Cybersecurity by Committee

Last week, I discussed exercising board-level oversight of your cybersecurity program by bridging the gap between tactical operations and organizational strategy. As a reminder, COSO has five guiding principles; we are in the first one, Governance and Culture, which has five points:

  1. Exercise Board Risk Oversight

  2. Establish Operating Structures

  3. Define Desired Culture

  4. Demonstrate Commitment to Core Values

  5. Attract, Develop and Retain Capable Individuals

This week, we are going to discuss how cybersecurity applies to that second point: Establish Operating Structures.

What does this mean for YOU? For cybersecurity risk to be treated as an enterprise risk rather than an IT risk, cybersecurity teams cannot operate in a vacuum. Establishing a cybersecurity steering committee is NON-NEGOTIABLE. Do whatever you can to fight for it!

This fight actually happened to me. In a prior role, I was strongly discouraged from creating such a committee. I was new in my job and I didn’t think I had enough political capital to win. To this day I regret that as one of my biggest career failures because of the negative snowball effect that it had during my tenure.

Please. Learn from my mistake and FIGHT… tactfully, of course!

The cybersecurity steering committee should consist of a representative from each business unit that includes, but is not limited to, executive leadership, IT, finance, legal, HR, accounting, sales, marketing, operations and any other business unit appropriate for your organization. The committee should be chaired by the CISO (or equivalent) to provide a forum for two-way communication between the various business units and cybersecurity.

This allows the cybersecurity team to:

  • Gain an understanding of the critical data or processes that must be protected for each business unit,

  • Solicit input from the business when proposing new security controls, and

  • Review new and existing risks and their treatments along with the risk owners. 

Implementing and enforcing security controls is much more effective when cybersecurity is done with and not to the business.

A vital benefit of the steering committee is bringing diversity of thought to various security issues. Through this steering committee, the cybersecurity team can be a business enabler instead of posing as a roadblock.

Here is an example.

The sales team might state that they cannot get easy access to customer records and notes in the organization’s customer relationship management (CRM) system while on the road. IT may then propose moving to a SaaS solution or enabling a mobile solution via mobile application management (MAM). The cybersecurity team can discuss what investments will be required to secure the proposed solutions consistent with the corporate risk appetite, and executive leadership can be made aware of the investment required to implement a complete solution.

Here are four things you can do right away.

1. Be sure to establish the charter, mandate, and scope of your committee.

  • Ensure that the committee has a mission and that its scope and responsibilities are clearly defined,

  • Establish an executive champion (someone on the executive leadership team other than the CISO),

  • Identify and define who the committee chair is (the CISO or equivalent), and

  • Clearly identify the committee members.

2. Establish a meeting cadence and stick to it.

  • I find that cybersecurity steering committees are most effective if they meet monthly, but I have encountered anything from bi-weekly to quarterly meetings.

  • Do what is best for your organization, but at a minimum, cybersecurity steering committee meetings should happen before board meetings so that the committee can jointly prepare a brief that may be presented to the board.

3. Spread knowledge throughout the steering committee.

  • If the CISO leaves, you don’t want all of the knowledge regarding the cybersecurity program going out the door with that person. Develop a succession plan and manage continuity. This will also help ensure that other committee members are engaged.

4. Communicate, communicate and communicate.

Develop a strategy for sharing the non-sensitive outputs of the steering committee to the rest of the company. For instance, you wouldn’t want to disclose a critical cyber-risk to the entire organization, but you do want to broadcast when a new policy is approved and published. 

In the next video, I’ll discuss the third COSO point under Governance and Culture – Define Desired Culture.

As always, I love your comments, and if you want to have a direct conversation, please shoot me a message and we’ll set something up.
