Today, cybersecurity is not just a problem for your technical team; it is everyone’s business.
In recent years, organizations have finally started to understand that cybersecurity is not a problem that can be allocated solely to IT or information security teams, and that it has implications for every member of an organization, especially senior management and the board. This must come with the realization that cyber risk management covers more than security across the network; it also covers the day-to-day business activities conducted almost exclusively on digital devices. The best way to tackle this head-on is to recognize that it is a corporate governance issue and to bring IT security, legal and governance teams together with senior-level management and the board to create a cyber strategy.
Building your cyber strategy
There are many components of building a strong cyber strategy. Often the most difficult step is determining which controls and policies to implement. This is where technologists, the ones who have deeper knowledge of and experience with cyber threats, must coordinate with compliance and legal teams. Earlier this year, SEC Commissioner Robert Jackson said, “One recent survey noted that 70% of executives at the S&P 500 named their IT department as a primary owner for cyber risk management, compared to just 37% who identified the C-suite or the board. The same survey noted that, especially at large and growing companies, responsibility for these issues is often scattered throughout the organization, creating the risk that key information might not make its way to the decision makers who need it most.”
This must be addressed well before a threat is suspected.
Corporate Governance: A Framework
To make establishing a complex cybersecurity strategy a reality, there are a number of government-led frameworks that aim to reduce the headache of determining the best controls to implement. These can serve as models or references for implementing all stages of a cyber plan, including disclosure, breach response, and policies and controls. The majority of these carry the risk of fines or legal action if organizations do not comply. There are more than the few listed here; these are compiled to give a brief introduction to and overview of each.
NIST Cybersecurity Framework: Quickly becoming a flagship resource for managing cybersecurity-related risk. With frequent updates, the voluntary NIST Cybersecurity Framework helps organizations focus their efforts and priorities to build the baseline.
SEC Guidelines: Focused on preparing the disclosure that would result from a cybersecurity incident.
In addition, there are a number of laws covering how data and technology must be managed. These go well beyond cybersecurity teams and often require a legal advocate.
508 Compliance: The law requires that federal government websites be safe and accessible for people with disabilities.
HIPAA: The Health Insurance Portability and Accountability Act requires data privacy and security for safeguarding certain health/medical information.
GDPR: The General Data Protection Regulation, passed in the spring of 2018, is a set of sweeping reforms in the EU for data protection and privacy for anyone within the EU.
CCPA: The California Consumer Privacy Act followed quickly on the heels of GDPR. This guideline gives California residents the right to demand to see any information a company has stored on them, paving the way for lawsuits if guidelines are violated.
Commissioner Jackson also said that the “most pressing issue in corporate governance today: [is] the rising cyber threat.” If your organization is not seriously considering or working to bring together the right people, then it is exposing itself to cyber risk and to a lack of confidence in your environment.
Cybersecurity goes well beyond one or two departments. To be truly successful, you need to bring together the right team to build out a solid framework and to build accountability for risk management implementation in your environment.
Luckily, BAP developed the solution to align system controls to the regulations automatically, at a reduced cost and in less time. BAP has the largest compilation of all regulation controls, which can be implemented immediately to give unparalleled real-time policy-to-event intelligence to your environment.
Get a demo today.