Describing Cyber Security as a risk is a language oddity that keeps appearing at an alarming rate. We have already highlighted this in an earlier article in March published on Computing.co.uk.
It is a dangerous and simplistic shortcut, typical of the shallow nature of the debate taking place around these issues on social media.
Cyber Security is not a “risk”. Cyber Security results from the proper application of proportionate Controls to protect an organisation from the Cyber Threats it faces. Cyber Risk results from the absence or inefficiency of such Controls.
With 79% of large organisations (>$5B Market Caps) struggling to demonstrate any kind of Cyber Security maturity (source: ‘Risk and Responsibility in a Hyper-connected World’ – World Economic Forum, in collaboration with McKinsey & Company – January 2014), the time has come for Boards to approach the problem from the right Management angle and take real action.
The Boards of large organisations must focus on ensuring that the necessary Controls are properly implemented across the true geographic perimeter of the enterprise, taking into account without complacency the role of external partners and suppliers.
Boards must focus on ensuring that accountabilities and responsibilities are properly in place to make sure the enterprise remains adequately protected from Cyber Threats. Cyber Security cannot be the responsibility of “everybody”. In most cases, it should fall in the portfolio of the CIO or the COO, and be cascaded down to a CISO who has the management experience, personal gravitas and political acumen to drive change.
Lasting change in that space will be complex and take time. Boards must ensure that a long-term Cyber Security roadmap is in place supported by a Governance Framework that distributes accountabilities and responsibilities from the Board down across the entire enterprise, including IT, HR, Business Units & Geographies.
Time has come for Boards to stop treating “Cyber Security as a Risk” and take genuine Management action to drive the implementation of protective Controls against the genuine Cyber Threats they face. This is not a matter of budget or resources but a very simple matter of priorities.
Contact Corix Partners to find out more about developing a successful Information Security Practice for your business. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.
Over May and June, we will be posting a series of 8 articles in which we explore the Governance and Leadership dynamics around Information Security and deconstruct eight commonly held views on the topic that CIOs would have encountered. Find out more on our blog from 6th May 2015.