Why Cyber Governance Should Be Your Top Priority

In today's increasingly complex digital landscape, where cyber-attacks are evolving faster than ever before, a new guiding principle is emerging − cyber governance.

This strategic approach transcends technical solutions, aiming to weave cybersecurity into the fabric of an organisation, aligning it with business needs and priorities.

There is a growing need for cyber governance as cybersecurity is now a major business issue, very much present on the boardroom agenda.

The financial and reputational costs of incidents like ransomware attacks and data breaches can be crippling, particularly for small businesses with limited resources. For example, IBM’s Cost of a Data Breach Report 2023 calculated the average global cost of a data breach to be $4.45m.

In addition, businesses are at risk of regulatory fines and class action lawsuits arising from cyber incidents following the emergence of cyber and data protection regulations, such as the EU’s General Data Protection Regulation (GDPR).

In a new trend, there is also potential for senior leadership to be made personally liable for security failings that lead to cyber incidents. In the US, the Securities and Exchange Commission (SEC) announced charges against SolarWinds and its CISO in October 2023 for allegedly downplaying cyber-risks while overstating the firm’s security practices ahead of the notorious supply chain attack in 2020.

Against this landscape, the concept of cyber governance has emerged. Cyber governance aims to develop a strategic approach to cybersecurity management across an organisation, in line with business needs.

This involves understanding the businesses’ risk appetite in order to prioritise security resources effectively and define cybersecurity roles and responsibilities throughout the organisation.

These principles are being pushed by governments, in particular the concept that business leaders should be heavily involved in developing their company’s cybersecurity strategy.

In 2023, the SEC issued new rules mandating that publicly listed companies detail the board’s oversight of cyber risks and their expertise in assessing and managing these material risks.

In January 2024, the UK government published a Cyber Governance Code of Practice, aiming to establish cybersecurity as a key focus for directors and other senior business leaders, on par with financial and legal risks.

Here are five essential approaches businesses need to build an effective cyber governance strategy:

1. Boost Boardroom Understanding of Cybersecurity

While there is more recognition of the importance of cybersecurity at boardroom level, many senior business leaders struggle to understand the drivers and impacts of cyber risks for their organisation. This in turn limits their ability to develop an appropriate cyber governance strategy.

There are a range of ways to boost the boardroom’s understanding of cybersecurity risks to the organisation. This includes regular meetings with the company’s CISO and external cybersecurity advisors, regular discussion of cybersecurity issues and the opportunity to ask questions.

Additionally, where possible, organisations should recruit at least one board member who has specific expert knowledge in cyber and information security to help educate the other members.

2. Cybersecurity Leaders Developing Business Expertise

Cybersecurity leaders, such as CISOs and heads of security, must develop a better understanding of business.

They need to be able to communicate security issues to the board appropriately, using style and terminology that will be understood by business leaders.

In addition, a greater awareness of business requirements and regular discussions with the board will help CISOs understand the systems and data most important to the organisation.

This will enable resources and efforts to be prioritized, keeping the organisation as secure as possible.

ADVERTISEMENT

3. Implement Best Practice Incident Response Measures

A major aspect of cyber governance is an organisation’s resiliency in the face of a successful cyber-attack. Any business can be hit by an attack, but the ability to respond effectively with minimal damage is dependent on the extent of preparations made.

An incident response strategy should clearly define the roles and responsibilities of personnel throughout the organisation when an incident strikes.

This goes beyond the security team to departments like legal, HR and communications. Regulators are making clear that these efforts should be coordinated from the very top of the business, with board members themselves assigned specific duties during incidents.

Regular tabletop exercises should be conducted to practice these processes across the entire business.

Part of the incident response planning should involve hardening and segmenting the most essential systems and data, ensuring the business is able to continue with minimal disruption during a breach.

Clear and regular communication should be made with regulators and relevant stakeholders, including clients and customers, about any potential data theft that has occurred.

4. Keep the Cyber Governance Strategy Updated

Businesses must regularly evaluate the biggest cyber-risks to them and adapt their governance strategy accordingly.

It is also important for organisations to consider the risks posed by new technologies and products being used internally, such as generative AI tools like ChatGPT.

New regulatory requirements also must be incorporated into a cyber governance strategy. In 2024, several new cybersecurity laws are set to be passed or come into force, including the EU’s NIS2 directive.

5. Cybersecurity is a Business Need – Treat it as Such

With many businesses experiencing financial difficulties during the current macro-economic environment, cybersecurity teams could be vulnerable to significant budget cuts.

ISC2’s 2023 Cybersecurity Workforce Study found that nearly half of cybersecurity professionals had experienced cyber-related cutbacks in 2023. Of these, 22% were impacted by layoffs, both first and second-hand.

Reducing security budgets and staff could result in higher financial costs in the long term, due to the business being more vulnerable to costly cyber incidents.

Businesses should resist any temptations of reducing spending in cybersecurity despite the difficult economic environment. Less staff and capabilities are likely to impact their ability to protect essential systems in the event of an incident, and make them more likely to fall foul of regulators and litigation.

Enjoyed this article? Make sure to share it!

Looking for something else?