Poor practices for cybersecurity can put an entire organization at risk, and the rise of ransomware has made this even more apparent. Prior to ransomware, businesses might have suffered a breach of customer data that resulted in bad publicity, regulatory fines, lawsuits and costs for identity monitoring for the affected customers. But with ransomware, the repercussions go beyond these issues; it has the potential to completely shut down operations for an enterprise. Ransomware is a game-changer.
As a result, boards of directors (or, for enterprises that are not publicly traded, the owners) and senior management are increasingly expected to take an active role in the oversight and management of cybersecurity and cyberrisk. In the United States, changes to the US Federal Trade Commission (FTC) Safeguards Rule require financial institutions to name a qualified individual responsible for implementing and enforcing their cybersecurity program. That qualified individual must provide an annual written report to the governing body, such as the board of directors or owner, on the effectiveness of the program and any significant gaps. Also in the United States, the US Securities and Exchange Commission (SEC) is proposing that publicly traded enterprises be required to add information about cybersecurity to their annual reports for stockholders and to list the cybersecurity qualifications of the members of their board of directors.
Both the reality of cyberthreats (e.g., ransomware or loss of critical intellectual property) and regulatory changes should make it clear to boards, owners and management that cybersecurity needs to be managed better. Enterprise risk management (ERM) is a tool that management and the board can use to manage risk across the enterprise, including cyberrisk. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) ERM framework and International Organization for Standardization (ISO) 31000 are two prominent ERM frameworks. Both emphasize that effective ERM requires oversight from senior management, an organizational structure that supports ERM, and qualified staff. These and the other capabilities needed to support ERM are also necessary to support cybersecurity and manage cyberrisk; therefore, the contents of both frameworks apply easily and aptly to cybersecurity.
Organizations can learn about the consequences of ineffective enterprise management of cybersecurity from many examples around the world, including the 2021 ransomware attack on Ireland’s Health Service Executive (HSE). Examples such as HSE point to organizational needs for cybersecurity such as board oversight, staffing of essential management positions (e.g., a chief information security officer [CISO]) and hiring sufficient staff. Based on experience, many organizations still take the limited view that cybersecurity is primarily a technical matter.
But what past attacks show is that effective technical support for cybersecurity cannot be achieved without the necessary management structure and management support. That is, if an organization’s leadership ignores cybersecurity, it is very difficult to have effective people, processes or technology to support it.
Editor’s note: For further insights on this topic, read the authors’ recent Journal article, “Managing Cybersecurity Risk as Enterprise Risk,” ISACA Journal, volume 5 2022.