The Financial Conduct Authority (FCA) has made clear what they expect from financial firms in terms of cybersecurity. From the largest banks and insurers to the smallest advisors, the regulator wants to see a “security culture”.
As Nausicaa Delfas, a member of the FCA’s executive committee, explained in a recent speech: “We are looking for firms to have good governance around cybersecurity in their firms – by this, I mean senior management engagement, responsibility – and effective challenge at the Board.”
In other words, a security culture is about leadership and good governance. So what does this mean in practice?
Good cybersecurity governance is built on people, processes, culture and technology. This article will look at each of these points and what they mean for businesses and leaders looking to build a culture of good governance.
A working definition of ‘cybersecurity governance’
If you’re wondering what good cybersecurity governance means, you’ll be disappointed to hear there’s no simple answer. Cybersecurity governance includes a wide range of tasks and duties, all beginning at the top levels of a business.
Many cybersecurity governance strategies adhere to an outdated ‘weakest link’ strategy focused on mitigating specific, discrete risks. It’s not that this strategy is wrong; it just doesn’t go far enough. The reality is that organisations have to contend with dozens of constantly evolving weak links.
That’s where good governance comes in: a cohesive, adaptable approach to cybersecurity focused on people, process, technology and compliance.
Organisational culture and cybersecurity
Before we go any further, it’s worth reflecting on the ‘culture’ part of ‘culture of security’.
Management consultant Peter Drucker once quipped that “culture eats strategy for breakfast”. By that, Drucker meant that preexisting business culture is a stubborn thing, and can stymie attempts to enforce a strategy incompatible with that culture. Looked at through a cybersecurity lens, Drucker’s words retain critical importance.
It’s easy to pay lip service to cybersecurity governance, by doing a phishing test and moving on to the next business problem. But given how common cyber attacks are these days — four in ten businesses have been attacked — it’s likely only a matter of time until yours is, too.
One way to kickstart cultural change is through hiring. It’s hard to change an institutional culture from within. But someone new at the top – say a new Operations Director – can provide new impetus for your security efforts, shoring up persistent weaknesses.
Roles and responsibilities in cybersecurity governance
Cybersecurity leadership has two halves. There’s the day-to-day, action-oriented side run by senior managers. Then there’s board-level activity, which is more strategic and built on supervision and oversight.
Let’s take a look at both strands of cybersecurity governance.
Cybersecurity governance by senior managers
GDPR, the Europe-wide regulation designed to protect the personal information of individuals, puts cybersecurity centre stage.
The risks of breaching GDPR are substantial, with administrative fines of up to 4% of annual global turnover or €20 million (whichever is greater) – not to mention the loss of trust suffered by offending businesses. And for larger firms, there are specific rules for GDPR regarding staff. If you’ve got more than 250 employees, for example, you must employ a data protection officer.
Unless you belong to an enterprise-size organisation, it’s unlikely you’ll have one person dedicated to cybersecurity governance. Someone must have cyber governance in their remit, however – regardless of how small your business is.
ThreatAware recommends that one director allocate two hours a week to cybersecurity governance, whatever the size of the business. There’s plenty you can achieve in that two-hour slot. Start here:
- Look at the Government’s excellent Cyber Essentials resources. Cyber Essentials lists best practices, processes and procedures for businesses. Study them and ensure they’re happening in your firm.
- Organise a pen (‘penetration’) test – a simulated cyber attack conducted by a third-party provider. Pen tests assess how vulnerable your business systems are to attack and which, if any, of your defences can be breached.
- Stay on top of GDPR. Are third-party contractors being risk-assessed? Is customer data handled and transferred securely?
- Check where passwords are being held and whether two-factor authentication is in place.
Cybersecurity isn’t a set-and-forget activity. It needs constant maintenance: at least two hours a week of management, plus the time spent implementing changes (which may not be done by the directors themselves).
Cybersecurity governance by board members
The board’s role in cybersecurity is similar to the board’s role in every aspect of the company: to offer scrutiny and due diligence. Cybersecurity is no longer the concern of just the IT department or directors. It’s everyone’s business — including the board’s.
To be effective in this role, boards must learn a new vocabulary and ask the right questions. This requires training. If corporate boards are not sufficiently prepared to deal with cybersecurity, it will be impossible for them to judge the effectiveness of current and proposed cybersecurity strategies.
The processes of good cybersecurity governance
Processes are important because they set out best practice for the entire business and make it easier for everyone to follow it. The question, then, is which processes need to be put in place for cybersecurity governance purposes.
An excellent place to start is what’s already been mapped out in FCA and GDPR compliance. These guidelines and laws provide a bare minimum target.
Over and above what’s required by law, there are plenty of steps to follow. As mentioned earlier, the government-backed Cyber Essentials scheme offers practical guidance that’s easy to follow, as well as an excellent questionnaire for determining your cybersecurity readiness.
ISO/IEC 27001:2005 is another good framework for bringing information security under management control. There are specific steps to follow and the standard takes a lot of guesswork out of the procedure.
Your business also needs to be clear on what to do in the event of a breach. If you’ve been breached, for example, or if an employee has sent confidential details to the wrong email address, you’ve got 72 hours to report the incident to the ICO.
But your handling of breaches shouldn’t be purely reactive. If someone is in your systems right now, your business must have an emergency response plan ready. A tool like ThreatAware can tell you when that happens, so that you can take action immediately – not after the fact.
The role of technology
Implementing cybersecurity software is the fastest way to improve your defences. Here’s where to start:
- Invest in a good anti-virus. We recommend Webroot.
- Implement and enforce web-browsing security. We recommend Umbrella.
- Get a patching tool to ensure software is automatically updated. We recommend AutoMox.
- Use a dashboard like ThreatAware to monitor and take control of your cybersecurity.
Good governance, from the top down
Good cybersecurity governance requires strong leadership. It’s not only a concern for the IT department; it is everyone’s business.
Every employee is a potential weakness. One mistake is all it takes for a damaging breach to take place. Consider the JPMorgan hack of 2014, caused by a single employee’s details being stolen. One slip led to the data of 86 million accounts being compromised.
Hackers and criminals are constantly on the hunt. And staying safe requires constant vigilance and a company-wide culture of security. That means the right training, people and technology.
Your business depends on it.
Having the right tech is central to cybersecurity governance. ThreatAware can help: click here to request a demo.