Embedding cyber security into your structure and objectives
The role of cyber security is to enable the organization's objectives and, increasingly, enable competitive advantage. It should be adding value to your organization rather than hindering progress. This requires a positive cyber security culture and appropriate investment and management of cyber security.
What should the Board do?
Integrate cyber security into your organization's objectives and risks
There are two reasons why this is so important.
Firstly, cyber security affects every aspect of your organization. Therefore, to manage it properly, it must be integrated into organizational risk management and decision making. For example:
Operational risk will likely be underpinned by cyber security because of your reliance on the security of the digital services you use (email services, bespoke software, etc.).
Some legal risk will be tied in with cyber security risk (such as contractual requirements to protect data or partnerships, regulatory requirements to handle data in particular ways)
Financial risk is impacted by cyber security (such as money lost through fraud enabled by cyber, revenue lost when services are taken offline by cyber attack)
Good cyber security will also allow you to take some risk in using new technology to innovate. An overly cautious approach to risk can lead to missed business opportunities or additional (and unnecessary) costs.
Secondly, cyber security needs to be integrated for it to be successful. Good cyber security isn't just about having good technology, it's about people having a good relationship with security, and having the right processes in place across the organization to manage it.
For example, in order to protect against an attacker accessing sensitive data (whilst ensuring that only those with a current and valid requirement can see it), you will need:
a good technical solution to storing the data
appropriate training for staff handling the data
a process around managing the movement of staff, aligned with access management
Reflect this in your structure
Don't leave it to one person; cyber security is the responsibility of the entire Board.
A cyber security incident will affect the whole organization, not just the IT department. For example, it may disrupt online sales, damage contractual relationships, or result in legal or regulatory action. There should be sufficient expertise within the Board to provide direction on cyber security strategy and to hold decisions to account. However, every member of the Board needs enough understanding of cyber security to see how it affects their own area of focus, and to understand its broad implications for the organization as a whole.
Engage with your experts
Consider whether your reporting structure gives the Board the engagement with cyber security that it needs. If the CISO reports to an intermediary to the Board whose focus is only one aspect of the organization, be that finance, legal or technology, this can hinder the Board's ability to see the wider implications of cyber security. In the majority of organizations the CISO now reports directly to the Board.
A good place to start on improving cyber security in your organization is to consider the communication between experts and members of the Board. Getting the structure right can help, but we also often see a reluctance from both parties to engage, because:
technical staff think that the Board won't understand them
the Board think that the technical staff are unable to explain the issues in the context of the strategic aims of the organization
Improving the communication between these two groups requires effort from both sides:
Boards need a good enough understanding of cyber security that they can understand how cyber security supports their overall organization objectives.
Technical staff need to appreciate that communication of cyber risk is a core component of their job, and ensure they understand their role in contributing to the organization's objectives.
What does good look like?
The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes 'good' cyber security in terms of embedding cyber security into your structure and objectives.
Q1. As a Board, do we understand how cyber security impacts upon our individual and collective responsibilities?
You might want to consider
Does every Board member have enough expertise to understand the potential impact and value of cyber security?
Is there someone responsible for delivering the organization's cyber security?
Who is responsible for oversight of cyber security?
Have we been clear about what information both the Board and our wider stakeholders need?
Q2. As an organization, who currently has responsibility for cyber security?
This could be a person or a function, e.g. an audit committee. You might want to consider:
How they engage with the Board - do they report directly to the Board or do they fit into another reporting process? Does this encourage the Board to actively participate in discussions on cyber security?
What their objectives are and who sets them - do these objectives drive cyber security to be an enabler for the organization?
Do they have access to all the people they need to ensure effective cyber security? This could be simply the resource required to meet your cyber security objectives, but it could also be the teams they need to be linked in with, e.g. HR, policy, finance.
Q3. As a Board, how do we assure ourselves that our organization's cyber security measures are effective?
You might want assurance that
The organization is employing an appropriate suite of technical assurance activities and the output of this is conveyed in a meaningful way to the Board.
Threat assessments and defensive priorities are regularly reviewed and defensive measures updated accordingly.
The focus of your cyber security measures is aligned with the risks you have identified and prioritized.
Q4. As an organization, do we have a process that ensures cyber risk is integrated with business risk?
An example of this would be where a risk from one part of the organization has been balanced against a risk from another. For example, an organization may assess that introducing a Bring Your Own Device (BYOD) policy brings substantial benefit in terms of flexible working. As part of the case for change, including assessing the business risk of not implementing a BYOD model, you would also want to:
Assess the increase in risk associated with the increased number of devices connected to your network.
Assess the risk associated with not owning, and therefore not being in control of, devices connected to your network.
Consciously balance the business risks and benefits with the technical risks and benefits of BYOD.
Consider other models, such as Corporate Owned, Personally Enabled (COPE) and compare the risks and benefits.
Assess the suitability of planned security measures to ensure that they support rather than constrain the aims of flexible working.
In this example, the cyber risk of introducing the new service (BYOD) has been integrated into the business risk. Those who are accountable for a service should be receiving the best possible advice, so that they can clearly balance cyber risks with other risks (and benefits) in their decision making.