Cyber Risk Governance recently emerged as a distinct discipline. How can we take a 21st century approach to implementing controls that enable boards to actively engage in overseeing cyber risk?
A rash of highly publicized fraud in the late 1990s revealed how poor financial reporting can create massive risk to shareholders. Before that, corporations had reported on their financial condition to boards of directors, but it became evident that more rigorous standardized reporting might prevent similar events from occurring. The Sarbanes-Oxley Act was passed in 2002 to mandate change, and a thriving multi-billion dollar market in financial control systems and services has evolved since then.
In a recent post, we observed that the analogous discipline of cyber risk governance (CRG) has emerged within the past two years, driven by realizations that:
- cybersecurity is not just a technical problem; it’s a governance problem that needs attention across the entire enterprise;
- corporate directors face increasing risk from cyberattacks, including personal liability for breaches; and
- data about internal defenses is critical in organizing efforts to combat cyberterrorism and cybercrime.
If cyber risk governance is a 21st century discipline, then meeting best practice standards for cybergovernance requires a 21st century approach. Yet today, most organizations are using more expensive, less effective, and less comprehensive 20th century solutions. Consultants, spreadsheets, and limited monitoring tools lack the advantages that an automated cyber risk governance platform can provide.
To meet their statutory “duty of care” in mitigating all forms of risk, corporate directors need information. Managing cyber risk effectively requires constantly monitoring progress, updating action plans, evaluating improvements in resilience, and summarizing it all for the board. An initial risk assessment is only the beginning; a full-blown internal control system is needed. Just as financial control systems help organizations manage financial risk, an internal control system for cyber risk governance enables the board and management to actively engage in risk mitigation.
Implementing cyber risk governance begins with assessing an organization’s cyber maturity. Leading standards provide the basis for assessment, and the Cyber Security Framework (CSF) from NIST is widely accepted as the de facto standard. Using CSF as the foundation, an internal control system delivers a comprehensive solution to managing enterprise-wide cyber risk.
The table below contrasts three methods currently used to assess and manage cyber risk:
| | Manual Assessment | Online Surveys | Cyber Risk Control System |
|---|---|---|---|
| Method | Multiple spreadsheets | Links to key individuals who answer online survey | Individual questions assigned to and managed by owners |
| Participants | Internal/external consultants interview many employees | Initially distributed, then redistributed as needed based on responses | Questions pass electronically until most knowledgeable respondent reached |
| Workflow | Single or multiple interviewer(s) fan out across the organization | Survey manually reassigned to additional respondents to fill gaps | Owners of domains forward questions to the most qualified respondent (unlimited handoffs) |
| Effort and Accuracy | Multiple spreadsheets must be reconciled | Multiple surveys must be reconciled | Each question answered once by most knowledgeable respondent |
| Tracking and Reporting | Manual tracking; manual reporting | Manual tracking; manual reporting | Each answer immediately updates board-level dashboard |
| Ongoing Progress | Repeat the process | Repeat the process | Automated guidance prioritizes next actions based on standard |
| Collaboration | Manual | Manual | Workgroups automatically defined to address related actions |
| Distributed Management | Multiple sets of interviewers | Survey links to multiple distributed groups | Automated rollup of multiple instances |
| Adding a Framework | Create customized spreadsheets | Create customized online survey | Map to existing controls; create new dashboard |
Of course, implementing any form of cyber risk assessment is essential, but only capturing cyber status at one point in time falls short of motivating better cyber hygiene. Embedded cyber risk control systems are superior. They enhance operational excellence by continually monitoring critical systems and providing ongoing guidance based on national standards. In contrast to more manual methods, an internal control system for managing cyber risk is a platform for shared communication and collaborating to implement needed controls that reduce risk and build cyber resilience into the enterprise.