What does it mean for Directors?
In an era where cybersecurity is a top concern for businesses, many still fail to implement essential security measures. The proposed Cyber Governance Code of Practice aims to change this, providing a framework for directors to manage cyber risks effectively.
Background
Few companies today could operate for long, if at all, without the IT on which they depend. Even short of such a doomsday scenario, a leak of sensitive customer data causes reputational damage that can have long-lasting effects on a company’s financial results. It is therefore little surprise that most organisations rank cyber security among their top five risks and expect their cyber risk management budgets to increase.
Despite this recognition, fewer than half of medium-sized UK companies have implemented the security controls the National Cyber Security Centre recommends to guard against the most common and basic cyber threats.
However, knowing that cyber risk is important and knowing what to do about it are two entirely different things. Boards are hampered by complex digital estates combined with a lack of organisational cybersecurity knowledge and difficulty quantifying the return on cyber risk investments.
Introducing the Cyber Governance Code of Practice
“A cyber governance Code of Practice would formalise government’s expectations of directors for governing cyber risk as they would with any other material or principal business risk.”
Bodies like the NCSC have published guidance aimed at boards of directors before; however, take-up has been limited. The Code of Practice brings together the governance areas that directors need to take ownership of in one place. While it would initially be a voluntary tool, it will likely become embedded within other regulatory frameworks, such as GDPR and NIS, in the future. Thus, it is something Directors will need to take seriously.
The contents will be no surprise to anyone with any familiarity with cyber security governance, but I’ll briefly summarise them as follows:
- A: Risk Management: Know what you are trying to protect and assess the cyber security risks that apply to those assets. Consciously choose the acceptable risk level and manage these risks, including those of your suppliers.
- B: Cyber strategy: Develop a strategy with allocated budgets, projects and people to achieve an acceptable level of risk.
- C: People: Ensure security is part of the company culture, backed by policies and training.
- D: Incident planning and response: Know what you would do to recover from an incident, and test it to give confidence it would work.
- E: Assurance and oversight: Have sufficient assurance processes to ensure the above actually happens.
Where to start?
Anyone following the cyber security news will quickly discover that new vulnerabilities are regularly found in commonly used products. Thus, the answer to whether a company has any vulnerability is ultimately “Yes”. The real question is how easy those vulnerabilities are to find and exploit, and how much time, effort and money attackers are likely to invest in exploiting your organisation.
Therefore, these days, we like to talk about cyber security “resilience”. Recognising that complete prevention is impossible, cyber security is about managing those risks and, if an incident does occur, responding appropriately to minimise the impact.
Good security governance is thus about thinking consciously about these risks: understand the data you are trying to protect and the impact an incident could have, and then decide what reasonable steps to take to reduce the likelihood it occurs or the pain if it does. Managing these risks necessarily requires an understanding of the threat landscape and of detailed technical security controls. However, for organisations with minimal IT, frameworks like Cyber Essentials can help by defining “reasonable steps” to mitigate the threats that all organisations will face.
For more complex organisations, those in regulated industries, or those developing their own applications, a more rigorous approach to risk assessment, identification and management is undoubtedly necessary, and guidance from the relevant regulator should form part of that thinking.
Conclusion
I’m hopeful that a Code of Practice will give boards a common language and framework when discussing cybersecurity risk governance. Aligning guidance and regulatory frameworks around the code will help make it easier to decide what actions to take and what good practice looks like. Directors should also note it marks a line in the sand as to what is expected of boards, and thus will no doubt be considered by bodies such as the ICO when breaches occur.
We’re always happy to talk if you’d like help or advice, so feel free to Contact Us.
Further Reading: