In Cybersecurity, Governance Trumps Technology

by Ray Hillen

I know it isn’t as sexy or even fun to talk about governance instead of talking about cybersecurity technology. However, a lack of, or just ineffective governance will do more to weaken your organization’s cybersecurity program than a failure to adopt the latest and greatest in cybersecurity technology.

A strong cybersecurity program, whether you are a hedge fund, hospital, retail chain or private equity firm, depends on governance to ensure broad participation among managers, executives and other key stakeholders, establish clear authority for all information resources, and enable fully informed decision-making as to what risks are acceptable and where strategic investments in cybersecurity are needed.

Progress toward effective governance may be slowed by three common misconceptions about cybersecurity:

    1. A “set it and forget it” mindset, which assumes that, if we put the right technology in place, our problems are solved for a while. Or if we just respond to the results of a penetration test, then we are done until next year’s audit. Unfortunately, cybersecurity occurs in an unpredictable, rapidly changing environment. It requires regular monitoring of internal events, external events, newly discovered vulnerabilities and ongoing evaluation of new procedures and solutions. New technology is also only one part of any security program. More than 70% of cyber-attacks, for example, come from individuals using relatively simple techniques like phishing. And over 80% of breaches leverage either stolen and/or weak passwords.

    2. Cybersecurity is IT’s concern. This attitude can be a major obstacle and we particularly see it in hedge funds and private equity firms. Your hedge fund or asset manager won’t be able to establish effective prevention and response processes without the participation of business unit managers and other stakeholders who help track information assets, uncover new weaknesses, and make strategic investment decisions. In addition, individuals at all levels can create problems by sharing passwords, not updating their devices, losing their laptops, accidentally emailing sensitive files, clicking on malicious links, and ignoring other security guidelines. 43% of data breaches are enabled by employees.

    3. You just need to spend enough money. There’s no question that substantial investments in cybersecurity are essential, but research by McKinsey & Co. shows no direct correlation between spending and the success of an organization’s cybersecurity program. The reality is few organizations have unlimited resources for cybersecurity and, with a shortage of professionals capable of getting the most out of new security technology, you may never be able to realize its full value. Strategic investment decisions will always be necessary.

What these three assumptions have in common is a desire to assign sole responsibility for cybersecurity to someone or something else.

Fortunately, governance gives us a powerful instrument for addressing these misconceptions by helping organizations learn what security really requires.

A Three-Pronged Approach

To establish effective governance, we recommend your cybersecurity program receive ongoing attention at three levels.

Weekly Meetings with Operational Staff

These meetings handle basic hygiene such as keeping up with high-risk vulnerabilities and reviewing data from your Managed Detection and Response systems to identify areas requiring action.

The cybersecurity team can also review what other companies in your industry are doing and go over information available from government agencies and other intelligence-based sources. In addition to seeing what steps others are taking, this helps keep your firm from lagging behind competitors and becoming the most attractive target for attackers.

Monthly Meetings with Key Stakeholders

Cybersecurity and risk decisions have to align with your firm’s business needs; this isn’t likely to happen if operations AND governance are handled primarily by cybersecurity and IT staff. Business unit managers and other stakeholders have to participate—and do so personally rather than sending delegates.

At our hedge fund, private equity and other asset management clients, we suggest monthly meetings to do the following:

  • Review, certify and update your firm’s data map with information about your firm’s information assets
  • Review any new business processes or “shadow-IT” activities that could create new exposures
  • Make sure the cyber event activity log is updated and incident response plans are updated as appropriate
  • Review intelligence-based risks to your firm, your industry and additional global threats
  • Decide where to make strategic investments in cybersecurity
  • Review and discuss your current corrective action plan from your most recent risk assessment

This also helps stakeholders and the cybersecurity team work together and develop ways to integrate cybersecurity procedures into work processes with minimal disruption.

Stakeholders see how the cybersecurity program really works and develop an appreciation for cybersecurity as a valuable risk management process that deserves their ongoing attention and firm resources.

Quarterly Meetings with Executive Team

Most senior executives at hedge funds and private equity firms understand that the responsibility for protecting an organization’s information assets ultimately resides with them; however, if they are not kept up-to-date, they might just assume others have it handled.

Beyond this oversight function, regular communication with executive leadership works to create buy-in. The entire organization needs to know that its leaders value cybersecurity and are actively involved in ensuring the right programs are in place and the right procedures are being followed to protect the organization.

We suggest that, at a minimum, executive teams (and boards if applicable) know the top risk areas and what risk mitigation measures are in place to address each of them.


Overall, your governance initiative should be comprehensive in scope, follow regular schedules to review security needs and processes, be evidenced by meeting minutes and involve the right people at the various management levels.

The efficacy of your cybersecurity program will be highly correlated to the rigor applied to cybersecurity governance.