Cybersecurity governance is an oft-neglected topic in organizations. It is often poorly understood because there is an aura of mystery around it. Many people convince themselves that they would never understand the technology, or it’s something “those IT guys” need to pay attention to.
While it may require IT skills to fight it out in the trenches with any hackers attacking your system, the process of governance is usually much more understandable and the responsibility of the board and executives, just like any other facet of business governance. Governance is about making the high-level rules that drive the behavior of your staff in order to protect your organization from cyber threats, so that most of the response is automatic and well-rehearsed, along with ensuring preventative measure are in place to avoid compromises in the first place.
In communicating this with executives, we sometimes resort to metaphors, and the most important metaphor for cybersecurity and its governance is that of the immune system. Your body’s immune system wages war against incoming viruses and pathogens continuously. You have a sophisticated set of biological systems that prevent infection and ward off illness, by attacking the invaders. Your skin acts like a network firewall against invaders. You have cells in your body that recognize invaders, much like antivirus programs. Your body learns how to defeat serious diseases by being vaccinated which simply tells your immune system what the “bad guys” look like. Similarly, in cyberspace, there are email filtering systems which exchange information (like a vaccination) about what malicious emails look like, so that they can be identified and quarantined from your users.
Most people don’t understand the details of their own immune system, they just know it works, and it works better if you are kept healthy, so they create policies for themselves that help them stay healthy, and similar policies can apply to cyber governance. If you have a rule to go to the gym three days a week to exercise, you have created a governance policy for yourself. Cybersecurity can work in the same way.
So here are some simple metaphors you can use to make sure you are putting the right governance policies in place for your IT systems:
Exercise Regularly – You have to train your muscles, so you need to train your people on cybersecurity. It is important to have education and testing programs that teach your employees how to avoid malicious emails, and scams which might be propagated by email, text, of phone. All employees should be trained on social engineering techniques that can be used against them. Your cyber professionals need to practice mock responses to potential attacks, such as though tabletop exercises. A healthy body that exercises can respond faster and more quickly to an illness. This metaphor translates to you cyber governance.
Get regular checkups – Most people know they do not have the expertise to diagnose and treat themselves. We go to doctors and other health professionals. These doctors run tests, observe symptoms, and sometimes intervene with treatments. The same logic applies to cybersecurity. You should regularly get your systems checked by outside cyber experts who can see if there’s an infection present, or if you are vulnerable in some way to a cyber-attack. The checkups in the form of risk analyses, IT audits, and penetration tests will give your organization the information and recommendation needed to stay healthy.
Get vaccinated – Vaccines quite literally tell your immune system what a dangerous virus looks like, so that it can destroy it in the future if it sees one. You need to justify some of the smart cyber systems to protect your network, like email filters, crow strike and the like, who share information with your systems so that they can identify and destroy malware, dangerous emails, and shield you from dangerous web sites.
Eat Correctly – The biggest thing about this point is that you have to feed your body and immune system to stay healthy. This is a no-brainer for healthy people, when applied to cybersecurity it means that you have to properly budget for cybersecurity, and realize it is an ongoing commitment for the organization, and not just a one-time event to get an audit or assessment. Allocate budget and think about the things you will spend it on to put yourself in the healthiest position.
Thinking about the steps you take to be healthy can help you think about your cybersecurity governance approach. By realizing you have to exercise your staff’s security awareness skill and response plans; get regular checkups from cybersecurity firms; inoculate your organization using products to better recognize threats; and properly plan budgets to stay healthy; you can learn to think about cybersecurity governance in terms of a more tangible model – keeping your organization healthy.