Data and systems breaches happen. It’s not a question of if, but when. Examples of breaches abound; just remember the incidents that affected Sony Pictures or Anthem Medical. All sectors are vulnerable to cyber-attacks. Overall, the effects are devastating: legal liabilities, damaged brand reputation, loss of trust from customers and partners, and ultimately lost revenue.

As data usage increases, companies are faced with the challenge of creating the right strategies, structures, and policies to keep sensitive data and systems secure. At the same time, criminals are developing new and sophisticated tactics to access valuable data and systems.

Security is, and should be, a concern for every employee in a company. However, leadership must be responsible for establishing and maintaining a corporate governance structure. Cyber security governance is defined as a subset of corporate governance that provides strategic direction, ensures that objectives are met, manages risk, and monitors the success or failure of the corporate security program.

Whether it sits with the board of directors, executive management, a steering committee, or all of them, cyber security governance requires strategic planning and decision-making.

Despite the threat of cyber-attacks and data breaches, companies can take proactive steps to adopt an effective governance policy. Below are five strategic good practices for cyber security governance.

1. Take a comprehensive approach

The security strategy should be closely linked to business and IT objectives. A comprehensive approach ensures that leadership has more levels of control and visibility.

2. Raise awareness and provide training

Although developed by the leadership, cyber security governance involves all employees of the organization and requires ongoing awareness. Governance creates policies and assigns responsibilities, but each member is responsible for following security standards.

Ongoing training and education on good security practices are critical. The cyber threat landscape is changing rapidly, and employees, in addition to company training, must keep up to date. That way, when new threats arise, the company will be prepared.

3. Monitor and evaluate

Cyber security governance should never take a “set and forget” approach. Assessments must be ongoing. Monitoring ensures the achievement of objectives and proper management of resources. Which security governance policies are working? Which ones aren’t?

Run simulated system or data breach scenarios to test the effectiveness of corporate teams and company incident response plans. Test results can reveal strengths and weaknesses, show where the business needs to focus, and indicate which security governance policies hold up under pressure.

4. Encourage transparent communication

Stakeholders must feel that they can communicate transparently and directly with leadership, even if it is to share bad news. Transparent communication promotes trust and provides a greater level of visibility across the organization.

Involvement is critical. Consider creating a steering committee made up of executive management and key team leaders (IT, marketing, finance, PR, legal, operations, etc.) to review and assess current security risks.

5. Agility and adaptability

The days of centralized governance are behind us. Organizations need to adapt quickly to deal with the ever-changing landscape of threats. IT and cyber security management, which typically handles tactical decision-making to mitigate security risks, may have practical experience and insight into the effectiveness of a particular security policy, but its recommendations go nowhere without the support of top executives. Leadership must quickly determine how to implement the suggested changes across the organization. If a governance policy is ineffective, leadership needs to be willing to review it.

In general, to be successful, a cyber security governance policy involves an ongoing process of learning, reviewing and adapting. Organizations need to be proactive and strategic about security. Threats and incidents are unavoidable, but making cyber security governance a strategic priority in the organization can help minimize cyber risk.