This is part two of a three-part series about developing a cybersecurity governance lifecycle that provides coverage, balance, effectiveness, efficiency and assurance. Because clear boundaries between governance roles are so important, this series explores the cybersecurity governance lifecycle in the context of enterprise governance and strategy. This post explores the role of the senior leadership team in cybersecurity governance and discusses how cybersecurity leaders can support the success of the senior leadership team in governing cybersecurity. Next, we look at the role of the board.
Cybersecurity governance should go beyond managing cyber risk — it should clarify the outcomes expected from program activity and establish clear boundaries of responsibility among cybersecurity practitioners, senior leaders and board members. Senior leaders at many organizations have recently found themselves pulled into tactical cybersecurity matters when their organizations experience actual cyber threats. These tactical distractions limit senior leaders’ ability to perform the strategic responsibilities of their designated roles. While this phenomenon is likely to continue, cybersecurity leaders can help reverse this blurring of roles by equipping senior leadership teams (SLTs) with questions and expectations that will help promote the SLT’s proper role in cyber governance.
Some SLTs are still defining their strategic roles in cybersecurity governance. When senior leaders don’t ask these top-level questions, cybersecurity leaders can volunteer the information anyway, to enhance communication and support clarification of the SLT role.
Is the right cybersecurity program operational?
The dialogue starts with the most foundational question the SLT might ask: does the organization have a proper cyber governance program? While many cybersecurity teams are likely to respond that they do have viable cyber governance programs, we have found that many governance programs are under-invested or leverage outdated approaches that are not in line with the needs of the organization. To affirm the operation of a robust cyber governance program to the SLT, cybersecurity leaders could indicate they’re operating a program that’s in line with the practices described in the first post of this series.
Does the cybersecurity program align with and support the organizational strategy?
The SLT will also want to confirm that the cybersecurity program demonstrates alignment with organizational strategy and that there is awareness of how the strategy will impact cyber risks for the organization. The program should understand and respond to the risks that are relevant to the business in question. This means clearly articulating how the cybersecurity program is adapting to address risks related to the strategy, but also clarifying for the SLT how achieving the strategy will impact the risk profile of the organization. Specifically, SLTs should be assured that the organization has a full understanding of its risks including business, geopolitical and regulatory risks. A clear and ongoing dialogue should exist with cybersecurity leaders about corporate culture and the organization’s risk tolerance. This dialogue should also include assuring a strong understanding of the organization’s risk profile and how the industry the organization is part of drives part of that risk profile. (The inherent risk profile of an organization that provides components of critical infrastructure, for example, will differ from those of a garment manufacturer. Both will have external and internal threats, but their prevalence and impacts could be different.)
Clear linkages between business-critical processes and their supporting systems, and the risks associated with the organization’s strategy, are an additional indicator of alignment to organizational strategy. An organization’s systems support, automate and create resilience around its key business processes. Prioritizing security for critical business processes and the systems that support them demonstrates the cybersecurity program’s alignment with business strategy. With a risk-based approach, the security of every system matters, but a system’s proximity to business-critical processes establishes its priority. (Systems that participate in revenue generation, for instance, or that house customer and client information, warrant a higher priority and potentially higher levels of protection in a risk-based cybersecurity program.)
Is the cybersecurity program effective?
After determining the right kind of cybersecurity program is operational and aligned with the organization’s strategy, SLT members will want to ask for information about these program elements to confirm the cybersecurity program is effective (alternatively, cybersecurity leaders can volunteer this information):
- Does the program make use of a reputable framework, like the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF)? Adherence to established and reputable frameworks, such as NIST CSF or one of the others outlined in this blog post, ensures cybersecurity leaders follow standard guidance to organize their programs and the controls that exist within them.
- Is the program mature? Assessments of program maturity demonstrate a program’s strength and its alignment to a known framework. SLTs learn to look for alignment to organizational strategy and assurance that controls are effective.
- Are key risk and performance indicators regularly produced and tracked? Some cybersecurity programs provide a summary of all available cybersecurity metrics to their SLTs. Metrics are more effective, however, when they tie tactical controls to the organization’s known risks. For example, one financial services organization had a known risk related to system availability. Security experts determined that patches to systems were not implemented in a timely manner and recognized that as the root cause of excessive system downtime. The tactical control metric tied to the known “system availability” risk, therefore, was mean time to patch. The SLT soon learned that timely patching led to improved system uptime. They gained an interest in tracking not only the system availability metric but also the mean time to patch metric, as a way to ensure tactical controls kept system availability stable and improving.
- Are controls effective and sufficient? Control efficacy demonstrates that controls are in place and operating; control coverage ensures they encompass all known risks. Assuring efficacy and coverage involves multiple lines of defense, starting with evaluation of the security program’s operations. Assurance also includes confirming that controls are aligned to regulations that are meaningful to the organization (such as Sarbanes-Oxley and Payment Card Industry standards), as well as conducting appropriate audits to test coverage and efficacy of controls. Reporting the results of audits and control testing, and tying any control testing failures to risks, will help the SLT better understand the importance of the controls and assure them that controls are operating.
While SLTs will continue to experience distractions related to tactical cybersecurity matters, cybersecurity leaders can help them perform well in their cyber governance roles. Even when SLT members don’t ask, cybersecurity leaders can guide development of clearly bounded roles by furnishing the cybersecurity program information that will help SLTs govern cybersecurity effectively.