Cybersecurity is a business risk and not just an IT problem

Paul Proctor, Distinguished VP Analyst, Gartner.

Shared responsibility for cybersecurity and its impacts will come about when CIOs and CISOs equip the business to actively participate in decision making.

The past two years have seen a drastic uptick in major cybersecurity events, from Colonial Pipeline and SolarWinds to the JBS meat production company. Given the high cost and high frequency of cyberbreaches, 88% of boards of directors now acknowledge that cybersecurity is a business risk and not just an IT problem — up from 58% just five years ago.

Yet organisations have not changed the culture of accountability to reflect these updated views. The CIO or CISO still carry primary responsibility for cybersecurity in 85% of organisations that responded to the Gartner View From the Board of Directors Survey 2022.

CIOs must rebalance accountability for cybersecurity so that it is shared with business and enterprise leaders. The CIO or CISO is thought of as the ultimate decision maker and authority for protecting the enterprise's security, but in practice business leaders make decisions every day that affect the organisation's security. They should share accountability for it.

To facilitate the shift toward a shared responsibility model for cybersecurity, be proactive and work with your board to establish governance models that share responsibility, and with business leaders to create a program of controls that balances protection with business needs. Begin with a short-term exercise of assessing the current state of cybersecurity as a business issue, followed by a longer-term set of actions to define a new shared-accountability governance model.

Here are five questions to assess the current state of cybersecurity as a business issue. These questions can give you an initial sense of how prepared the business is to share responsibility with IT for cybersecurity:

#1 Can the organisation make risk-informed decisions without facilitation from security personnel?

#2 Can IT explain the business value of each security control?

#3 What do the metrics related to the organisation's security controls reflect: the levels of protection (a technology perspective) or the operational functions those controls support (a business perspective)?

#4 What proportion of time on security decision making is spent on fear, uncertainty and doubt compared with business goals?

#5 Is the security programme defensible with customers, shareholders and regulators?

With clarity about how ready your organisation is to share cybersecurity accountability, you can take steps to involve other business leaders in decisions and trade-offs.

Share cybersecurity decisions

Present the available options related to cybersecurity approaches and investments, and include the risks and costs associated with each. Providing information and involving business leaders in the decision makes them more likely to accept responsibility.

Optimal balance of risk, value, cost

Help prioritise cybersecurity investments by measuring the amount of value each business unit produces in relation to their readiness to address known risks, as well as the cost of doing so. Create a visual matrix to enable fast, cross-business-unit comparisons.

Credibility to motivate accountability

Focusing on shared goals will go far in fostering communication and collaboration with business-side partners.
