A Universal Model for Assessing Cyber Risk Part 3: Obstacles to Effective Regulation
Part 1 examined how the increasing incidence of cyber breaches is bringing significant pressure on corporate directors to assume more oversight of cyber risk. In part 2 we contrasted the rise of cybergovernance (cybersecurity governance) with the history of financial governance following the passage of the Sarbanes-Oxley Act.
Part 3 explains why technology alone is inadequate to address the cybersecurity challenges we face.
The widely held view that cybersecurity is the exclusive domain of technologists ignores the vast majority of failure points that exist within the greater workforce. Applying available robust technology is important, but a mature security program must be built of more than just technology. Until broader communication about and responsibility for cyber risk results in a security-focused culture, significant improvement in this area will be constrained.
Managing cyber risk is a business problem rooted in organizational structure, and thus requires attention to the interactions between those structures. Examples of these interactions are manifold:
- Does Risk Management collaborate with IT to understand the type of information assets that the organization relies upon?
- Has Procurement been involved in creating processes that ensure new assets will be accounted for?
- When vendors gain access to the organization’s assets, who monitors this access?
- Amid all of this, does Human Resources provide cybersecurity training to relevant roles, and ensure that the training is effective?
- Are these tasks being managed by counsel so that the information and communications are protected from disclosure by the attorney-client communication privilege in prospective litigation?
While none of these questions stands alone as a flashing indicator of vulnerability, each of them serves as a gauge of the organization’s overall “cybersecurity maturity.” Taken together, a holistic assessment of security maturity can yield valuable insights about where an attack is likely to originate – and enable managers to take action to mitigate against those weak areas.
The Second Machine Age examines the impact of technology on businesses, and finds that for every dollar invested in technology hardware, nine more dollars must be invested in software, training, and business process redesign in order for the investment to realize its intended gains. Investments in cybersecurity technology are critically important as a cornerstone of any resilient security program, but in order to be effective, those investments must be integrated with the business through training, protocols, management, and continuous monitoring.
Before widespread improvement in the current set of circumstances can occur, three obstacles must be addressed:
- Non-technical directors lack a common frame of reference with management, security organizations, and other stakeholders, e.g. regulators. They are challenged in their efforts to improve the company’s overall posture as long as individual decision-making contexts used by directors, management, and security staff are not aligned.
- Cybersecurity organizations struggle to communicate effectively with the rest of the organization. Because most management teams treat cyber risk as an IT problem, the information available for a broader risk discussion often comprises reports of the technology measures taken and is too detailed for non-technical board members to comprehend. According to Ken Daly, CEO of the National Association of Corporate Directors, “It’s critical that we start to demystify cybersecurity for the director community. Directors don’t need to be technology experts, but they must play an effective role in cyber-risk oversight.”
- Existing cybersecurity standards differ in how they are interpreted and used across organizations, making comparisons difficult. Without agreement on one standard for cybergovernance, regulators will encounter difficulty in differentiating effective organizations from ineffective ones, much less comparing one company to its peer group.
These obstacles make it clear that we need a common context that a widely used cybergovernance model would provide.