For boards, the best cybersecurity defense is a good offense
August 22, 2023
Authored by RSM Canada LLP
Complex digital systems are the central nervous system controlling your company’s most vital assets and business outcomes. Their importance only magnifies the growing complexity and rapidly changing nature of cyber risk. As boards face significant cybersecurity governance, disclosure, regulatory, and legal challenges, they often find themselves playing defense.
Cyber risk transcends typical business risk. Familiar defensive measures and compliance requirements are necessary but alone do not constitute effective governance. Further, they are often communicated using technical language that lacks the business context boards should demand.
To effectively govern, boards must go on the offensive by taking a proactive approach that centers on three core areas.
By solidifying an organizational hierarchy with clear roles and responsibilities, an enterprise establishes a foundation for processes that proactively protect against cyber threats. This also creates a knowledge base among leadership to drive education and culture.
Boards can consider the following actions:
- Create a cybersecurity organization to fit the size of the enterprise. For smaller companies, that might mean outsourcing a chief information security officer (CISO). For larger enterprises, functions could be assigned to leaders of an in-house team, including a chief risk officer, chief information officer, or CISO.
- Appoint a chief cybersecurity officer to lead the team. This person should be a peer of the organization’s other executives, able to offer respected perspectives and directives across enterprise functions, and should have an independent reporting channel to executive leadership.
- Establish an internal management committee and a chartered board risk committee to oversee enterprise and cyber risk.
- Identify and evaluate existing baseline cybersecurity controls that impact all systems in the enterprise.
- Establish a cybersecurity framework and procedures based on the cyber risk committee’s recommendations. Start with the National Institute of Standards and Technology’s cybersecurity framework and modify it as needed.
Cyber risk is a form of systemic risk. Controlling it requires a working knowledge of underlying systems. Otherwise, risk protection tools and methods lack context and can be suboptimal. Enterprises need to be defined within the context of a system—a regularly interacting and interdependent group of elements, subsystems, and assets. For example, the elements of enterprise as a system (EAS) include assets and processes that interact with one another both internally and externally and with people.
Boards can govern the EAS with the following process:
- Phase 1: Produce a high-level business process map of the EAS using common business language.
- Phase 2: Produce a detailed business process analysis and board summary. Break down the larger Phase 1 elements to better understand overall processes and interactions. Approach these elements incrementally based on relative importance.
- Phase 3: Utilize outside advisors to identify and determine the efficacy of relevant cybersecurity controls against the specific elements identified in Phase 2. Provide recommendations to the board to remediate gaps.
- Phase 4: Develop and articulate the risk appetite, risk indicators, and associated thresholds that the enterprise accepts in pursuit of value. Optimize the EAS to reduce the threat landscape and improve control efficiency, adjusting the use of cybersecurity tools accordingly.
Through these phases, the board and other executives share a contextualized picture of the EAS in understandable business language. The EAS should be reevaluated whenever changes are introduced, such as new digital systems or mergers and acquisitions.
Once the board signals its priority of cybersecurity through organizational and educational steps and has a business context for areas of greatest risk, it can do the following to ensure all constituents embrace this shared responsibility:
- Emphasize the importance of addressing cyber threats before they become a reality.
- Communicate emerging cyber threats and incidents through established channels.
- Market the importance of cybersecurity and reward good behavior.
These initiatives, as part of comprehensive and thoughtful changes to the three focus areas, will put boards on the offensive against cybersecurity
This article was written by Robert Snodgrass, Rod Hackman and originally appeared on 2023-08-22 RSM Canada, and is available online at https://rsmcanada.com/insights/services/risk-fraud-cybersecurity/for-boards-the-best-cybersecurity-defense-is-a-good-offense.html.