Cybersecurity Governance: Best Practices for European Companies
Cybersecurity governance is the framework by which an organization coordinates its cybersecurity activities, integrates them with day-to-day operations, and places them under the oversight of executive leadership. According to research by CESIN (the French Information and Digital Security Experts Club), a majority of executive committees are now willing to put cybersecurity at the forefront of their governance strategy. As the regulatory landscape in Europe evolves, cybersecurity governance is becoming a priority.

What is cybersecurity governance?
Cybersecurity governance is about giving company directors the authority, and the information, to make decisions on cybersecurity policy.
Definition of cybersecurity governance
International frameworks and bodies such as COBIT and ISACA offer differing definitions of cybersecurity governance. Within the ISO 27000 family of standards, ISO/IEC 27001 sets out the requirements for implementing an ISMS (Information Security Management System), while governance of information security has its own standard, ISO/IEC 27014:2020. There, the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) define governance of information security as the “concepts, objectives, and processes [...] by which organisations can evaluate, direct, monitor, and communicate the information security-related processes”.
Cybersecurity governance now forms a large part of business conversations, because the stakes have moved up to the highest levels of the organization. While IT security once fell under the remit of technical and operational teams, today senior management is involved, with key players such as CISOs, CIOs and CROs bringing the subject to executive and general management.
To summarize, cybersecurity governance represents all the decisions that an organization must make in order to secure its IT and information systems.
What is the use of information security governance?
Cybersecurity governance should, before anything else, focus on managing cyber risks – anticipating potential cybersecurity threats to estimate and limit future financial loss. This loss depends largely on a given company’s tolerance to risk; the undesirable outcomes – or financial losses – it is willing to suffer.
At C-Risk, we recommend analyzing risk on quantifiable, mathematical criteria, such as those laid out by the FAIR™ (Factor Analysis of Information Risk) standard. The resulting options for treating a cyber risk fall into four categories: accepting it, avoiding it, reducing it, or transferring it.
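The following is an added illustration of the approach described above, not code from the original article or from C-Risk, and not an implementation of the full FAIR ontology: it uses the FAIR decomposition of loss event frequency (threat event frequency multiplied by vulnerability) and loss magnitude, runs a Monte Carlo simulation over many simulated years, and compares the resulting annual loss distribution with a risk tolerance to pick one of the four treatment categories. All scenario figures, the tolerance value and the decision rule are constructed assumptions for the example.

```python
"""Simplified FAIR-style loss simulation (added illustration, not FAIR's official model)."""
import math
import random
import statistics

# Constructed scenarios. The numbers are hypothetical and only serve the example.
# tef: threat event frequency per year as (min, most likely, max)
# vuln: probability that a threat event turns into a loss event
# magnitude: loss per event in EUR as (min, most likely, max)
SCENARIOS = {
    "ransomware on file servers": {
        "tef": (0.5, 2.0, 6.0), "vuln": 0.30, "magnitude": (50_000, 250_000, 1_500_000),
    },
    "business e-mail compromise": {
        "tef": (2.0, 8.0, 20.0), "vuln": 0.10, "magnitude": (5_000, 40_000, 300_000),
    },
}


def poisson(rng, lam):
    """Draw a Poisson-distributed event count (Knuth's method; fine for small lambda)."""
    if lam <= 0:
        return 0
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(scenario, rng):
    """Simulate one year: sample the number of loss events and sum their magnitudes."""
    tef_lo, tef_ml, tef_hi = scenario["tef"]
    # Loss event frequency = threat event frequency x vulnerability (FAIR decomposition)
    lef = rng.triangular(tef_lo, tef_hi, tef_ml) * scenario["vuln"]
    events = poisson(rng, lef)
    mag_lo, mag_ml, mag_hi = scenario["magnitude"]
    return sum(rng.triangular(mag_lo, mag_hi, mag_ml) for _ in range(events))


def annual_loss_profile(scenario, years=10_000, seed=1):
    """Monte Carlo over many simulated years; summarise the annual loss distribution."""
    rng = random.Random(seed)
    losses = sorted(simulate_annual_loss(scenario, rng) for _ in range(years))

    def pct(p):
        return losses[min(len(losses) - 1, int(p * len(losses)))]

    return {"mean": statistics.fmean(losses), "p50": pct(0.50), "p95": pct(0.95)}


def treatment(profile, tolerance):
    """Map the loss profile against the organisation's risk tolerance to a treatment.

    The four categories (accept, avoid, reduce, transfer) are the ones named in the
    article; the decision rule below is a simplifying assumption for the example.
    """
    if profile["p95"] <= tolerance:
        return "accept"
    if profile["mean"] > tolerance:
        return "reduce or avoid"   # expected loss already exceeds tolerance
    return "transfer"              # tail risk exceeds tolerance: insure or contract it out


if __name__ == "__main__":
    TOLERANCE = 200_000  # constructed: maximum acceptable annual loss in EUR
    for name, scenario in SCENARIOS.items():
        profile = annual_loss_profile(scenario)
        print(f"{name}: mean={profile['mean']:,.0f} EUR, "
              f"p95={profile['p95']:,.0f} EUR -> {treatment(profile, TOLERANCE)}")
```

The point of the simulation is that the decision is driven by the company's tolerance, not by a qualitative "high/medium/low" label: a scenario whose expected loss sits below tolerance but whose 95th-percentile loss exceeds it is a candidate for transfer (insurance, contractual allocation), whereas one whose expected loss already exceeds tolerance has to be reduced or avoided.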
Who should be involved in IT governance?
As explained above, and as the name suggests, cybersecurity governance falls first and foremost under the remit of senior management. Executive committees and boards of directors are the central decision-makers. Although CIOs are no longer the central players in cybersecurity governance, they still play a key role in raising awareness and supporting company directors.
No business really escapes the need to define its information security governance: since its aim is to anticipate and manage cyber risk, it concerns companies of all sizes.
Let us not forget that cyberattacks have risen sharply since 2020, and that already in 2018 CESIN research showed that 92% of businesses had experienced at least one cyberattack. The point matters most for small businesses, which are the least likely to be well protected and therefore easy targets for cybercriminals.

What is cybersecurity governance?
Cybersecurity governance is governance dedicated to IT security and protection from cyberattacks. We talk about ‘governance’ because cyber risk is a major challenge in 2022 which concerns businesses of all types and sizes, therefore requiring an overarching policy.
Why is it important to develop effective cybersecurity governance?
Cyber risk has become very strategic for businesses. It is no longer about individual company departments, so it is necessary to adopt IT security policies that are capable of covering both legal and financial stakes.
GRC (Governance, Risk, Compliance) is an integrated approach to risk that ties risk management to company strategy and regulatory compliance. This makes it a well-suited approach for managing cyber risk.
