Cybersecurity governance

Cybersecurity governance best practices for European companies

Cybersecurity governance is all about company directors’ empowerment to make decisions around cybersecurity policy.

C-Risk
Published on 13 April 2022 (Updated on 13 April 2022)

According to the latest research by CESIN (the French club of information and digital security experts), a majority of executive committees are now willing to put cybersecurity at the forefront of their governance strategy. It goes without saying that the stakes rose in 2021, as cyberattacks became ever more sophisticated and their financial impact more apparent. Despite this, agreeing on the approach to adopt, the people to involve, and the barriers to overcome when developing cybersecurity governance can prove challenging.

What is cybersecurity governance?

Definition of cybersecurity governance

Frameworks such as ISACA's COBIT offer their own definitions of cybersecurity governance. In the ISO/IEC 27000 family, ISO/IEC 27001 sets out the requirements for an ISMS (Information Security Management System), while governance of information security has its own standard, ISO/IEC 27014:2020. In it, the ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) define information security governance as "concepts, objectives, and processes [...] by which organisations can evaluate, direct, monitor, and communicate the information security-related processes".

Cybersecurity governance now forms a large part of business conversations, because the stakes have become the responsibility of the highest levels of an organisation. While IT security once fell under the remit of technical and operational teams, higher levels of management are now involved, with key players such as CISOs, CIOs and CROs bringing the subject to senior and general management.

To summarise, cybersecurity governance represents all the decisions that an organisation must make in order to secure its IT and information systems.

What is the use of information security governance?

Cybersecurity governance should, before anything else, focus on managing cyber risk: anticipating potential threats in order to estimate and limit future financial loss. How much loss is acceptable depends largely on a given company's risk tolerance, that is, the undesirable outcomes (financial losses) it is willing to suffer.

At C-Risk, we recommend analysing risk on quantified, mathematical criteria, such as those laid out by the FAIR™ (Factor Analysis of Information Risk) standard. The resulting actions taken to manage a given cyber risk fall into four categories: accepting it, avoiding it, reducing it, or transferring it. [1]
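To show what "quantified criteria" look like in practice, here is an added example, not C-Risk's tooling nor a reference implementation of the FAIR standard. It applies FAIR's top-level decomposition (risk = loss event frequency x loss magnitude, with loss event frequency = threat event frequency x vulnerability) in a Monte Carlo simulation, then compares three of the four treatment options against a risk tolerance. All inputs are assumptions: the (min, most likely, max) estimates, the choice of triangular and Poisson distributions, the insurance terms and the tolerance figure are constructed for illustration.

```python
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass

# Each estimate is a (min, most likely, max) triple, as a calibrated expert
# would give it. The figures used below are constructed for illustration only.
Estimate = tuple[float, float, float]


@dataclass(frozen=True)
class FairScenario:
    """FAIR-style decomposition: Risk = Loss Event Frequency x Loss Magnitude,
    with Loss Event Frequency = Threat Event Frequency x Vulnerability."""
    name: str
    tef: Estimate             # threat events (attempts) per year
    vulnerability: Estimate   # probability an attempt becomes a loss event, 0..1
    loss_magnitude: Estimate  # loss per loss event, in EUR


def _tri(rng: random.Random, est: Estimate) -> float:
    low, mode, high = est
    return rng.triangular(low, high, mode)  # stdlib argument order is (low, high, mode)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small yearly event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate(scenario: FairScenario, years: int = 10_000, seed: int = 7,
             insurance: tuple[float, float] | None = None) -> list[float]:
    """Monte Carlo over `years` simulated years; returns the loss retained each year.
    `insurance` = (deductible, limit) is applied to the yearly aggregate; this is a
    simplifying assumption, as real policies often apply per event with exclusions."""
    rng = random.Random(seed)
    retained = []
    for _ in range(years):
        lef = _tri(rng, scenario.tef) * _tri(rng, scenario.vulnerability)
        events = _poisson(rng, lef)
        loss = sum(_tri(rng, scenario.loss_magnitude) for _ in range(events))
        if insurance:
            deductible, limit = insurance
            loss = min(loss, deductible) + max(0.0, loss - deductible - limit)
        retained.append(loss)
    return retained


def summarize(losses: list[float]) -> dict[str, float]:
    ordered = sorted(losses)
    pct = lambda q: ordered[min(len(ordered) - 1, int(q * len(ordered)))]
    return {"mean": statistics.fmean(ordered), "p50": pct(0.5),
            "p90": pct(0.9), "p99": pct(0.99), "max": ordered[-1]}


def analytic_mean(scenario: FairScenario) -> float:
    """Closed-form expected annual loss, used to sanity-check the simulation:
    E[TEF] * E[Vuln] * E[LM], each triangular mean being (min + mode + max) / 3."""
    m = lambda e: sum(e) / 3
    return m(scenario.tef) * m(scenario.vulnerability) * m(scenario.loss_magnitude)


def within_tolerance(summary: dict[str, float], tolerance: float, at: str = "p90") -> bool:
    """Risk appetite stated as: retained loss at the chosen percentile must not exceed tolerance."""
    return summary[at] <= tolerance


# Constructed scenario: ransomware delivered by phishing at a mid-size company.
BASELINE = FairScenario("baseline", tef=(2, 6, 12), vulnerability=(0.10, 0.20, 0.40),
                        loss_magnitude=(20_000, 80_000, 400_000))
# "Reduce": phishing-resistant MFA and patching lower the chance an attempt succeeds.
REDUCED = FairScenario("reduced", tef=BASELINE.tef, vulnerability=(0.02, 0.05, 0.10),
                       loss_magnitude=BASELINE.loss_magnitude)
TOLERANCE_EUR = 500_000  # assumed board risk appetite at the 90th percentile

if __name__ == "__main__":
    runs = [("accept (baseline)", simulate(BASELINE)),
            ("reduce (lower vulnerability)", simulate(REDUCED)),
            ("transfer (insurance: 50k deductible, 1M limit)",
             simulate(BASELINE, insurance=(50_000, 1_000_000)))]
    for label, losses in runs:
        s = summarize(losses)
        print(f"{label:48s} mean={s['mean']:>10,.0f}  p90={s['p90']:>10,.0f}  "
              f"p99={s['p99']:>10,.0f}  within tolerance: {within_tolerance(s, TOLERANCE_EUR)}")
    print(f"analytic mean for baseline: {analytic_mean(BASELINE):,.0f}")
```

The point of the percentiles is that a board does not decide on the mean alone: "reduce" lowers both the expected loss and the tail, whereas "transfer" leaves the frequency untouched and only caps the retained magnitude, so the two options answer different questions about risk tolerance.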

Who should be involved in IT governance?

As explained above, and as the name suggests, cybersecurity governance falls first and foremost under the remit of senior management. Executive committees and boards of directors are the central decision-makers. Although CIOs are no longer the central players in cybersecurity governance, they still play a key role in raising awareness and supporting company directors.

No business really escapes the need to define its information security governance: since its aim is to anticipate and regulate cyber risk, it affects companies of all sizes.

Let us not forget that cyberattacks have risen sharply since 2020, and that as early as 2018 CESIN research showed that 92% of businesses had experienced at least one cyberattack. The significance for small businesses cannot be overstated: they are the structures least likely to be well protected, which makes them easy targets for hackers and other cybercriminals.

Cybersecurity falls under the jurisdiction of general management

Why implement cybersecurity governance?

CESIN's research published in February 2021 shows that the most important challenge businesses identified in 2020 was integrating effective cybersecurity into governance: 60% of participants in the study said it was the most important factor, and 72% said they were more confident when high-level management took charge of the topic.

Indeed, implementing cybersecurity governance places IT at the heart of company strategy, thereby making it more logical to invest in other related areas:

  • employee awareness around cyber risk and how human vulnerabilities contribute;
  • allocating sufficient resources to cybersecurity;
  • increasing dedicated staff;
  • acquiring software that better protects the company from cyberattacks (this was cited as desirable by 85% of CESIN participants).

That being said, developing effective cybersecurity governance brings with it its own network of challenges, such as:

  • the fear that a cybersecurity policy will slow down company digitalisation;
  • the constant updating and renewal of regulations, forcing regular updates to IT security governance;
  • a shortage of cybersecurity professionals;
  • a delay in uptake due to COVID-19 lockdowns and restrictions;
  • the fact that CISOs' budgets and resources are stretched thin and CIOs' teams are under-staffed;
  • the under-funding of departments dedicated to IT security;
  • analysis methods that are too subjective and therefore biased.

Cybersecurity governance requires collaboration between several partners

Implementing cybersecurity governance

The risk management method that C-Risk uses relies on companies' willingness to move away from subjective, and therefore imprecise, approaches to managing risk. Applied to cyber governance, it lets IT policy decisions be guided by quantified probabilities of cyber-risk-related financial loss.

This method breaks up the responsibility for cybersecurity governance into three “lines of defence”:

1) The first line of defence consists of defining the limits of operational responsibility for cyber risk. Generally, this covers the owners of business processes and the teams that operate and technically monitor the IT system. It deals with day-to-day incident detection and prevention; it sometimes also covers company risk and vulnerability analysis and the monitoring of the controls operated by that first line, a function that serves as the point of contact between the first and second lines of defence.

2) The second line of defence covers managerial roles involved in internal cyber risk management, as well as questions around legal compliance. It is responsible for defining the policies, processes, and standards used. It is also at the centre of checking and monitoring the actions of the first line of defence. Generally speaking, the second line of defence covers the roles and responsibilities of the CISO and DPO (data protection officer).

3) Internal and external audit make up the third line of defence against cyber risk. In practice, this is an independent validation of the first and second lines of defence, carried out under the authority of senior management every six months or every year.

These three categories of partners interact with each other to define solid IT security governance – policies and procedures capable of detecting, preventing, and responding to cyber incidents, in order to limit any damaging consequences.

C-Risk’s vision of cybersecurity governance lines of defence

FAQ

Cybersecurity governance is governance dedicated to IT security and protection from cyberattacks. We talk about ‘governance’ because cyber risk is a major challenge in 2022 which concerns businesses of all types and sizes, therefore requiring an overarching policy.

Cyber risk has become a strategic issue for businesses. It is no longer a matter for individual departments, so it is necessary to adopt IT security policies capable of covering both the legal and the financial stakes.

GRC (Governance, Risk, Compliance) is a global approach to risk, overlapping with its implications in terms of company strategy and regulatory compliance. This makes it a perfectly adapted approach for managing cyber risk.