Effective governance is key to cyber security

Responsibility for cyber security starts with the CEO, but requires the full participation of all managers to mitigate risk effectively.

American football players on field

Every player in an American football team has a role and responsibility. Success is only possible through teamwork, when everyone does their job. It is the same in many ways with cyber security: an effective strategy relies on a framework that gives all staff a part to play in protecting critical data and networks.

When malware attacks are successful, it is often because of the negligence and mistakes of employees. According to a report from IBM and the Ponemon Institute, human error was responsible for nearly a quarter of all data breaches between July 2018 and April 2019. The best way to mitigate that risk is with a holistic strategy that addresses technology, people, practices and procedures.

Importance of strong leadership

Ensuring those practices and procedures are properly maintained relies on an efficient governance model, such as the one outlined in ISO/IEC 27014. This standard defines cyber security governance as the “system by which an organization’s information security systems are directed and controlled”. It requires strong leadership from the top of the organization. Ultimately, though, it is the job of all managers to implement the relevant policies and principles in their departments. Unfortunately, senior executives in some organizations continue to believe that cyber security is a problem for the IT Department, rather than a leadership issue.

An organization’s CEO plays an important role in defining the values of an organization. He or she has the power and influence to make cyber security an important part of the organizational culture. According to Carrick and Dunaway, “employee engagement arises out of culture and not the other way around”. No matter how good the strategy, it will not work unless personnel buy into it. “Culture eats strategy for breakfast” is a saying often attributed to the management guru, Peter Drucker.

In 2017, the consumer credit reporting giant, Equifax, disclosed that cyber criminals had accessed sensitive information about 145 million people, including social security numbers, birth dates and private addresses. The CEO’s response was to attempt to deflect blame onto a software provider and when that did not work, he pointed the finger at a lowly IT technician for allegedly failing to apply a security patch. Equifax’s handling of the data breach is often cited as an example of a weak cyber security culture, where leaders do not assume their responsibilities.

Building awareness

Lack of awareness about risk issues is another sign of a weak cyber security culture. It can be easily remedied with training and capacity building activities, which should start at the new employee induction stage. For example, some organizations give every new employee an information pack including short texts, video content and interactive quizzes about cyber security etiquette. An effective induction process also provides an opportunity for assessing an employee’s existing knowledge and risk assessment skills.  

Many of these organizations also provide continuous training programmes that not only reinforce a set of desired values and behaviours, but also help employees to increase their knowledge and skills in this area. All staff usually take part, including managers, and the best courses are flexible enough to meet individual needs. In most organizations there are very different levels of skills and knowledge. Online learning is a technique that is often used as it offers the flexibility to provide beginner, intermediate and advanced options to staff with different levels of knowledge.

Online courses are a good way of providing general users with security awareness training that explains and reinforces the organization’s security policy, including such topics as best practices (e.g. file sharing), software security and incident reporting (emphasising the importance of transparency). Other possible modules might include physical device security, mobile security, especially for those on business trips or working from home, and case studies to make it real. Technical users are given access to more in-depth, role-based training modules based on the functions and processes of the organization. Again, the best programmes reinforce the importance of transparency, include case studies, and explain reporting and escalation procedures.

International standards

ISO/IEC 27014 recommends training and awareness programmes to establish a positive information security culture. The standard recommends roles and responsibilities for executive management and boards of directors in all types and sizes of organizations. The objectives of the standard are to “align security program and business objectives and strategies, deliver value to stakeholders and the board, and ensure information risks are adequately managed”. The standard defines six overarching governance principles, which are defined as “accepted rules for governance action or conduct that act as a guide for the implementation of governance”:

  1. establish organization-wide information security
  2. adopt a risk-based approach
  3. set the direction of investment decisions
  4. ensure conformance with internal and external requirements
  5. foster a security-positive environment
  6. review performance in relation to business outcomes

It also defines five governance processes, which are “a series of tasks enabling the governance of information security and their interrelationships”: evaluate, direct, monitor, communicate and assure. Together, these principles and processes form the governance of information security.

Many IEC International Standards and all the IEC Conformity Assessment Systems contribute to the United Nations Sustainable Development Goal 16, which promotes peaceful and inclusive societies. The cyber security standards in the ISO/IEC 27000 family contribute by protecting key data and systems, while others, such as IEC 62443 help make critical infrastructure more resilient.