In April 2023 the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, released a discussion draft of the proposed version 2.0 of the NIST Cybersecurity Framework (CSF). The NIST CSF helps businesses better understand, manage, and reduce their cybersecurity risk to protect their data, systems, and key business processes from cyberattacks. NIST CSF is one of several frameworks used across the U.S. and globally as a basis for assessing risk, and the current version uses five "functions" (identify, protect, detect, respond, and recover) to evaluate the key controls for a resilient organization. The new version 2.0 adds a sixth function, govern, emphasizing the critical role governance plays in cybersecurity.

Cybersecurity governance is the set of policies, processes, and practices that define how a firm manages and oversees its cybersecurity strategy. Governance provides a framework for defining roles, responsibilities, and decision-making processes related to cybersecurity, which helps to ensure that resources are properly allocated, risks are identified and mitigated, and compliance with regulations and standards is maintained.

The importance of governance for cybersecurity risk management can be summarized as follows:

  1. Provides a framework for accountability: Governance establishes clear lines of responsibility and accountability for cybersecurity within an organization. It ensures that everyone involved in managing cybersecurity risks understands their role and how it contributes to the overall cybersecurity strategy.
  2. Enables effective risk management: Effective governance ensures that cybersecurity risks are properly identified, assessed, and managed. It provides a structure for risk management that takes into account the organization’s risk tolerance, objectives, and priorities.
  3. Supports compliance with regulations and standards: Governance provides a framework for ensuring compliance with applicable laws, regulations, and standards. It helps to ensure that cybersecurity controls are implemented in a consistent and effective manner, and that the organization is prepared for audits and assessments.
  4. Facilitates communication and collaboration: Governance establishes clear channels of communication and collaboration between different parts of the organization, including IT, legal, human resources, and management. This helps to ensure that cybersecurity risks are properly understood and addressed across the organization.
  5. Provides a basis for continuous improvement: Governance establishes a framework for continuous improvement of the organization’s cybersecurity posture. It enables regular review and assessment of cybersecurity policies, practices, and controls, and ensures that necessary adjustments are made to address emerging risks and threats.

Governance is a critical component of cybersecurity risk management because it provides a framework for accountability, effective risk management, compliance, communication and collaboration, and continuous improvement. It ensures that cybersecurity risks are properly identified, assessed, and managed, and that the organization is prepared to respond to emerging risks and threats.

Governance is also at the heart of Agio's cybersecurity offering. For almost a decade Agio has offered Cybersecurity Governance Programs to our clients to ensure that proper governance frames any approach to cybersecurity risk management. Agio's governance approach includes regular governance meetings to review new threats; discuss current gaps, risks, and corrective action strategies; manage necessary compliance activities; review and update policies; and assess and test the effectiveness of cybersecurity policies and procedures. We understand that firms differ based on size, in-house technical capabilities, types of sensitive data managed, compliance and regulatory frameworks, geographic footprint, third-party relationships, and risk tolerance, so we build the governance program that is right for you.