Pro Tech

Cybersecurity Governance – the four cores to know

In past articles, we have looked at the four cores of managing cybersecurity – securing your people, your communications, your data, and your technology.

This is achieved through awareness training, best-practice policies and procedures, and selective technologies. These are the foundational components that every business is expected to implement for security. Oversight of these policies and procedures, however, falls to the Board and C-Suite executives.

According to the New Zealand National Cyber Security Centre, “Boards and executives are ultimately responsible for the outcomes of any cyber incident, including the impact on stakeholder and customer confidence.” This demands that business leaders have a clear understanding of what is required to create an optimally secure business.

To this point, Gartner predicts that at least 50% of C-level executives will have performance requirements related to cybersecurity risk built into their employment contracts by 2026. To meet these demands, a sound knowledge of the four cores of cybersecurity is a must. In this instance the four cores relate to the governance, legal, financial, and insurance practices of the business. The NZ Privacy Act of 2020 states that an organisation must now report any breach to the Privacy Commissioner, along with its clients, stakeholders, and interested parties. To add insult to injury, all breaches are accompanied by a financial penalty.

This is effective governmental leverage for implementing best-practice cybersecurity assurance in industries across New Zealand. Legislation is also currently being written that will hold Board and C-Suite members more directly accountable for the cybersecurity posture of any organisation they manage, as is already the case in other countries. Simply approving or cutting a cybersecurity budget is no longer enough.

As the saying goes, if you think compliance is expensive, try non-compliance. Recovering from a ransomware breach and then building the correct cybersecurity management structure is far more costly than putting the right controls in place from the start. There is no return on investment when it comes to cybersecurity implementations. Their purpose is to protect the ROI on the products and services that make you profitable and keep you in business.

Cybersecurity insurance packages come in different configurations based on multiple factors for each case. Picking the suitable package depends on knowing the protections and gaps in your business. Knowledge at the Board level of what is in the Risk Assessment and Treatment plan is a requirement for purchasing cyber risk insurance. Each of these areas depends on the knowledge that the Board and C-Suite have of the organisation’s cybersecurity posture – its governance.

It’s no longer enough to blindly approve policies and budgets without knowing what’s in them, and more pressure and accountability will be placed on the C-Suite to get it right. Discount it at your peril. We understand that most business leaders “don’t know what they don’t know” when it comes to cybersecurity governance. We therefore always recommend (and offer) a professional cybersecurity audit as the best place to start.

An assurance audit conducted by an independent professional outside your IT department or service provider will provide a fact-based, objective report of your current cybersecurity governance and management posture. This gap analysis helps determine where resources need to be directed and, in some cases, may lead to a recommendation for an international certification such as ISO 27001.

Cybersecurity is the right balance of governance and management; one depends on the other. Commitment at the Board and C-Suite levels demonstrates leadership and sets the tone for staff to follow.