Governance, Accountability and Ownership of Cybersecurity

In businesses, large and small, cyber anxiety is reaching epidemic levels. With crippling breaches, damaging fines, internal and external threats and careers on the line, CEOs need to champion effective cyber leadership. But what exactly does that look like?

The short answer is that cyber leadership looks like teamwork and feels like a culture of awareness and shared responsibility that travels right to the end of the organisational chart and back again. But short answers tend to disguise layers of knotty complexity.

Questions about who ‘owns’ cybersecurity are alive and kicking. We know the issue needs to be owned by the CEO and board of directors because they’re most likely to be sacked or fined if their company’s acts or omissions lead to a costly cyber incident. IT directors need to own it because they are responsible for procuring clever bits of tech. And given the role of employees in accidental or deliberate data leakage, HR must own their bit of the cybersecurity jigsaw too.

If that’s not complicated enough, we blur terms such as leadership, ownership, responsibility and accountability. And power-play between IT directors, data security managers, heads of HR and others leads to a fight for budget and a flight from responsibility that potentially constitutes a cyber risk in itself. So how can CEOs determine the best way forward?


Governance, accountability and ownership

Effective cyber governance is about:

  • strategy and vision
  • policies, procedures, structures and systems
  • culture
  • allocation of resources, and
  • monitoring and managing risk

This process often starts with an audit of sensitive information: where it’s stored and how it can be protected, who has access and how that access is controlled, what third parties share the data and how it travels from A to B.

What’s often overlooked is the CEO’s role in supporting the board to take ownership of cyber resilience. This is absolutely essential in order to create an innate, positive and consistent data security culture. A board toolkit, published by the UK’s National Cyber Security Centre (NCSC), helps company directors to prioritise, resource, manage and review risks. Another excellent resource is the NCSC’s 10 steps to cybersecurity.

But a word of warning. The EU directive on the security of Network and Information Systems, brought into UK law in May 2018, takes aim at organisations responsible for critical national infrastructure that fail to manage risk. It’s just a matter of time before similar measures, including hefty fines and remediation orders, cascade down the line to those in the national infrastructure supply chain. The rules have been changed and the trajectory has been set. It may be worth reviewing your policies and boardroom processes now.


Leadership and ownership

Leadership isn’t about controlling everything. It’s about:

  • creating and communicating a strategic vision
  • translating that vision into reality through culture change, and
  • trusting skilled managers to deliver the vision

This brings us to the heart of the question of how CEOs determine who owns cyber resilience.

In my opinion, you can only own what you can control.

A key role of the CEO in this respect is to allocate appropriate ownership to relevant managers and to ensure those managers have the skills, support and space they need to do their job. That turf war between the CFO and directors of HR, information security and IT might well mean that ownership has been misallocated or misunderstood or that the boundaries for each specialism haven’t been clearly set.

The CEO is the link between the board and management. Their leadership role includes communicating the strategy, defining operational priorities and ensuring that the plans developed by each manager achieve their objectives. This is how the cybersecurity culture initiated at board level is shared and becomes embedded.

Helpful principles for cybersecurity leadership are available in the calls to action laid out in ESI ThoughtLab’s Cybersecurity Imperative summary.


Management, responsibility and ownership

Management is about:

  • taking responsibility for specific areas of delivery
  • communicating and delegating tasks
  • planning and problem solving, and
  • ensuring delivery

The precise division of responsibility will differ depending on the size of the organisation and the experience and skills of staff.

With their insight into overall business objectives, the CEO may be best placed to coordinate action and lead the response to a breach, including communicating the impacts to the regulator and the board. However, cyber resilience is a team sport. I strongly believe that one of the most proactive and effective things a CEO can do is to give the right people the right tools for the job and let them get on with it.

The CIO and CISO should own the part of the process that deals with presenting facts, reports and data about the impact of a breach and lessons learnt. The ownership of systems and fixes will come down to the IT lead. HR will ensure staff are adequately trained. They will also handle action through one-to-ones, further training or disciplinary action, where reports from data classification systems and phishing penetration tools identify those who persistently succumb to scams or attempt to take confidential data out of the business.

There are also clear roles for the legal team in ensuring compliance with the law, procurement in maintaining data integrity throughout the supply chain, and the communications team in shaping internal and external messaging.

The tools managers use to achieve their objectives will largely be determined by the organisation’s resources, risk profile and risk appetite. There’s technology that acts like CCTV for your computer network, software that flags up the fact that someone has attempted to download sensitive data, phishing training tools, virtual burglar alarms, mobile phone apps that enable you to make secure phone calls in the event of a hack and tracking and monitoring tools that tell you if your data is up for sale on the dark web. Whatever your budget, everyone can afford checks and balances.

Organisations that aren’t well resourced will need to be more creative. Those that can’t afford the services of short-term consultants might be able to find advisors or board members who specialise in cybersecurity. Pooling resources or collaborating with others in the same sector can also fill gaps. Lots of free advice comes in the form of readily available downloads or from organisations like the Information Commissioner’s Office, CyberAware and the NCSC.


Ownership and culture

Most organisations handle sensitive information on a daily basis. It’s the CEO’s duty to ensure that no-one in their organisation ever forgets how precious it is.

Leadership and action that embed the norms and values that make information security second nature are, in a nutshell, what it means to develop a cybersecurity culture. The seeds for that culture should be sown at board level. It should be writ large in the organisation’s cybersecurity vision and policies, procedures and practices. And no area of individual responsibility should ever sink into a silo. Engaging the wider organisation is vital: the most technologically advanced system in the world is pretty porous if staff don’t understand it or don’t really care.

In pursuit of cybersecurity culture, CEOs should:

  1. Ensure staff are trained, using penetration testing to identify weaknesses
  2. Test incident responses on a regular basis
  3. Include cyber monitoring and reporting as a standing item on the board agenda
  4. Make it easy to report a breach
  5. Learn from your mistakes…
  6. …and learn from the mistakes of others


At the end of the day, a solid cybersecurity culture can do more than protect your reputation and keep the regulator from your door: it will help you thrive in this increasingly digital world.

Peter Matthews is CEO of Metro Communications, a provider of IT, telecommunications and cybersecurity solutions to businesses.
