Chapter 1

The Broken State of Cybersecurity Governance

“Leadership is about making the tough calls, not just the easy ones. It's about recognizing when something isn't working and being willing to pivot, even if it means admitting failure and starting over.”

—Ben Horowitz, co-founder of Andreessen Horowitz and Opsware

Despite increased investment in cybersecurity and technology, organizations still report that they don’t feel any safer. Firms of all shapes and sizes are taking steps to protect their data and systems, yet most remain vulnerable to attackers, and the “blast radius” of an incident is still large and unwieldy. This chapter explores why the traditional approach – viewing cybersecurity primarily as an isolated “IT issue” and making compliance the goal – is inadequate against the growing threat of cyberattacks. By recognizing cybersecurity as a business risk on par with other enterprise risks, such as supply chain and capital structure, organizations can adopt a more comprehensive strategy that encompasses all aspects of the enterprise.

Two Dangerous Mindsets That Thwart Cybersecurity Progress

Mistake 1: Having Only a Compliance-Focused Program

A compliance-focused security program is one in which the organization concentrates primarily on meeting regulations and standards, such as PCI DSS, HIPAA, and ISO 27001. Compliance is an important aspect of cybersecurity and must be satisfied, but it only partially protects an organization from cyber threats. A further danger is that compliance can give the board false comfort that cybersecurity governance is being taken care of. Compliance-focused programs are piecemeal, reactive, and defensive in nature: they address only known risks and vulnerabilities. In today's rapidly changing threat landscape this is insufficient, because cybercriminals are constantly finding new ways to attack organizations. And while attacks are executed systematically, compliance programs are implemented in fragments.

Phil Venables, the highly regarded Chief Information Security Officer for Google Cloud and formerly of Goldman Sachs, writes, “Compliance is a necessary but insufficient condition for security. Many compliance regimes do, in fact, represent a baseline level of security that is useful and necessary, but sustaining compliance does not equate to the security you might need in your context.” Simply put, as cyberattacks become more advanced, coordinated, and sophisticated, companies need an equally well-coordinated and systemic approach to cybersecurity to have a better chance of defending against them. A compliance-first approach does not account for the constantly evolving nature of cyber threats; organizations must be proactive in their defense and stay ahead of the curve with comprehensive security strategies that do.

Compliance with regulations should not be ignored, but it should not be the sole focus of an organization's cybersecurity governance. Organizations need to integrate regulatory requirements into a larger security strategy that addresses the changing nature of cyber threats.

Mistake 2: Security as an IT Problem

Treating cybersecurity as only an IT problem perpetuates the notion that it is an isolated technical issue rather than a business risk deserving of board oversight. It is both! This narrow view fails to consider the full spectrum of cyber threats and the impact they can have on an organization. In the event of a breach, the company could face significant financial losses, reputational damage, and a loss of trust among its customers and shareholders, with long-term consequences that far outweigh the investment required to prevent such events. While IT professionals are critical to defending against cyber threats, they cannot do so effectively in isolation. Cybersecurity requires a cross-functional, integrated systems approach and a change in corporate culture that involves the entire organization, including a board of “digital savvy” directors (see MIT study).

When cybersecurity is viewed as an IT problem, it is often siloed and treated as a low priority compared to other business initiatives. This leads to inadequate and suboptimal allocation of cybersecurity investment and a lack of accountability at the highest levels of the organization. It can also create a false sense of security, because a focus on IT-specific solutions may overlook non-technical factors such as employee training, incident response planning, and third-party risk management.

These two dangerous mindsets highlight the need for organizations to adopt a more comprehensive and systemic approach to cybersecurity. By viewing cybersecurity as a business problem and an enterprise risk, organizations can develop a more strategic approach that involves all aspects of the corporation, including employees, processes, and technology.

Humans Are Still the Weakest Link

One of the primary reasons the above approaches fail is the lack of attention to the human factor.

No matter how secure a company's technology is, the weakest link in the security chain is often its employees. A company may have the latest firewalls and endpoint protection, but if its employees are not trained in basic cybersecurity practices, such as recognizing phishing emails, the organization remains vulnerable to attack.

According to Deloitte, a staggering 91 percent of successful cyberattacks began with a phishing email, which highlights how critical the human factor is to cybersecurity governance. We believe that security measures that are intelligent and user-friendly, and that do not put significant obstacles in people's way, will encourage employees to follow cybersecurity protocols. For instance, a 90-day password change policy is cumbersome and less effective than requiring longer passphrases that expire less frequently, an approach that has demonstrated greater effectiveness in the real world.

Lack of Board Involvement

The lack of involvement from boards of directors is the final major factor contributing to the broken state of cybersecurity governance.

Board members are often not knowledgeable about cybersecurity risks and may not understand the importance of having a robust cybersecurity strategy in place. This results in a lack of support for cybersecurity initiatives and insufficient resources allocated to developing a comprehensive security program. While some companies are adding digital-savvy directors, many still operate in the old way, where technology and system risk are not considered at the board level. The following chapters outline a new approach to cybersecurity that brings the board of directors closer to this area of enterprise risk and improves the relationship and coordination between the board and the security and technology executives. With the right conversations and investments in key areas, organizations can make meaningful progress on their journey toward a more secure future.