CEO Today Magazine May 2019 Edition

Governance, Accountability and Ownership of Cybersecurity is the NCSC’s 10 steps to cybersecurity. But a word of warning. The EU directive on the security of Network and Information Systems, brought into UK law in May 2018, takes aim at organisations responsible for critical national infrastructure that fail to manage risk. It’s just a matter of time before similar measures, including hefty fines and remediation orders, cascade down the line to those in the national infrastructure supply chain. The rules have been changed and the trajectory has been set. It may be worth reviewing your policies and boardroom processes now.

Leadership and ownership

Leadership isn’t about controlling everything. It’s about:

• creating and communicating a strategic vision
• translating that vision into reality through culture change, and
• trusting skilled managers to deliver the vision

This brings us to the heart of the question of how CEOs determine who owns cyber resilience. In my opinion, you can only own what you can control. A key role of the CEO in this respect is to allocate appropriate ownership to relevant managers and to ensure those managers have the skills, support and space they need to do their job. That turf war between the CFO and directors of HR, information security and IT might well mean that ownership has been misallocated or misunderstood, or that the boundaries for each specialism haven’t been clearly set.

The CEO is the link between the board and management. Their leadership role includes communicating the strategy, defining operational priorities and ensuring that the plans developed by each manager achieve their objectives. This is how the cybersecurity culture initiated at board level is shared and becomes embedded. Helpful principles for cybersecurity leadership are available in the calls to action laid out in ESI ThoughtLab’s Cybersecurity Imperative summary.
Management, responsibility and ownership

Management is about:

• taking responsibility for specific areas of delivery
• communicating and delegating tasks
• planning and problem solving, and
• ensuring delivery

The precise division of responsibility will differ depending on the size of the organisation and the experience and skills of staff. With their insight into overall business objectives, the CEO may be best placed to coordinate action and lead the response to a breach, including communicating the impacts to the regulator and the board. However, cyber resilience is a team sport. I strongly believe that one of the most proactive and effective things a CEO can do is to give the right people the right tools for the job and let them get on with it.

The CIO and CISO should own the part of the process that deals with presenting facts, reports and data about the impact of a breach and lessons learnt. The ownership of systems and fixes will come down to the IT lead. HR will ensure staff are adequately trained. They will also handle action through one-to-ones, further training or disciplinary action where reports from data classification systems and phishing penetration tools identify those who persistently succumb to scams or attempt to take confidential data out of the business. There are also clear roles for the legal team in ensuring compliance with the law, procurement in maintaining data integrity throughout the supply chain, and the communications team in shaping internal and external messaging.

The tools managers use to achieve their objectives will largely be determined by the organisation’s resources, risk profile and risk appetite.
There’s technology that acts like CCTV for your computer network, software that flags up the fact that someone has attempted to download sensitive data, phishing training tools, virtual burglar alarms, mobile phone apps that enable you to make secure phone calls in the event of a hack, and tracking and monitoring tools that tell you if your data is up for sale on the dark web.

Whatever your budget, everyone can afford checks and balances. Organisations that aren’t well resourced will need to be more creative. Those that can’t afford the services of short-term consultants might be able to find advisors or board members who specialise in cybersecurity. Pooling resources or collaborating with others in the same sector can also fill gaps. Lots of free advice comes in the form of readily available downloads or guidance from organisations like the Information Commissioner’s Office, CyberAware and the NCSC.

Ownership and culture

Most organisations handle sensitive information on a daily basis. It’s the CEO’s duty to ensure that no-one in their organisation ever forgets how precious it is. Leadership and action that embed the norms and values that make information security second nature are, in a nutshell, what it means to develop a cybersecurity culture. The seeds for that culture should be sown at board level. It should be writ large in the organisation’s cybersecurity vision and in its policies, procedures and practices. And no area of individual responsibility should ever sink into a silo. Engaging the wider organisation is vital: the most technologically advanced system in the world is pretty porous if staff don’t understand it or don’t really care.

In pursuit of a cybersecurity culture, CEOs should:

1. Ensure staff are trained and use frequent testing to identify weaknesses
2. Rehearse incident responses on a regular basis
3. Include cyber monitoring and reporting as a standing item on the board agenda
4. Make it easy to report a breach
5. Learn from your mistakes…
6. …and learn from the mistakes of others

At the end of the day, a solid cybersecurity culture can do more than protect your reputation and keep the regulator from your door: it will help you thrive in this increasingly digital world.

Peter Matthews is CEO of Metro Communications, a provider of IT, telecommunications and cybersecurity solutions to businesses.
