It's an organizational risk, not an IT risk.
Cybersecurity is often viewed as an IT risk.
If I could shout it from the rooftops, I would announce that cybersecurity is not an IT risk but an organizational risk.
The traditional thinking is that executives tell IT to “make everything work,” and if the process fails, it's IT's fault.
The old IT paradox runs, “Everything is working fine, so what are we paying you for?” and “Nothing is going well, so what are we paying you for?” This is a zero-sum mentality that leaves IT with little power and great responsibility.
Leadership issues
The root cause of security issues is always a senior leadership issue. It could be an issue with the org chart. Perhaps the information security officer reports directly to the chief information officer, and security efforts take a backseat to standard IT.
The security department should report directly to the board or CEO and have its own budget. This won't eat into your IT department's budget.
Leaders may believe that remediating vulnerabilities is a one-and-done problem, when in fact it is a permanent process of cyber hygiene, like lifting weights or brushing your teeth. Stop demonizing staff for the same kinds of real-world vulnerabilities you see in the news.
Business continuity and crisis management are the responsibility of senior management. IT and cyber staff should have a seat at the table, but the responsibility should not simply be thrown at their feet.
In some cases, it may be a training or job-related issue. Unfortunately, in many small businesses, IT personnel may have traditional IT skills, but there's nothing in their job description about resilience, alerting, or monitoring.
The bottom line is that IT risk is only one part of an organization's risk landscape.
Board questions
Many frameworks require boards to be informed and involved in cybersecurity decision-making.
Evidence and artifacts that examiners and auditors may consider include minutes of meetings that address security concerns.
Here are some examples of questions the board might ask the chief information security officer or representative.
- What are the potential cyber threats to your organization?
- Who is responsible for assessing and managing the risks posed by changes in business strategy or technology?
- Are responsible individuals authorized to carry out these responsibilities?
- How often do you perform cybersecurity risk assessments?
- What are the areas where the institution has the highest inherent risk?
- What third parties does the institution rely on to support critical activities?
With boards asking these questions, there may be an issue of insufficient cybersecurity expertise at the board level. Corporate boards may need to adjust their composition to provide sufficient oversight and lead meaningful discussions about both cyber and enterprise risks.
The point here is not that boards should demand 100% security; that is impossible and counterproductive.
Rather, security teams should not be pushed to the side, and everyone involved should have open and honest conversations about the state of the organization's security posture.
The security team should be able to provide recommendations on how to strengthen the security strategy, and leaders should work together to outline security-related goals that align with company goals.
If your security team doesn't feel comfortable sharing such information, you need to reassure them. Gone are the days when people could sit in their basements and tweak firewall rules. The details may be arcane, but the results are not.
Brandon Blankenship is the Chief Information Security Officer at ProCircular, a cybersecurity evangelist, and a board member of SecMidwest, a community advocacy and cybersecurity education group. Contact: bblankenship@procircular.com