Cybersecurity: A Shared Responsibility

November 26, 2021

That is the title of an article ISACA published this month.

It is a high-level, non-technical piece that makes a lot of sense. I like it and you may as well.

To put it in context, I was reading earlier in the week (sorry, I can’t find the article to share) that investments in cyber were flat and not being given a priority by management.

Clearly, there is a growing disconnect between the levels of risk seen by practitioners responsible for cyber and their more senior management.

This article won’t solve that, but it does have some sensible things to say.

Everything starts from the top: C-suite executives and the board. They are responsible for every business decision, so why do they often try and wash their hands of anything cyber?

In my experience, the answer is fear and uncertainty. Executives, either due to lack of technical understanding or complexities in technological solutions, feel overwhelmed or maybe incapable of addressing cybersecurity issues. However, without management’s buy-in, cybersecurity experts have a tough road ahead of them to protect the organization from threats.

As CISOs and other security leaders, our first task is to simplify the cybersecurity language into something most people understand, including the C-suite and the board.

In Making Business Sense of Technology Risk, where cyber is the primary focus, I emphasize the need to talk about the possible harms from a breach in terms that make sense to management: how a breach could affect the achievement of their objectives. I don’t think translating the effects of a breach into either dollars or (and this is meaningless to business leaders) the “effect on information assets” is convincing or effective in communicating the level of risk.

Rather than executive “fear and uncertainty”, I believe the CISOs have not made the business case for additional investment, especially when scarce resources are needed elsewhere.

They need to have a better appreciation of how a breach may, or may not, affect the likelihood of achieving their objectives.

This requires a business impact analysis to understand the business risk, not reliance on consultants, surveys, or news headlines.

As the article says:

When a cybersecurity program is based on risk, everyone from top management to operational teams can relate it to their daily job duties and incorporate the requirements within their processes.

Utilizing a risk-based approach allows the organization to focus on what is critical and most important (not everything!). This allows the top management to prioritize programs and activities appropriately.

All frameworks inherently rely on risk identification, analysis, and mitigation for building a cybersecurity program, whether ISO, NIST or others. Even regulations such as the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act (HIPAA) emphasize a risk-based approach for privacy and security by design.

I am a strong believer that organizations should invest in cyber commensurate with the risk to their success (usually measured in terms of achieving the objectives set by management and the board for the period).

I like the discussion of metrics to measure effectiveness of awareness, and the author’s closing:

Cybersecurity success is reliant on contributions big and small from everyone in the organization. To summarize:

  1. Cybersecurity is a shared responsibility for everyone and starts from the top.

  2. Get top management buy-in to ensure everyone is onboarded on the requirements.

  3. Success of any program and shared responsibility depends on good communication and awareness.

  4. Measure the programs as a whole and each step of the program.

I welcome your thoughts.

  1. John Fraser
    November 26, 2021 at 7:43 AM

    So what do you do when the Audit Committee shows no interest despite explanations and high risk ratings and management has been happily patching every SIX MONTHS??? Just asking.

    • Norman Marks
      November 26, 2021 at 7:57 AM

      John, I would consider whether they have the information they need to assess the situation properly. If all they have been given is a report that says the risk is high, but no explanation of what that means to the business and its objectives, I would work with management to help them talk in business terms. However, if they have the information they need and have still decided that there are higher priorities, I would accept that.

