Implementing Cybersecurity Governance.
The FCA (Financial Conduct Authority) have provided a guide on cybersecurity governance as a key practice for regulated firms to implement. What best practices should your organisation follow?
The Financial Conduct Authority (FCA) have once again reinforced their commitment to cybersecurity through the publication of an industry insights document. The aim of the document is to improve cybersecurity practices amongst regulated organisations.
The document provides insights around best practices and experiences throughout a range of areas, the first of which is cybersecurity governance. At 2|SEC Consulting we agree that governance is a key element of a cybersecurity strategy, and we actively support FCA regulated organisations in implementing cybersecurity governance best practices.
In this blog post we will talk about the best practices highlighted in the FCA’s document. Our aim is to put your organisation in the best possible position to implement good cybersecurity governance throughout the organisation.
Top-down Approach
Putting cybersecurity on the agenda requires educating the board on the importance of good cybersecurity governance. This should be placed in the context of the continuing financial success of the firm in terms of the financial, operational and reputational impact of any breach.
Awareness is important, but education needs to remain clear and to the point: in our experience we’ve found that implementing good cybersecurity governance is 20% education, and 80% buy-in. You will need examples to back up the importance of cybersecurity governance – as the FCA guidance advises, you should use case studies and incidents reported in the media to highlight potential risks and help executives link these risks to their business. You should also back this up with compliance success rates with different standards and regulations for other organisations in your sector.
Executives will always ask ‘why should we bother?’, and you need to be able to make them aware of current risks and relate these to your business to highlight their relevance. In order to support this dialogue, we highly recommend employing the services of a Chief Information Security Officer (CISO).
Whether it’s in house or virtual, a CISO will enable you to review your business processes and ensure that each risk is ‘owned’ by a named executive. Your CISO should be backed up with a governance, risk and compliance (GRC) tool that presents a ‘scorecard’ for your organisation and allows you to understand and prioritise risks. This will enable you to present this back to the board in a clear and digestible dashboard format.
Keeping it Simple
We can’t emphasise enough the need to use clear language when articulating cybersecurity risks and best practices. The simple fact is that cybersecurity is not the most exciting subject for many people, so anything you can do to make education and awareness more engaging and less of a bore should be considered.
There are many cybersecurity providers who can advise you on best practices and help you to implement effective programmes that will allow you to engage and train your staff in the importance of cybersecurity and how they can help to protect your business. You need to be clear on objectives and deliverables and ensure that the CISO reports not just into the senior management team in IT or the CIO, but into a senior business owner who owns the biggest risk areas in the business.
In addition, cybersecurity champions within each business area are a great way to move cybersecurity governance up the business agenda. You should allocate responsible owners within each operating location and business area; they will help influence their departments and management and drive cybersecurity discussions and engagements.
Think Big Picture
There are many different types of malicious actors that can potentially target your organisation, and as they say, one size does not fit all. In insurance, for example, fraudsters are a key threat, alongside amateur attackers. Larger financial institutions, meanwhile, are more likely to be targeted by hostile nation states, organised criminal gangs and activists. Ensure that your governance strategy fits with the wider context of your organisation and tackles the most prevalent and relevant threats. Managing your biggest risk areas is key here.
When it comes to the links between risks and controls, we advise against over-engineering the measures you put in place – it’s an old cliché, but cybersecurity budgets can be hard to secure, and you shouldn’t spend £200,000 fixing a £20,000 problem.
Standards such as ISO 27001 and Cyber Essentials Plus provide good practice frameworks, allowing you to benchmark your firm’s cybersecurity maturity and posture. Just remember that these standards provide minimum best practice measures only: attaining one or more standard or regulation does not in itself make your firm secure.
Implementing Cybersecurity Governance
The cybersecurity threat landscape is constantly shifting. Cybersecurity governance is a key aspect of any business’s security preparedness, and to implement governance throughout your firm you will need representation and engagement from the top down.
If there is one thing we’d like you to take from this blog, it’s that all firms should have a CISO or virtual CISO (vCISO) in place. Your organisation needs a dedicated resource with no conflict of interest to hold security responsibilities and protect you against both external malicious activity and insider threats.
You can find out more about our own vCISO services, delivering experienced, senior security professionals into security conscious organisations, by getting in touch with us: firstname.lastname@example.org.
Written by Parminder Lall, Director of Cyber Security of 2|SEC Consulting.