Are You Taking the C-suite and Board with You?
By Ian Harragan, Director at i-confidential
Many organisations think cyber security is an IT problem, but this is only partly true. It is actually a much larger, business-wide risk that needs to be managed as such.
Most company boards recognise the crucial role that cyber security plays in ensuring success. However, board members must also accept that ‘total security’ cannot be guaranteed. They need to understand that the organisation’s security risk position is aligned to the level of investment they approve – often the result of difficult decision-making.
Taking the C-suite and board on the cyber security ‘journey’ should be a key part of any organisation’s strategy, given their vital roles in both risk management and investment decisions. They are also responsible for setting the right tone that the rest of the organisation will follow.
Despite the benefits, this more engaged approach is not always straightforward. There are many challenges that organisations face but must endeavour to overcome. The senior leadership needs to have the appropriate understanding of and influence on:
1. Having a clear strategic direction with a roadmap to track progress.
2. Identifying the organisation’s key assets and processes so that decision-making and investment can be applied proportionately.
3. Managing third-party risks for those suppliers holding the organisation’s data or accessing its systems.
4. Establishing a risk appetite agenda with business buy-in, together with a costed improvement programme.
5. Receiving and responding to a robust set of metrics on an ongoing basis to keep apprised of the current security status.
6. Ensuring communications use the right risk terminology and are business friendly.
7. Creating the right security education and awareness culture across the business, including content suitably tailored for different audiences.
8. Engaging in preparing for incidents, including testing, to ensure the organisation is ready to respond if required.
With the appropriate involvement, the C-suite and board can see that all of the above are in place and will have confidence that the organisation’s cyber security is being managed effectively.
These points merely summarise a number of areas that are worthy of further focus and exploration. Look out for more thoughts over the coming weeks as we examine some of these vital security challenges in more detail.