Operational Excellence Through Cyber Risk Governance

Jul 11, 2016

Continuously monitoring and enhancing the cybersecurity infrastructure that supports online services will improve operational excellence.

“Cyber risk governance is ‘a framework adopted within an organization to deal with the new and evolving risks relating to cyber space both within the organization and as the organization interfaces with the outside world… Cyber risk governance begins with the board…'”

Andrea Bonime-Blanc, JD, PhD
“Emerging Practices In Cyber Risk Governance”
The Conference Board, October 2015

Given the reality of Marc Andreessen’s oft-quoted observation that “more and more businesses and industries are being run on software and delivered as online services,” it should be clear that continuously improving the infrastructure underlying those online services will have a strong positive impact on operations. We believe that cybersecurity improvements are a key part of that process.

“The Allianz 2016 Risk Barometer reports that cyber incidents are considered as the top emerging business risk for the long-term future (+10 years), far exceeding the risk of business interruption or terrorism…[Yet] the latest 2016 survey from Osterman Research and Bay Dynamics discloses that only 39% of [IT and security executives] feel like they are getting the support they need from the board to address [cyber] threats.”

Bob Zukis
The Conference Board Governance Center Blog
June 16, 2016

How can board oversight of cybersecurity improve business operations? The Institute for Operational Excellence has recommended several steps to achieve operational excellence through continuous improvements. Adapting these steps to cyber risk governance suggests three objectives:

  1. Establish a system where everyone, from the board of directors and executives through operational employees, understands their role in cyber risk mitigation.
  2. Make implementation of the system so visual that anyone, including an outsider, can see the cyber risk status of the organization.
  3. Create a standard methodology for addressing cyber risk shortcomings without requiring management intervention.

Cybernance helps corporate directors protect themselves from personal liability for breaches by enabling them to oversee cyber risk. As we searched in the early days for a platform to support that process, we discovered that strong compliance frameworks existed in various areas, but a definitive model suitable for driving oversight of cyber risk compliance didn’t exist. We needed a comprehensive model enabling directors, executives, and security professionals to communicate clearly about cyber risk, so we created the Cybergovernance Maturity Oversight Model to fill the gap by integrating existing standards.

How can a system based upon a comprehensive model address the three cyber risk governance objectives identified above?

  1. Establish a system where everyone from the board of directors and executives down through operational employees understands their role in cyber risk mitigation.

    Use a model based upon existing standards to preclude any doubt about its validity. Implement an assessment and monitoring system around the model and use the model’s established processes to drive continuous improvements.

  2. Make implementation of the system so visual that anyone, including an outsider, can see the cyber risk status of the organization.

    Employ a system dashboard to display an overall measurement plus views across multiple dimensions and domains. Done well, this lets board members ask intelligent questions about cyber risk status and suggest improvements without having to become technical experts.

  3. Create a standard methodology for addressing cyber risk shortcomings without requiring management intervention.

    Ensure that the system manages communication between employees across the organization. Managers must be able to monitor progress and offer help as needed, but the system itself should supply prioritized actions that lead employees to results without management intervention.

Cyber risk governance, properly pursued, has a significant impact on achieving operational excellence. A system founded upon the three objectives above enables continual monitoring and assessment of the hundreds of controls that support online services. The resulting stream of continual improvements guides the organization to higher levels of operational excellence.

“What’s measured improves.”
Peter Drucker
