A fundamental shift in thinking is underway within the risk management and cybersecurity fields. A convergence is happening: cybersecurity can no longer be relegated to the IT department. Instead, cybersecurity must be treated as a component of risk. At a minimum, the same level of diligence that organizations devote to business continuity, insurance risk, workplace safety, loss prevention, and disaster recovery must be applied to cybersecurity.
Adding Cybersecurity To The Risk Management Equation
From a risk management perspective, let’s look at insurance as an example for understanding cybersecurity’s role within the organization. Each year, organizations renew or review their property, general liability, and workers compensation insurance policies with their brokers or directly with insurance carriers. As cybersecurity insurance has become popular, risk managers need to follow the same process for their cybersecurity insurance policies.
When reviewing traditional insurance policies, risk managers use industry-accepted methods. For example, when preparing updates to property policies, risk managers will receive and review reports of company vehicles, property locations, square footages, building contents, safety upgrades, and many other items. When preparing updates to workers compensation policies, risk managers will have access to complete lists of personnel and biographical data.
When risk managers prepare a cybersecurity insurance policy for the first time, or review an existing one, do they have inventories of their computer systems? Do they know where their critical data is located? Do they know whether data moving into and out of the network is encrypted? Do they understand what it would take to recover in the event of a breach?
The answer is simply no. Risk managers do not know the answers to these questions because historically cybersecurity has been an IT issue, and the thinking has been “that’s an IT function, let them handle it.” Businesses need to change this thinking, and the different players need to come together to make sure they are properly protected against advanced threats and the risks that come with them.
Bringing Together Cybersecurity And Other Key Players
Those in charge of cybersecurity for an organization are responsible for 1) defending the network against attacks and deterring them; 2) continuously monitoring and ensuring the safety of data in motion and at rest; 3) responding to events that may indicate malicious activity on the network or involving company data; and 4) planning and preparing for future potential cyberthreats.
While the mechanisms by which cybersecurity personnel perform their duties are heavily within the IT realm, their oversight should sit outside the IT silo. In order to defend, monitor, respond, and prepare, other groups within the business have an obvious stake in the success or failure of its cybersecurity. For example, HR data is heavily regulated (e.g., PII and HIPAA), and so is financial data (e.g., SOX and GLBA). Just as with the risk management of property and workers compensation, HR and finance leadership must be listed as prime stakeholders on the cybersecurity risk management board.
Giving Cybersecurity A New Home And A Seat At The Table
To solve the current disconnect, there are two options. The first is to move the cybersecurity team out of IT and place it under risk management. This does not mean that cybersecurity should be taken out of the hands of CISOs and the well-versed teams under them, but rather that CROs and CISOs need to become peers in discussing the risks associated with cyber infrastructure.
The second option is to place cybersecurity parallel to risk management, but not within the IT chain. It is important that cybersecurity have a leader who is equal to or higher in the management chain than the Director of IT Operations, so that they can have a seat at the table with other key decision makers. If cybersecurity is not within risk management, then an equal-weight, dotted-line peer relationship should exist between a) cybersecurity and IT; and b) cybersecurity and risk management.
Removing Audit And Assessment Bias
The benefits of treating cybersecurity as something other than a function of IT can be seen in the use of audits and assessments. Cybersecurity should have cordial and collaborative relationships with all IT teams, given the need to respond quickly during a breach or in preparation for a potential threat. However, when performing an audit or assessment of an IT area, cybersecurity should not carry the conflict of interest of sitting within the same organization it is assessing.
For example, budgetary pressures could taint the actions recommended in an assessment. The cybersecurity team may need $10K for a new edge security device. If the team prepares an assessment finding that a piece of software is vulnerable and recommending that it be upgraded immediately, their $10K request could be denied and the money given instead to the team managing the vulnerable software.
Ultimately, the person in charge of making decisions for the areas that cybersecurity assesses should not have decision-making responsibility for the cybersecurity team’s budget. This obvious conflict of interest can be addressed by moving cybersecurity out of IT.
Solidifying Cybersecurity As A Board-Level Issue
Lastly, there is a significant benefit to boards of directors in pulling cybersecurity out of IT. In today’s cyberage, cybersecurity should be given dedicated line items on BOD agendas -- independent from IT. Currently, however, this is at the discretion of IT leadership, which is juggling many other areas and may not see cybersecurity as a priority. Cybersecurity would be far more likely to be guaranteed its needed seat at the table if it were separate from IT.
CISOs Are Here, But There Is Still A Ways To Go
For the past 20 years, leaders within the cybersecurity field, including myself, have pushed and clawed to get the business world to understand that as we become more cyber-connected, the role of a CISO is paramount to business success. We succeeded.
Many organizations now have a CISO role, and that role is tied in some way to the IT organization. Unfortunately, our vision of the CISO role was not implemented perfectly when it was tied directly to IT. The role of a CISO is to establish and maintain adequate protection of information. However, information is not necessarily controlled by the IT department. The IT department obviously controls the infrastructure on which information resides, but groups such as HR, risk management, finance, and business operations departments may control the collection, movement, and organization of information. In essence, non-IT departments are the ones that understand the requirements around information. While it is necessary that IT and non-IT departments work together, the protection of information requires collaboration and coordination -- and that is the role of the CISO’s office.
The protection of information is a core tenet of cybersecurity, and so CISOs play the largest role in maintaining a sound cybersecurity program. We have to convince business leadership and boards of directors to modify, however slightly, their thinking about the placement of cybersecurity within their organizations.