A key initiative that enterprises should not overlook is the need for IT teams to bridge the gap between the chief information security officers (CISOs) and their organization’s board of directors (BoD).
It is my view that cyberrisk is neither IT nor technology-centric; it is much more encompassing. It is actually a business risk that could determine the survival of an enterprise. Enterprise executives are accountable to shareholders, and the BoD has the fiduciary duty to ensure that internal controls are in place to protect against cyberrisk and thwart any cyberthreats to protect the enterprise as a whole.
Often, enterprises have difficulty measuring how secure their assets are, the degree of security they should have and how much risk they are willing to tolerate. A CISO with a technical background may rely too heavily on cyberstandards and try to cover every aspect of risk from small to large. Achieving complete cyberthreat immunity is not possible, and even if it is attempted, it may not be worth the cost.
I have witnessed a number of cybersecurity and IT professionals lose their compass. It has been reported in various surveys—and I attest to it—that many enterprises lack convincing, structural approaches to make effective decisions around cybersecurity.
Because of the technical background of cyberprofessionals, there often is a tendency to put too much emphasis on the technology solution to manage cyberrisk, overlooking the people and processes.
Explanations and understandings of risk have disparate meanings to BoDs and cyberprofessionals. It is the job of the CISO to bridge cybertechnology, as a sub-servant, to the enterprise business requirements. This can be done effectively by developing a cyberrisk model.
When developing a cyberrisk model, consider the following:
- Align cybergovernance to the enterprise priority.
- Focus on the cyberrisk, threats and essential key controls for various assets.
- Focus the investments on economics, resources and process improvements.
- Remove complexity and confusion by clarifying a cyberstrategy.
- Provide clear communication with various stakeholders, executive team members, senior management and technical staff.
- Enable effective monitoring and meaningful cyberreporting.
- Revisit and recalibrate enterprise posture when assets, threats and technology change.
- Build an effective cyberorganization with clear job requirements and responsibilities.
- Transition the organization from a cybersecurity culture to a cyberresiliency culture.
- Improve cyberprocesses, policies and procedures.
Editor’s note: For further insights on this topic, read Robert Putrus’s recent Journal article, “Effective Reporting to the BoD on Critical Assets, Cyberthreats and Key Controls: The Qualitative and Quantitative Model,” ISACA Journal, volume 1, 2021.
Don't forget—Members can earn free CPE from ISACA Journal quizzes!