The board’s purpose is to successfully direct the company’s affairs and meet the needs of shareholders and stakeholders. We believe that getting the following seven things right helps to establish effective cyber governance and lays the foundation for a good security culture.
Countless articles, white papers, and conference presentations opine that ‘cyber security is a board-level issue.’ That’s true. Company governance is the responsibility of its board of directors. The financial impact, regulatory penalty and reputational damage for those who don’t demonstrate good governance can be significant.
Just saying it’s a board-level issue isn’t helpful
The statement alone, though, is unhelpful. The board doesn’t need to understand the nuances of Endpoint Detection and Response versus a Security Operations Centre, nor the inner workings of the MITRE ATT&CK framework (and as a board member, you don’t either), but they do need to know: are the right things being done to best protect shareholder interests?
Analysis of 28 major cyber breaches has shown that these companies underperformed by 1.65% compared to the market. We propose this is symptomatic of poor governance generally across these organisations. Following a breach and the inevitable ‘shake-up’ of organisational scrutiny, those companies go on to outperform the market by 0.48% in the following six months.
The lesson is simple: don’t defer taking an active approach to cyber governance. It is a crucial part of running a healthy, resilient business.
Security reporting is often inwardly focussed
While this lesson is simple, acting on it can be challenging, especially when magnified across a portfolio, be it the result of a regional or federated business model, or when managing an investment portfolio. Getting a standardised view can be extremely difficult.
Often a maturity assessment is used to demonstrate security posture, and improvement, to the board. This may be accompanied by operational data on vulnerabilities, patch status and incident volumes. These are all useful data points within the security team. They lose their meaning when used for other purposes because the audience lacks context.
This draws the conversation down from strategic oversight to day-to-day operational level. The bigger picture is lost.
A better way, then, is to frame the question as: how effective is our cyber governance?
To do that we need to elevate our interest and look properly at governance itself, rather than using capability maturity, or the number of incidents, as a proxy for it.
By improving the way we govern, we’re also setting the right culture and demonstrating the right behaviours that will cascade down throughout the organisation. This builds resilience into our business, not just within today’s context and capabilities, but in the ability to take appropriate decisions into the future.
For organisations seeking to transform their business, this means their security posture will stand a much better chance of remaining in step: not only sustaining current value (where traditional security practices focus), but also improving and enabling future value generation.
This is why, when engaging in transactions to buy or sell a company, we believe the effectiveness of cyber governance is by far the most important thing to understand.
Creating the right culture
Effective governance means creating an environment where the correct challenge is applied and decisions are being made. That doesn’t mean double-checking or scrutinising every decision. Far from it.
Taking an active interest and adopting these principles promotes a positive approach to security that eschews fear, uncertainty and doubt, and self-destructive behaviour.
Use a common language
First and foremost, whilst you don’t need to understand the inner workings, you do need to be able to talk about them. It’s foundational to understanding, and therefore to making, informed decisions. If you find yourself using, or hearing, terms like threat, vulnerability and risk interchangeably, chances are you’re not using a common language, and you’ll have reduced your effectiveness by not doing the right things at the right time. You may have existing methods for managing other aspects of business risk. Ask yourself, and the team: how do we understand each other?
Trust and reward decision making
Because you cannot understand all the inner workings, it is important to build trust between the board and security leadership (and onwards through management and operational teams). Security paranoia creates bottlenecks, exacerbates resource constraints and can lead to ‘analysis paralysis.’ You will never be able to eliminate risk (whose partner is reward, after all!). Ask yourself: who is taking responsibility?
Challenge assumption
“Assumption is the parent of vulnerability” is a saying we use regularly at Cydea. Assumptions largely occur in the absence of a common language. Things go unsaid, and they are rarely what every party involved intended. Remember that it is OK to ask: what are we defending?
Focus on the outcome
It is easy to get sucked into the details, and that requires a greater understanding of the specifics. Keep attention on the outcomes. Control implementations will likely need tuning, so set baselines and track performance. Ask: how effectively is risk being managed?
Keep pace
Cyber security issues evolve rapidly, and the fidelity of your awareness and the quality of your decisions will be set by the frequency with which you review them. Look at the frequency of other business governance throughout the organisation. Finance likely produces monthly accounts. Programme management may have a cadence of daily, weekly and monthly governance. Seek to understand the cross-functional links and match them. Ask: how often is frequent enough to review our risk?
Prioritise and optimise
It’s unlikely that you will have more resources than you need, so it is important to prioritise their use. Over time, the trust instilled from principle two should begin removing bottlenecks (and avoid your governance becoming one!). Seek out the most costly activities (in financial or time terms) and then ask: where are our resources allocated, and where are our greatest areas of risk and concern?
Promote incremental improvement
Large programmes often take a disproportionate amount of time compared with the incremental improvements that sustain, or even improve, the value being generated by the business. Incremental improvements help you to improve your posture and achieve ‘more for less.’ Of course, risks will still become issues (or incidents). Get to the bottom of repeat occurrences and reconsider how you have prioritised. Ask: why is this issue happening regularly?
Adopting these seven principles encourages the right oversight and is crucial in demonstrating to shareholders and regulators that appropriate action is being taken.
Better than that, by instilling the right culture at the top level of governance, you’ll promote the security culture, and demonstrate the risk tolerance, that you want throughout the organisation.
Has this helped you consider your own cyber governance arrangements? Do you think we can apply some incremental improvements to these principles themselves? Can we help you to reinvigorate your own approach? Drop us a line and let us know.