The stakes on getting cybersecurity right have never been higher for businesses. With threats multiplying, the frequency of attacks accelerating and the average cost per breach increasing, the incentive for organisations of all types and sizes to get their cybersecurity protocols right couldn’t be clearer.
Yet there is still a feeling that, when it comes to oversight, accountability and strategic alignment with broader business objectives, governance of cybersecurity outside the IT department is still not up to scratch. Not when the combined value of direct losses arising from a breach, including possible GDPR fines, can easily run into tens of millions of pounds at any rate, not to mention the indirect damage caused to corporate reputation and so on.
There are various reasons put forward to explain why this is the case – a lack of sufficient understanding about cybersecurity in the boardroom, for example, confused lines of responsibility and/or reporting, low-quality profiling of a company’s risk profile leading to inadequate metrics, or on the flipside of this, too much focus on metrics and not enough concern with what cybersecurity actually means to the business.
So what constitutes effective governance of cybersecurity operations in the modern high-risk digital landscape? Here are four key principles.
Asking the right questions
The surest way C-level executives can demonstrate they have a strong grasp of how important cybersecurity has become is by asking the right questions of security teams. Too often, cybersecurity oversight is reduced to metrics like how many threats have we blocked in the last quarter?
The problem with taking a purely quantitative approach to judging the success of cybersecurity operations is that it only takes one breach to cause massive financial damage. Strong governance should focus on the what-ifs? as much as what has actually happened – what is our risk profile, how is it changing, what do we have in place at each risk point, are these the most robust and/or best value solutions, who is responsible for each?
Good governance should also reflect a culture of support for cybersecurity that implicitly recognises its importance to the wider business. This can also be demonstrated in the types of questions asked, e.g. what do you need from us to improve? How can we support you more?
Clear definition of strategy and goals
Businesses are spending significant sums on cybersecurity – as much as 10% of their overall IT budget, according to one recent study. From the perspective of robust financial governance, that should prompt detailed questions about how the money is being spent, whether the spending represents good value, and so on. And to be able to judge that, organisations need clear strategies and goals to guide their cybersecurity activities.
Strategic planning of cybersecurity activity includes things like identifying vulnerabilities, prioritising risks, assessing the effectiveness countermeasures (e.g. will preventative or responsive measures work best?) and evaluating the resources available to combat threats. From there, businesses can come up with a clear plan of how and where cybersecurity activity can have the optimum impact, and define objectives and targets accordingly.
According to a recent report from Gartner, the culture surrounding cybersecurity governance has long been defined by the tendency of boards to ask for quarterly reports from the InfoSec teams and then, assuming the data looks in order, leave them to it for another three months.
Cybersecurity is an incredibly dynamic and fast-moving field. In those three months, your organisation could easily suffer a massive breach from a previously overlooked threat and be exposed to heavy financial and reputational losses. Good governance must reflect the operational realities of cybersecurity – it must be up-to-date and responsive to an ever-changing environment.
This is key both to non-technical executives improving their understanding of cybersecurity and to ensuring businesses are getting best value from their considerable investments.
Focusing on what cybersecurity can add to the business
Finally, one of the reasons Gartner believes boards are now breaking out of the quarterly reporting model and looking to engage cybersecurity professionals in more of a continuous conversation is the growing recognition of the core value cybersecurity has for the modern business.
Indeed, instead of thinking of cybersecurity from the purely insurance-like mindsight of offering protection against risks and weaknesses, best practice examples of governance are increasingly shifting focus to ask how cybersecurity can add value to a business, bringing strengths and opportunities into the equation too.
The rationale is straightforward – lowering the risk of system outages and deteriorating performance caused by malware, hacking, DDoS, and so on translates into more uptime, more efficient operations, better user/customer experience. These are positive goals with intrinsic value to any business, and underline why effective governance of cybersecurity should treat it as a core business asset.