1. How can we embrace the two opposing but interrelated concepts of transparency in governance and cyber security? How can we balance both?
I think unrestricted dissemination and sharing of product benchmarks and real-world experiences are critical to a safer digital world. Vendors must incorporate openness, communication, and accountability into their business operations. And I would like to say that transparency is a great equaliser and should be embraced by all.
2. Why is cybersecurity vital for governance?
Cybersecurity during governance determines how organisations prevent, detect, and respond to cyber threats and cyberattacks. That is why it is critical for proper risk and security management. Effective cybersecurity governance focuses on risk management and security awareness to reduce the size of the risk landscape.
3. Is it possible to develop and implement exemplarily effective cybersecurity and transparency protocols in governance? Could you pinpoint a few examples?
Yes, it is possible. Let me explain that with the help of a few (high-level) steps.
Step 1: Identify the existing situation:
Carry out a cyber-risk assessment to identify the gaps, develop a plan to fill them, and finish the maturity evaluation.
Step 2: Develop, review, and update all procedures, policies, and standards related to cybersecurity:
While it is true that this is low-hanging fruit, many people consider it a hefty lift. Invest the time necessary to define the framework and standards for cybersecurity governance.
Step 3: Approach cybersecurity through the perspective of the enterprise:
Discover the information that must be kept secure on a perpetual basis.
Step 4: Evaluate how enterprise risk management relates to cyber risks:
Increase training and awareness of cybersecurity. We are no longer merely educating our internal staff due to the increase in remote work caused by COVID-19 and the growing implementation of hybrid work models. The entire family needs to be aware of good internet hygiene because so many individuals work from home, and many kids take their classes online.
4. Cyber-risk analytics: How are threats modelled and risks contextualised and assessed?
When creating the risk model, consider all the risks to your organisation — external, internal, and third-party; don’t fail to monitor, measure, analyse, report, and improve all the connected aspects. This is not a one-and-done exercise. Establish regular assessment intervals, measure what matters, analyse the data and create an improvement plan. Report to the board on cyber maturity and the cyber-risk posture across the organisation.
5. How are cyber-risks aligned with enterprise risk management? Why should an organisation grow and sharpen its cybersecurity governance program?
Well, it is essential to know that cybersecurity is a problem that will never be solved, but rather, a risk to be managed. By looking at threats from a business perspective, executives can make the right decisions with protection and operational success. By including the relevant business context in cyber risk analysis, one can prioritise risks and take the next steps more effectively. As organisations increasingly rely on technology for their day-to-day operations, cybersecurity has become essential to comprehensive enterprise risk management.
The best practices to sharpen a cybersecurity governance program are to develop a Cyber Governance Committee/Team consisting of business leaders, key stakeholders, and business representatives (e.g., CEO, CLO, CMO, HR, etc.). And develop a charter including critical cyber risk management strategies, KPIs, and the ability to enforce these strategies and initiatives. Establishing business-level reporting on upcoming business activities, market initiatives, and product/service development plans will be better.
I think enhancing the role of the CISO by working with business leaders to translate cyber risk’s technical and tactical components into standard business terms and aligning these to business strategies and initiatives can also help sharpen a cybersecurity governance program. The CIO/CEO empowers the CISO to develop the principles and initiatives for managing enterprise cyber risk across the organisation, including mitigation strategies and guidelines.
I want to add some more to it. For example, developing executive and board of director reporting formats and content to align business initiatives, cyber risk management strategies, and necessities is important. Apart from this, including executive oversight in cyber risk strategy and budget planning to ensure cyber risk investments are aligned to and enable the business to pursue market initiatives is equally important.
6. What is the relative priority of cybersecurity investments compared to other investments?
I consider that the primary goal of investing in cybersecurity is to protect customer data. In a business-to-consumer (B2C) operation, there will be the business-to-business (B2B) operation with suppliers and vendors where sensitive information is exchanged. A business’s confidential data is stored on other servers in the hope that they are secure. This makes it more important to invest in cybersecurity than in diverse other types of investments.