Cybersecurity governance refers to the component of an organization's governance that addresses its dependence on cyberspace in the presence of adversaries. The ISO/IEC 27001 standard, from the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), defines cybersecurity governance as "the system by which an organization directs and controls security governance, specifies the accountability framework and provides oversight to ensure that risks are adequately mitigated, while management ensures that controls are implemented to mitigate risks."
Traditionally, cybersecurity is viewed as a technical or operational issue to be handled within the technology function. Cybersecurity needs to transition out of a back-office operational role and into its own area aligned with law, privacy and enterprise risk. The chief information security officer (CISO) should have a seat at the table alongside the CIO, COO, CFO and the CEO. This transition enables the strongest component of any cybersecurity governance program -- the "tone at the top."
This will help the C-suite understand cybersecurity as an enterprise-wide risk management issue -- along with the legal implications of cyber risks -- and not solely a technology issue. In turn, the C-suite can set the appropriate tone for the organization, which is the cornerstone of any good governance program. Establishing the right tone at the top is much more than a compliance exercise. It ensures that everyone is working according to plan, as a team, to deliver business activities and protect assets within the context of a risk management and security strategy.
Historically, cybersecurity was managed by implementing a solution to solve a problem or mitigate a risk. Many cybersecurity departments have technical security safeguards, such as firewalls or intrusion detection, but often lack basic cybersecurity governance policies and processes. Where they do exist, policies or processes are often outdated or ignored.
Additionally, many cybersecurity departments have poor or inadequate enterprise-wide cybersecurity training and awareness programs that fail to address all levels of an organization. As many recent breaches have shown, organizations have inadequate hardening and patching programs. Poor access-control practices are also problematic: uncontrolled group passwords, shared accounts, proliferated admin privileges, shared root access and the absence of an authorization process (except at a low operational level).