Why Good Governance Starts With Strategy Not Technology for CNI Organisations

At heart, governance is a business issue. It might feel like governance is a tech issue, but at their core, information assurance and cyber security are business questions. They need to be solved by the Board, not just the IT team, or procurement.

For CNI organisations, cyber security needs a Board presence. Of course, the Cyber Assurance Framework (CAF) already demands a strategic approach to governance. Its Principle A1 Governance note says:

‘There should be an individual who holds overall responsibility and is accountable for security’[1].

But too often the senior information risk owner is the CFO. Despite their often limited cyber security experience, the finance chief is assigned the responsibility. The legal requirement may be met, but the business risk is not under control. So the responsibility and decision-making for security gets pushed down the chain.

Would other business critical issues be treated like this? Given the impact and cost of an incident for CNI organisations (and the country), it is surprising how these big risk decisions get passed down. As M&S observed earlier this year, it’s not just the ransom that is costly in a breach; it’s the cost of the management time and the repurposing of IT specialists that adds up. Most organisations would not allow this lack of Board oversight in other areas of the business.

As a counter to this, we’re seeing a rise in BISOs. Rather than sit the security responsibility under the CFO or even the CIO, we’re seeing smart organisations appoint a Business Information Security Officer to the Board. The BISO is someone with the seniority to communicate potentially unwelcome information to their peers. We know that any security assessment will raise issues and potential vulnerabilities. Without a specialist on the Board, organisations may find they don’t get the whole picture. Difficulties can be played down. Technical solutions are offered as a cure-all. Only with a senior expert can organisations be sure to be making a strategic decision about cyber security, and not a tactical technical one.

The Cyber Assurance Framework (CAF) will enforce good governance. Via the Cyber Security & Resilience Act, the CAF will become an enforcer. It already says organisations should be able to show ‘well-defined lines of responsibility and accountability for the security of network and information systems’[1]. We believe this ‘responsibility and accountability’ should start at the top of the organisation.

It’s time for CNI organisations to become secure-by-design. Strategic governance means seeing cyber risk as a board-level decision. It means assessing the risk, regularly, and acting on it. It means starting by making existing policies work, and filling in the gaps. It means training your people and understanding zero-trust, before implementing new technology. To do this, organisations need an experienced risk expert at the highest level. You wouldn’t let non-Board members make other strategic, multi-million pound decisions, so why leave cyber security to tactical decision-makers?

We believe that if the Board is properly informed and accountable, the country’s critical national infrastructure is more likely to be resilient. Good governance starts with good strategy.

Author: Paul Rose, CISO, Cyro Cyber.

[1] Principle A1 Governance - NCSC.GOV.UK
