
WHY IS CYBER SECURITY GOVERNANCE FAILING?


Organizations that place a premium on good practice now give more importance to ‘cyber security governance programs’ than ever before. They have set out elaborate programs to grapple with the increasing threat of breaches. Yet most organizations struggle to implement cyber security governance in spite of having clearly defined policies. Is there something inherently wrong with the governance program? Or is there some weakness on the management side? The fault lines are hazy and unclear.

Governance vs. Management
That brings us to the basic question of the difference between governance and management. Most professionals erroneously believe that ‘governance’ is just another word for ‘management.’ A direct consequence is that the professionals assigned to formulate governance policies and the managers responsible for implementing them are unable to define their distinct roles and responsibilities clearly. The misconception leads to grey areas where responsibilities and functions overlap, creating chaos.

The environment that results from this situation is never conducive to work; organizations suffer and end up being a liability.
Contrary to the popular concept, ‘governance’ is all about strategy, the setting of goals, the framing of policies and the definition of accountability mechanisms. In contrast, ‘management’ relates to the practical implementation of those goals. In other words, ‘governance’ answers questions beginning with ‘what?’ For instance, ‘What is the goal of the organization?’ or ‘What should the organization become in future?’ ‘Management’ answers questions beginning with ‘how?’ For example, ‘How should the policies be implemented?’ and ‘How should the organization attain its goals?’ The trouble starts when professionals do not have a clear concept of the role each of these has to assume.

Colossal Losses
Corporate leaders accept that today’s digital economy demands a great deal of maturity in cyber security, and mature cyber security has become an essential element of success. In spite of that realization, most leaders at the top lack the insight and the will to take the steps that would build confidence among employees across the organization.

This state of affairs has meant colossal losses around the world, simply because something is lacking on the governance and management side. Until 2015, cyber crime incurred annual losses approaching $3 trillion. That figure has since doubled to $6 trillion, and there are no signs of it abating. Add to it the ‘crisis of confidence’ witnessed everywhere, and the scenario develops into a grim profile. According to a recent survey, more than 87% of C-suite professionals and board members believe that their enterprise’s cyber security capability is inadequate.

That raises the question of how leaders and managers can restore confidence and bring peace of mind to the workplace. The challenge is to make sure that every employee is aware of, and understands, the mitigation efforts for cyber risks. Only board leaders

A Glance at CS Evolution
Cyber security depends largely on technology, processes and people. None of these aspects in isolation is sufficient to mitigate threats. For instance, technical measures such as passwords, firewalls and biometrics alone can hardly ensure a safe environment. Processes, including user registration and de-registration, are not sufficient either. Nor are the people aspects, which may include compliance, training and leadership. A suitable mix of all three is required to ensure adequate cyber security.

Cyber security has undergone evolutionary phases of development. Today it is people-centric and governance oriented.

In the beginning, which we may call the first phase, the reliance was on technological means of providing security. But time and exposure taught that management is also vital. Furthermore, the involvement and interest of top managers, the board members in particular, is an absolute must. This realization led to the second phase, when cyber security was integrated into the organizational structure. Both areas of focus have remained constant ever since cyber security has existed as a distinct function within organizations.

But the evolution of CS did not end at the second phase. More experience and more knowledge gathering led to the further conclusion that other factors needed attention. The human element emerged as the primary risk to cyber security. Therefore, in the third phase, a conscious attempt was made to incorporate cyber security practices, from the trivial to the essential, into everyday office routine. These tasks would eventually become part of an employee’s way of life, so that the practices became innate behaviour and no conscious effort was required to perform them. In essence, a culture was infused and encouraged to pave the way for a more dynamic role for cyber security.

Later on, the role of executives and the top leaders of organizations came into focus. It was realized that executives are the ones with the authority not only to provide guidelines but also to implement rules that cultivate a culture in which cyber security is given the importance it deserves. This constitutes governance, which represents the manner of enacting cyber security practices to reduce the threat of attacks.

Price Waterhouse Coopers recently conducted a survey focusing on cyber attacks. The survey revealed that technology was generally found to be in order, whereas human error was the main cause of breaches. Human interaction with technical controls can create serious threats of fraud, and PwC suggests creating a culture in which security practices are an integral part of organizational routine. The survey leads to the final conclusion that good cyber security governance is imperative to mitigate risks in organizations.

Understanding Governance
Cyber security governance is all about a set of rules designed to control the creation, management, storage and disposition of information within an organization. Everything from paper files, phone records and voicemails to emails, spreadsheets, word processing documents, presentation files, databases and other electronically stored information falls within the domain of CS governance.

As far as definition is concerned, this description seems appealing. It sets out the goals and roles but says nothing about how to achieve them. The key thing to note, however, is that governance has become ineffective and is falling short of the desired goal.

Experts believe that instead of treating cyber security governance as a single entity, it is better to create a framework that provides a holistic view of all the factors influencing the entire exercise of creating and managing data assets. These may relate to compliance, risk, legislation, regulation and general business.

Addressing Governance Issues
After recognizing that governance is failing, board members and the top leaders of organizations are forced to find ways to address the problem. Researchers have identified several best practices that can alter the status quo and bring about positive change in cyber security governance. Here are seven significant ones:

1. Creating a Cross Functional Team.

Cyber security governance must encompass all areas of the organization, including compliance, risk management, data privacy, HR and the other business units. The involvement and active participation of all these departments is essential at the planning stage to determine a strategy that translates into a successful cyber governance program, something that is ultimately responsible for the growth and success of the organization.

2. Conducting an Audit, Building an Inventory.
Before setting up a cyber security framework, organizational teams must take stock of the data the organization possesses. Once they have a holistic view of the data, the time is ripe to build a data inventory. This is the most vital component for the success of any governance program.

3. Assessing Requirements for Data Retention.

Organizations hold huge volumes of data. Some of it must be retained for an extended period of time, while the rest is needless and should be safely deleted. This process helps to reduce the threat of consumer data breaches.


5. Training Employees.
While board members and top executives define the cyber governance policies and implementation principles, the true success of an organization depends on its employees, from the top tier down to the lowest rank of workers. If the principles and rules of governance are not instilled in every employee, the ship is rudderless and directionless. Employees should have true knowledge of their scope of work, how the processes function and the critical tasks that ensure success. They should fully understand the governance frameworks and make them a part of their daily routine. And they should be conversant with the technology that will help them perform their duties efficiently.

6. Necessary Follow-up.
Writing down governance policies, setting priorities and training employees to stick to the principles isn’t enough. These measures rarely, if ever, elicit 100% compliance. Random checks and corrective steps, including periodic audits of employee compliance, have to be carried out. At times, a carrot and stick strategy may also be adopted to enforce the principles set out in the ‘cyber security governance’ document.

7. Measuring Results.
Before implementing CS governance principles, every organization must define metrics that align with the large volume of data stored in its systems and with the organization’s objectives. These metrics will be a great help in quantifying individual performance, and through this information an organization can
