Cybersecurity Success: A Shared Responsibility Model Between Business And IT

It is an avowed mantra in cybersecurity that business has an essential role to play in protecting the proverbial crown jewels, in partnership with the IT division of a company. As the adage goes: Security is not a technology issue; it is a business issue.

This article will aim to describe a shared responsibility model for managing cybersecurity risk and include a summary of lessons learned after years of design and implementation at a leading Canadian financial institution.

In order to get traction, responsibilities must be clearly stated and cast into corporate policies supported by defined business processes and audited for compliance.

Own The Risk

It starts with an acknowledgment that business units (BU) own the risk. When a cyber breach affects an organization, the IT division plays a quarterback role in managing the technical part of the incident, but the main impact is on the business. Once the incident becomes public, the negative headlines fill the newspapers, and heads start rolling at all levels in the organization. The stock is hammered down, and shareholder value is diminished. Disappointed clients vote with their feet, while frustrated security professionals wave the “I told you so” flag, and talented staff start updating their resumes.

All of the above are business risks, not IT risks.

A business must also define its risk appetite. How much risk is acceptable will greatly influence decisions on how much protection is needed. Sizing the risk requires a model, and many organizations regard cyber risk as a combined effect of the impact of an undesired event and the likelihood that the event will occur.

Allocate Funding And Resources For Risk Treatment Plans

If a business owns the risk, it must also own the solution. Risk mitigation plans require funding for supplemental controls and resources to support control implementation. Do you need application code testing for security vulnerabilities or a system pen-test? Do you need a web application firewall for a new internet-facing application? Do you need to replace technically obsolete equipment that can no longer be patched?

If the answer is yes to any of these, your business must decide between investing in new systems and applications and securing the existing ones. Security is there to help develop the solution and present an appropriate recommendation.
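The risk model described above (cyber risk as the combined effect of impact and likelihood, measured against a stated risk appetite) is easy to operationalize as a small business-unit risk register. The following is an added example, not code from the article or from the institution it describes; the ordinal scales, the appetite threshold and the three register entries are constructed for illustration, and each organization would define its own.

```python
from dataclasses import dataclass, field

# Ordinal scales, constructed for this example. Real programs calibrate these
# against dollar impact bands and observed incident frequency.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    """One entry in a business unit's risk register."""
    risk_id: str
    business_unit: str            # the BU that owns this risk, not IT
    description: str
    likelihood: str               # key into LIKELIHOOD
    impact: str                   # key into IMPACT
    existing_controls: list = field(default_factory=list)

    def validate(self) -> None:
        # Reject labels outside the agreed scale so a typo cannot silently
        # score a risk as zero or be ranked incorrectly.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"{self.risk_id}: unknown likelihood {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"{self.risk_id}: unknown impact {self.impact!r}")

    def score(self) -> int:
        """Combined effect of impact and likelihood (the article's model)."""
        self.validate()
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def decide(score: int, appetite: int) -> str:
    """Compare a risk score with the BU's stated appetite (max tolerated score)."""
    if score <= appetite:
        return "accept (within appetite; monitor)"
    return "treat (exceeds appetite; funded treatment plan required)"


def treatment_plan(register: list[Risk], appetite: int) -> list[dict]:
    """Rank the register by score and record which entries need a funded plan.

    Returns rows of risk_id, business_unit, score and decision, highest
    score first, so the BU sees what it must fund before what it may accept.
    """
    rows = []
    for risk in register:
        s = risk.score()
        rows.append({
            "risk_id": risk.risk_id,
            "business_unit": risk.business_unit,
            "score": s,
            "decision": decide(s, appetite),
        })
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample register mirroring the questions in the text
SAMPLE_REGISTER = [
    Risk("R1", "Retail Banking", "Obsolete branch equipment that can no longer be patched",
         "likely", "major", existing_controls=["network segmentation"]),
    Risk("R2", "Digital Channels", "New internet-facing application without a WAF",
         "possible", "severe", existing_controls=["code review"]),
    Risk("R3", "Finance", "Stale accounts on an internal reporting tool",
         "unlikely", "minor", existing_controls=["quarterly access review"]),
]
SAMPLE_APPETITE = 8   # constructed: the BU tolerates a combined score of 8 or less


if __name__ == "__main__":
    for row in treatment_plan(SAMPLE_REGISTER, SAMPLE_APPETITE):
        print(f"{row['risk_id']:>3} {row['business_unit']:<16} "
              f"score={row['score']:>2} -> {row['decision']}")
```

The output is a ranked list that states, per business unit, which risks exceed appetite and therefore need the funded treatment plans the section calls for. Changing `SAMPLE_APPETITE` is how a business unit's appetite decision flows directly into how much protection is bought.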

Document Processes, Applications And Data Classification

IT people generally have a good understanding of the infrastructure that supports the business: what servers are involved, what the network architecture is, where the databases are and how information flows from one IT component to another.

But these are not business processes. This is not where the value is created and how clients are being served. That knowledge comes from business specialists who need to document what the business services are, how they are delivered and what applications contribute to creating client value.

Assign Asset And Data Owners

Business leaders must assign asset and data owners. The asset owner is a knowledge worker with a deep understanding of which applications and data are business-critical, how data is used, who has access to it, how it is kept current and accurate over time, how well it needs to be protected, and when it needs to be sunset and replaced. The asset owners are responsible for the life cycle management of informational assets. It’s one of the more complex and resource-intensive programs, but it is much needed as a foundation to build upon.

Develop Business Continuity Planning And Define Recovery Objectives

And if disaster strikes, how soon should your business be able to recover and resume operations? This is called the recovery objective. Sometimes it is set by regulations, but most of the time it is a business decision. The recovery objective for each BU will determine the IT architecture, redundancy and security solutions, and operations continuity plans.

Participate In Training And Awareness Events

Study after study continues to confirm that people are the weakest link in the security chain. A spear-phishing email addressed to an employee with a big profile on LinkedIn and lots of personal data on Facebook is an easy way to pierce security defenses, jump over the proverbial firewall (not through it), and gain a foothold from which to mount a cyberattack from within the organization, not from the outside. All for the price of a click.

Business managers must strongly encourage their staff to take all security training and awareness courses offered by the information security office, so that staff become the first line of defense.

Coordinate Planning And Budgeting With Information Security

In most organizations, planning for the next financial year starts early. Business leaders get together with CTOs and the CISO and align their strategy and investment plans for the following year. Are current security solutions sufficient and effective? Are future security solutions going to be funded by one BU alone or by the enterprise?

It’s a win-win negotiation where risk appetite and compliance requirements tilt the balance one way or another. In any case, close coordination between business and security becomes a critical success factor.

Lessons From The Trenches

Getting your business to acknowledge its role and hold up its end in cybersecurity risk management is both a journey and a destination. Here is what we learned:

• Start with clearly defined roles and responsibilities documented in a corporate policy.

• Define targets and measurements for the success of the security program.

• Develop joint scorecards, and use them to influence stakeholders.

• Track and report compliance to the top of the house and to the board.

• Have an active awareness program that keeps staff interested and engaged.

• Build industry alliances, and leverage other organizations’ experience.

• Attract and retain the best security risk management talent you can afford.

Conclusion

Cybersecurity only exists to support the business. As IT representatives, we should partner with business personnel to help them understand not just their responsibilities, but also how they can leverage cybersecurity tools to take on additional risk and enter markets that were previously out of reach.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.