Cybersecurity presents an expanding source of risk for every enterprise. McKinsey estimates the cost of cybercrime is increasing at 15% annually1. This is a very rapid expansion of an issue that threatens the viability of each of our organizations. And yet, is our governance prepared – do we even know what we need to know to properly attack this threatening trend? And even more basic of a question – who cares?
Well, it turns out, there are many who care. In fact:
- The Board cares
- Regulators care
- The CFO cares
- In-house Counsel / Corporate Legal cares
- The Cybersecurity Team cares
- Risk Management cares
- Investment Analysts care
- IT cares
- Internal Audit cares
- And as we know from litigation, Shareholders care
So, we might well ask “Who doesn’t care?”. This starts to sound like a pretty big topic that should be getting a lot of attention from the enterprise. But how do we apply governance to this area?
Naturally, the average public-company board has quite a bit of expertise. Typically, this includes one or more board members with legal, finance, HR, operations, and public accounting backgrounds. But where is the specialized knowledge represented? And it is very specialized knowledge in cybersecurity. Who is it in our primary source of governance – the Board – that brings the cybersecurity knowledge for this vital set of risks that threaten the enterprise daily?
Due in part to this gap, practical implementation of governance practices found in other areas are difficult to gain in the territory of cybersecurity. Worse yet, there is a widespread tendency to treat cybersecurity as a technology issue, when it has been clearly established that cybersecurity is first and foremost a business issue2.
“There is a widespread tendency to treat cybersecurity as a technology issue when it has been clearly established that cybersecurity is first and foremost a business issue2.”
Key governance questions include: “What is our tolerance for Cybersecurity risk?”; “How much should we be spending on Cybersecurity protection?”; What would we stand to lose from a major cyber-attack?”; and “How can we be sure we have the right protections in place?”. These are all business questions, not technology issues.
An overall Cybersecurity strategy, guided under corporate strategy and governance, is one that aligns people, processes, and technology with the goals and objectives of the business. Most Cybersecurity functions in today’s environment have the technology. In fact, the discipline of Cybersecurity possesses among the most sophisticated technologies in any area. The Cybersecurity software industry works tirelessly applying artificial intelligence, forensics, blockchain, behavioral analysis, and many other advanced techniques to the problem.
In terms of process, Cybersecurity functions under regulatory standards, professional frameworks, and professional certification standards that proscribe processes, functions, and procedures. Further, these processes are tuned to the specific industry of the organization. It’s not uncommon in areas like Health Care and Financial Services, to find compliance to five, six, or more standards from international, federal, and state compliance standards and frameworks. So where are we lacking?
The biggest gap is people in most organizations. Unlike technology, no one can go to a vendor to simply get the key people needed. And no regulatory authority can enforce the requirement to have enough people with the right backgrounds. Cybersecurity staffing, and the inability of most organizations to fill these roles, is the primary barrier to effective Cybersecurity and effective Cybersecurity governance.
In the US labor market today, some 500,000 open positions go chronically un-fillable since virtually all the available cybersecurity professionals in the market are already hired and spoken for. Recruiters are tapped out, and many new entrants to the field do not have the real-world skill sets to go to work and make a difference in this complex profession.
But there’s hope on the horizon. Employers are recognizing the true importance of properly skilled cybersecurity practitioners and are turning to more targeted sources to fill these key roles. CyberNow Labs, a National Cyber Group company, is an expanding provider of highly qualified cybersecurity professionals. Through real cyberattacks in a typical corporate cybersecurity operations center (“CSOC”), graduates learn the actual operational environment of today’s corporate cybersecurity function. Through partnerships with top cybersecurity vendors like CrowdStrike, Splunk and others, graduates come out of the program not only with knowledge and hands-on skills across these technologies but also the understanding of how they integrate and are managed to achieve real and meaningful protection against these growing threats.
Ultimately, getting the people part of the cybersecurity puzzle turns out to be the main variable that sound governance can focus on and solve. Time and again, operating without a full team due to chronically open and unfilled positions harms the cybersecurity team and erodes governance. Most cybersecurity professionals report that they are caught in a reactive cycle of responding to threats as they emerge, and are rarely able to get ahead enough to establish sound governance practices like architecture, a roadmap ahead and the timeline and budget that supports it, etc. Security Magazine’s Aviram Jenik explains, “With limited staff, companies can't fully address every single vulnerability the moment it's discovered”3. This today, is the most glaring constraint to real cybersecurity governance.
To get serious about applying governance, the time is now. Time to get the people, get ahead of the reactive mode, align with the business and its strategies, and get to a better place while there’s still time.
1 https://www.mckinsey.com/business-functions/risk-and-resilience/our-insights/cybersecurity/cybersecurity-trends-looking-over-the-horizon
3 https://www.securitymagazine.com/articles/95955-whack-a-mole-is-not-remediation
