CYBER SUNDAY: Set the tone at the top for cybersecurity
It’s an organizational risk, not an IT risk
Cybersecurity is often seen as an IT risk.
If I could sing it from the rooftops, I’d announce that cybersecurity is an organizational risk, not an IT risk.
A legacy mindset might be that the C-Suite tells IT to “make everything work,” and if a process fails, then IT is at fault.
The old IT trope is that “Everything works, so what are we paying you for?” and “Nothing works, so what are we paying you for?” It’s a zero-sum mindset that puts IT into a position with very little authority, and massive accountability.
Leadership issues
The root causes of security issues are always senior leadership issues. It could be an org chart issue. Perhaps the information security officer reports to the chief information officer, and security initiatives take a back seat to standard IT.
Security should report directly to the board or CEO and have its own budget, which is not perceived as cutting into IT’s budget.
Sometimes leadership believes that fixing vulnerabilities is a one-and-done issue when it’s really a permanent process of cyber hygiene, like lifting weights or brushing your teeth. Let’s not demonize staff for vulnerabilities in the wild that we saw on the news.
Business continuity and crisis management are C-suite responsibilities. IT/Cyber should have a seat at the table, but that’s not something to throw at their feet.
Sometimes it’s a training or job duties issue. Unfortunately, in many small businesses, the IT person might have some traditional IT skills, but nothing in their job description addresses resiliency or alerting and monitoring.
The bottom line is that IT risk is just a component in the organizational risk landscape.
Board questions
Many frameworks require that the board of directors is informed and involved in cybersecurity decision-making.
The evidence and artifacts that an examiner or auditor might be looking at would be meeting minutes referencing security concerns.
Here are sample questions a board might ask its chief information security officer or delegate:
- What are the potential cyber threats to the institution?
- Who is accountable for assessing and managing the risks posed by changes to the business strategy or technology?
- Are the accountable individuals empowered with the authority to carry out these responsibilities?
- How often do we conduct cybersecurity risk assessments?
- What are the institution’s areas of highest inherent risk?
- What third parties does the institution rely on to support critical activities?
Now that your board is asking these questions, you might have the issue of insufficient cybersecurity expertise at the board level. Corporate boards might need to adjust their composition to have sufficient oversight and to lead meaningful discussions on both cyber and enterprise risk.
The central issue here is not that the board demands 100 percent security because that’s impossible and counterproductive.
Your security team should not be relegated to the corner, but rather all concerned should have an open, honest conversation about the state of your organization’s security posture.
The security team should be able to provide recommendations on how to enhance security strategies, and leadership should work together to outline security-related goals that align with the company’s goals.
If the security team is uncomfortable presenting such information, then it needs to get comfortable. Gone are the days when folks could sit in the basement tweaking firewall rules. The minutiae might be esoteric, but the results are not.
Brandon Blankenship is the chief information security officer at ProCircular, a cybersecurity evangelist and a board member of SecMidwest, a community outreach and cybersecurity education group. Comments: bblankenship@procircular.com