[McKinsey] A framework for improving cybersecurity discussions within organizations

Clear and frequent communication is essential but often lacking in companies’ cybersecurity programs. Here’s how security professionals can create tighter bonds with some critical stakeholders.

The entire world is going digital; virtually every type of cross-border business transaction now has a digital component. Companies’ use of digital technologies is opening them up to new relationships with customers and business partners, and new business opportunities. But, as recent headlines have made clear, the very act of connecting to the outside world increases organizations’ risks exponentially—of project failure, of data breach, or worse.

Cybersecurity trust gaps can exist on many levels across the corporate ecosystem.

Trust among business stakeholders is a necessary component of digitally resilient cultures; without it, organizations will have a difficult time successfully shielding the customer data that nowadays is so critical for achieving business goals. The board needs to trust that senior management has a long-term view of cybersecurity, with a strategic road map and plans in place to adequately protect information assets and IT systems, regardless of where and how new threats emerge. The business units, the IT organization, and the cybersecurity team need to trust one another enough to get to a mutual agreement about how security protocols can be integrated into daily business processes without creating operational challenges and frustrations. Companies need to have faith that external partners—for instance, cloud vendors—are willing and able to protect shared data and infrastructure. And finally, government agencies need to trust that companies are proactively reporting breaches and sharing information that could help them spot and thwart major cyberincidents, particularly those spanning multiple industries and countries or involving state-sponsored attacks.

Trust among these stakeholders is often missing for a number of reasons, including conflicts of interest and lack of insight into the complicated technologies and concepts associated with cybersecurity. If business and technology professionals don’t have a common understanding of cybersecurity issues, for instance, they may never properly execute security protocols, and their adoption of even the latest and greatest technologies may never yield the desired results.

Trust gap 1: The board and the C-suite

The dynamic between board directors and the senior management team can be fraught for any number of reasons, but first on the list is that cybersecurity is usually not a top item on many board-meeting agendas; often it is presented as part of a larger discussion of IT issues, if it is mentioned at all. Many board directors therefore tend to be less informed about cybersecurity technologies and issues than they may be about standard financial and operational issues—apart from what they read in newspapers about the latest corporate or government security breach. They come to the table with questions about the company’s cybersecurity programs. For instance, are the company’s most critical assets being adequately protected, and is there a robust response-and-recovery plan in place if a breach does happen? Who actually owns the cybersecurity agenda, and does that individual or team have the appropriate level of power and influence to mobilize the required resources?

A trust gap develops when senior management falls short in answering these questions. In some cases, the senior-management team may not be able to properly opine on governance issues because it has not clearly defined owners for particular cybersecurity issues and activities—for instance, who should manage safety training modules: the leaders in the business units, or in IT? The senior-management team may not have the right data in hand to properly quantify the current levels of risk the company faces and present a comprehensive mitigation plan to the board. Or the members of the C-suite simply may not communicate with the board often enough when it comes to cybersecurity issues: despite the fact that transparency is a new norm in most companies, our research suggests that only 25 percent of companies present IT security updates to the board more than once a year, and up to 35 percent of companies report this information only on demand.

Finding common ground

Members of the C-suite need to create more transparency and forge stronger communication with board directors. Senior leaders should formally assess the maturity of their cybersecurity programs regularly and present their findings to the board at least annually but preferably even more frequently. This exercise should involve a structured consideration, by members of the senior-leadership team and others in IT and the business units, of the severity and likelihood of attacks on major corporate assets. For instance, which internal and external threats are the biggest, and what is the business value at stake (Exhibit 2)?

Companies should continually monitor assets for the likelihood and potential severity of cyberattacks.

Through this process, the C-suite can develop a dashboard or regular reporting mechanism to inform the board about past and present levels of risk and the potential effects of risk on the company. Such dashboards and reports should use clear, simple language rather than the acronyms often favored in technology discussions. And they should always include impact statements: What are the financial, operational, and technological implications of emerging threats to the business? By establishing regular reports about cybersecurity, the C-suite can signal the importance of the topic to the board—and the need to set cybersecurity apart from the board’s review of general IT initiatives.

Trust gap 2: The business units and the IT organization

For their part, cybersecurity teams may get frustrated with business colleagues who complain about these perceived inconveniences and don’t recognize the important role they play in defending digital business assets. When cybersecurity teams grant data- and system-access rights to employees, they must trust that individuals will act appropriately. The IT group expects employees to be generally aware of how corporate systems work, how their actions online are traceable, and how to safeguard their credentials and information. But, in fact, company insiders can pose significant cybersecurity risks. One cybersecurity study noted that 60 percent of all cyberattacks in 2015 involved insiders, an increase of 5 percentage points from the previous year.1

Bulking up training efforts

To help close the trust gap between the IT and cybersecurity function and the business, the organization can provide comprehensive cybersecurity training to staffers at all levels. This might include dedicated town-hall meetings, workshops, and training modules focused on identifying varying types of cyberthreats and outlining appropriate responses when employees witness suspicious activity.

Such training can help business-unit employees understand the rationale for cybersecurity protocols and raise their awareness. Even more important, it can signal to the business units that cybersecurity is a shared responsibility. Anyone who has access to confidential data and systems, at whatever level, must play an active role in ensuring their safety.

Companies may also want to develop mechanisms by which IT and cybersecurity professionals can learn more about the implications of any security initiatives on business operations. For instance, some companies are deploying a talent-factory model that encourages cybersecurity professionals to work in other areas of the company in short rotations to broaden their perspectives. Their assignments may be focused on learning more about technology topics outside the security area—for instance, network management, core IT infrastructure, and application development. In an ideal world, cybersecurity team members would be embedded in business units to learn more about product management, public affairs and communications, or finance. The result is often more knowledge sharing and better communication among teams.

The cybersecurity and IT groups should use all available tools and technologies at their disposal to learn as much as they can about people and processes, thereby creating more transparency about security issues. They should establish clear policies outlining which employees at which levels can call up which categories of data, and when. Where permissible, they can back up these policies with a comprehensive identity-and-access management system—a rules-based platform that automatically monitors online activities, approves access rights, and issues alerts. Additionally, where permissible, they may use predictive analytics to identify risks before breaches can occur—for instance, using network information and log-in data to identify potentially malicious actors and activities inside the company.
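As an added illustration (not code from the McKinsey article), the following sketches the kind of rules-based check the paragraph describes: a policy stating which roles may read which data categories during which hours, evaluated over access-log lines, with alerts for out-of-policy reads and for repeated credential failures. The roles, categories, thresholds and log format are constructed assumptions, not any specific product's API.

```python
# Constructed example: rules-based access policy plus alerting over log lines.
from datetime import datetime

# role -> {data category: (first allowed hour, hour the window closes)}
POLICY = {
    "analyst": {"internal": (8, 18)},
    "manager": {"internal": (8, 20), "confidential": (8, 18)},
    "security": {"internal": (0, 24), "confidential": (0, 24), "logs": (0, 24)},
}
FAILED_LOGIN_THRESHOLD = 3  # alert once a user reaches this many failures

# Constructed sample log lines: "<ISO timestamp> key=value ..."
SAMPLE_LOG = """\
2024-03-05T09:15:00 user=alice role=analyst category=internal result=ok
2024-03-05T02:14:00 user=bob role=manager category=confidential result=ok
2024-03-05T10:00:00 user=carol role=analyst category=confidential result=ok
2024-03-05T23:05:00 user=dave role=security category=logs result=ok
2024-03-05T11:00:00 user=erin role=analyst category=internal result=fail
2024-03-05T11:00:20 user=erin role=analyst category=internal result=fail
2024-03-05T11:00:40 user=erin role=analyst category=internal result=fail
"""

def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["when"] = datetime.fromisoformat(ts)
    return event

def is_permitted(role, category, when):
    """True only if the role is allowed the category and the hour is in its window."""
    window = POLICY.get(role, {}).get(category)
    return window is not None and window[0] <= when.hour < window[1]

def evaluate(log_text):
    """Return alert strings for out-of-policy reads and repeated login failures."""
    alerts, failures = [], {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e["result"] != "ok":
            failures[e["user"]] = failures.get(e["user"], 0) + 1
            if failures[e["user"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"{e['user']}: {FAILED_LOGIN_THRESHOLD} repeated credential failures")
            continue
        if not is_permitted(e["role"], e["category"], e["when"]):
            alerts.append(f"{e['user']} ({e['role']}) read {e['category']} at {e['when']:%H:%M}, outside policy")
    return alerts
```

Running `evaluate(SAMPLE_LOG)` flags the manager's 02:14 read of confidential data, the analyst's read of a category the role is never granted, and the third failed login, while the security team's off-hours access to logs passes because the policy allows it.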

Trust gap 3: The company and its vendors

The relationship between companies and their technology and supply-chain vendors has always been complex. Just as consumers rely on companies to keep their data safe and to use them only in ways that they have authorized, businesses must trust their IT and supply-chain vendors to hold competitive information close to the vest. Automakers, for instance, would need to be confident that their OEMs have enough cybersecurity controls in place to protect the intellectual property they are sharing.

This is especially true in an era in which more and more companies are outsourcing the management of their IT infrastructures or their cybersecurity operations. Businesses need to be assured that the access they provide to vendors and the offerings they get from vendors can be integrated with existing systems without opening up any security holes.
