Choosing the right standards to follow is important. So is establishing a cyber risk platform that enables communication among all key stakeholders. But most important is placing ownership where it belongs.
In a recent LinkedIn post, the president of the Open Compliance & Ethics Group (OCEG) challenges us to think about where ownership of cybersecurity should reside in an organization. It’s a trick question, of course – everyone’s responsible.
Carole Switzer’s insightful article highlights how the constantly changing face of cyber attacks challenges organizations to keep up. She highlights several new ways that the bad guys invade an organization, and she suggests that using a standard like “OCEG’s GRC Capability Model for defining the risks and establishing protections against them is helpful.” From her description, the model provides a guide for identifying key factors, ranking them, developing an initial approach to improvements, and putting in place a way to continuously monitor key controls.
The NIST Cybersecurity Infrastructure Framework has become the de facto “gold standard” in the U.S. for evaluating the efficacy of cyber risk mitigation:
- Objectives are stated in comprehensive and comprehensible business terms.
- It assesses not only prevention of external threats, but also internal improvements in culture and advances in managing external supply chain risk.
- It is non-prescriptive, allowing management to manage the details, like selecting the technologies to implement, while keeping everyone informed of the organization’s risk mitigation status.
While the NIST Framework is the most widely accepted, other cyber risk models are based on a common broad set of controls. Each standard derives its value from how it uniquely organizes the controls into a useful framework. The NIST Framework, C2M2 from the Department of Energy, ISO 27001, and the cyber directives of HIPAA, FINRA, PCI and other industry-specific frameworks share a common “DNA.”
Once industry-appropriate standard(s) are chosen, it is critical to create a shared cybergovernance platform and track desired business outcomes based on these standards. A shared platform enables stakeholders – directors, management, security staff, and vendor partners – to operate effectively within a well-understood decision-making framework. A common platform:
- Incorporates existing standards – NIST, DoE, FINRA, HIPAA, FERPA, ISO (and perhaps the OCEG model) – to provide a comprehensive assessment and monitoring system;
- Relieves directors from having to become technology experts and fosters business-level discussions of cybersecurity between relevant stakeholders, including directors, management, and vendors;
- Removes the threat of personal liability by empowering directors to exercise effective oversight while their actions are recorded as a potential defense; and
- Is specific enough to allow tracking of progress between board meetings.
For years, responsibility for cybersecurity has fallen solely upon those in charge of information technology. Executive management has expected the CIO and IT staff to make sure the organization’s networks were safe. While the threat of a breach was well established, the risk was perceived as relatively manageable.
Cybersecurity is not exclusively an IT problem. A breach can represent a significant threat to valuation, so the ultimate responsibility for improving organizational cyberattack readiness has been elevated to the board of directors. Statements and actions by the SEC and the FTC are pressuring corporate directors to assume a larger role in urging their companies to attain greater cybersecurity maturity.
Who owns cybersecurity in an organization? The answer is everyone – but the ultimate responsibility for maintaining an appropriate focus on cyber risk mitigation is the board of directors.