes employ a chief information security officer (CISO), whose role it is to safeguard a firm’s systems, communications, and other essential assets, from internal and external cyber threats.
The commercial world has moved light-years beyond seeing cyber security solely as a matter for information technology specialists. Effective cyber security management is also about people, culture, and processes. Everyone is responsible for ensuring cyber and information security, regardless of position, location, and role; but it is the senior management and board that set the tone and direction. Board members are accountable for cyber breaches, and, therefore, have a vested interest in ensuring that their organisation’s cyber governance is as mature as possible and conforms to the latest best practice. Investing the time and money to protect your own interests, and those of the business, your clients, and other stakeholders will prove invaluable in the decades ahead.