In an increasingly challenging threat landscape, many organizations struggle with developing and implementing effective cybersecurity governance.
The "Managing Cybersecurity Risk: A Crisis of Confidence" infographic by the CMMI Institute and ISACA stated: "While enterprise leaders recognize that mature cybersecurity is essential to thriving in today's digital economy, they often lack the insights and data to have peace of mind that their organizations are efficiently and effectively managing cyber risk."
Indeed, damages from cybercrime are projected to cost the world $7 trillion in 2022, according to the "Boardroom Cybersecurity 2022 Report" from Cybersecurity Ventures. As a result, "board members and chief executives are more interested in cybersecurity now than ever before," the report stated, adding that the time is ripe for turning awareness into action.
How, then, can board leaders have confidence that their organizations are prepared against cyber attacks? The first order of business for most organizations is to enable a strong cybersecurity governance program.
What does cybersecurity governance mean and why is it important?
Cybersecurity governance refers to the component of governance that addresses an organization's dependence on cyberspace in the presence of adversaries. The ISO/IEC 27001 standard defines cybersecurity governance as the following:
The system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks.
Traditionally, cybersecurity is viewed through the lens of a technical or operational issue to be handled in the technology space. Cybersecurity planning needs to fully transition from a back-office operational function to its own area aligned with law, privacy and enterprise risk. The CISO should have a seat at the table alongside the CIO, COO, CFO and CEO. This helps the C-suite understand cybersecurity as an enterprise-wide risk management issue -- along with the legal implications of cyber-risks -- and not solely a technology issue.
The C-suite can then set the appropriate tone for the organization, which is the cornerstone of any good governance program. Establishing the right tone at the top is much more than a compliance exercise. It ensures everyone is working according to plan, as a team, to deliver business activities and ensure the protection of assets within the context of a risk management program and security strategy.
Historically, cybersecurity was managed by implementing a solution to solve a problem or mitigate a risk. Many cybersecurity departments have technical security safeguards, such as firewalls or intrusion detection, but often lack basic cybersecurity governance policies, best practices and processes. Where they do exist, policies or processes are often outdated or ignored.
Many cybersecurity departments also have poor or inadequate cybersecurity awareness training programs that fail to address all levels of an organization. As we have learned from recent breaches, many organizations have inadequate hardening and patching programs. Poor access control practices, such as uncontrolled group passwords, shared accounts, proliferated admin privileges, shared root access and the absence of an authorization process except at a low operational level, also are problematic.
6 steps organizations should follow for their cybersecurity governance program
Here are six steps that can help an organization grow and sharpen its cybersecurity governance program:
1. Establish the current state.
   - Complete a cyber-risk assessment to understand the gaps, and create a roadmap to close those gaps.
   - Complete a maturity assessment.
2. Create, review and update all cybersecurity standards, policies and processes.
   - Many describe this as low-hanging fruit -- and it is -- but it is a heavy lift. Take the time needed to establish the structure and expectations of cybersecurity governance.
3. Approach cybersecurity from an enterprise lens.
   - Understand what data needs to be protected.
   - How are the cyber-risks aligned with enterprise risk management?
   - What is the relative priority of cybersecurity investment as compared with other types of investments?
4. Increase cybersecurity awareness and training.
   - With the rise in remote work driven by COVID-19 and the ongoing adoption of hybrid work models, we are no longer just training our internal employees. With so many people working from home and many children attending school online, it is critical that the entire family understands good cyber hygiene.
5. Cyber-risk analytics: How are threats modeled and risks contextualized and assessed?
   - When creating the risk model, consider all the risks to your organization -- external, internal and third party.
6. Monitor, measure, analyze, report and improve.
   - This is not a one-and-done exercise. Establish regular assessment intervals, measure what matters, analyze the data and create an improvement plan.
   - Report to the board on cyber maturity and the cyber-risk posture across the organization.
Security roles and responsibilities cross organizational boundaries
Leadership matters: Set the tone at the top that makes cybersecurity -- and cybersecurity governance -- a priority. But remember that leadership is not everything. Policies, standards and processes align cybersecurity governance with cybersecurity priorities so that cyber safeguards remain strong when leaders and employees change.
Finally, cybersecurity cannot work in a vacuum. The distributed nature of cyber-risks requires that mitigation efforts connect across the entire organization. Engage everyone.
About the author
Pamela (Pam) Nigro, CRMA, CISA, CGEIT, CRISC, CDPSE currently serves as the board chair for ISACA. Presently, Nigro is vice president of security and security officer at Medecision, where she is responsible for all cybersecurity efforts that secure and protect information important to Medecision and its customers, while ensuring the overall cyber resiliency of the company. She is an experienced board member, recognized thought leader and subject matter expert. Nigro is also an adjunct professor at Lewis University in Illinois, where she teaches graduate-level courses on health information security, healthcare data security, privacy, confidentiality, healthcare informatics, ethics, risk, IT governance and compliance, and management of information systems in the MSIS and MBA programs. She has more than 25 years of experience in the healthcare industry and the IT industry and holds numerous IT certifications. Nigro achieved her MBA from Illinois Institute of Technology. She also achieved her "Distinguished Toastmaster" from Toastmasters International. She is an industry and keynote speaker and contributor to industry articles and journals, as well as industry certification review manuals and training materials.