People, Process, Technology: A Three-Pronged Approach To Cyber Risk Governance

In an increasingly complex and chaotic environment, it is necessary to establish a more robust framework for managing cybersecurity risk. A guide.

Navigating today’s cybersecurity landscape is a daunting task. While organizations are investing in digital innovation, leveraging data and relying on global supply chains for growth, cyber threat actors are looking for and finding creative ways to disrupt digital systems and access information. Indirect entry points through the Internet of Things (IoT), connected devices and weaknesses in third parties along the supply chain lead cyber risk teams to look beyond their organizations’ four walls in their efforts to build, implement and maintain an effective cybersecurity strategy.

While many organizations are struggling to deal effectively and sustainably with ever-evolving cybersecurity threats, a group of organizations are emerging as leaders in managing cyber risk. According to Accenture’s Third Annual State of Cyber Resilience report, these organizations are better and faster at stopping attacks, finding and fixing breaches and mitigating the impact of those breaches. Their success appears to be a result of their ability to collaborate with other organizations in defending against attacks, investing in tools that improve the speed of detection, response and recovery, and more effectively implementing the basics of cybersecurity—including training and education.

Strategy rests in large part with an organization’s cybersecurity and information technology teams. A strong cyber risk governance framework is essential. In addition, boards have cybersecurity oversight responsibilities. It is important for boards to be sufficiently attuned to the risks in order to navigate the cybersecurity landscape and respond appropriately when a breach occurs. In 2018, guidance issued by the SEC clearly showed that accountability extends to the board. The SEC observed that “disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility.”

Defense Mechanisms

In this increasingly complex and chaotic environment, it is necessary to establish a more robust framework for managing risk. Best practice organizations focus on three key elements: people, process and technology.

At the board level, the people part of the equation is all about establishing a cultural framework that focuses on security. This requires communication up and down the organization, as well as ongoing education and training. Yet, it also requires an understanding of how the board, senior level executives and others use, manage and exchange documents and data.

Process is all about rules, regulations and oversight. The board has a responsibility to help ensure that the enterprise focuses on the appropriate risks, particularly since organizations’ cybersecurity costs have reached unsustainable levels. It is important to recognize how different groups work and to give them the autonomy and flexibility to get work done while still addressing cyber risk.

Technology involves putting the right systems in place to automate processes and make them smarter and more effective. It is the mechanism for enforcing rules and procedures, as well as detecting threats.

Strategy Is Key

A lack of attention to any of these three factors will inevitably lead to gaps, glitches and breakdowns. Just as a three-legged stool will wobble if the legs are uneven lengths, a cyber risk strategy will wobble—and perhaps collapse.

When organizations effectively balance people, process and technology, it is possible to establish a synergistic framework that fully supports cybersecurity. It becomes easier to match risk objectives with tools, workflows and cultural components that lead to a best practice approach to cyber risk governance.

10 Board-Level Cyber Risk Best Practices

1. At least one or two board members should have a solid understanding of cyber risk and cybersecurity. All directors should possess a basic understanding of the issues and leverage educational opportunities to stay current on evolving threats and tools.

2. Build a robust communication channel between the board, CEO and key senior executives, such as the CIO, CISO and CSO.

3. Ensure that an efficient framework is in place to inform the board immediately upon the discovery of any new cyber risks or an actual breach.

4. Use dashboards to communicate cybersecurity performance and to evaluate the extent to which strategy and cyber spending are aligned with risks.

5. Make cybersecurity a regular agenda item, allocating sufficient time to questions and debate on cyber risk topics. Invite internal and external experts to present to and advise the board.

6. Identify best practices among the leaders who are successfully implementing and executing sustainable strategies to stop, find, fix and mitigate cyber threats.

7. Seek independent assessments of the current cybersecurity framework to identify and address weaknesses.

8. Establish high-level metrics to evaluate the organization’s cyber risk and cybersecurity protocols and strategy.

9. Establish a board committee dedicated to cyber risk oversight.

10. Organizations and their CISOs should regularly engage with law enforcement, industry peer groups and government.