Call for Executive-led Cyber Expertise, and the Value of the Consultant Alternative

“Directors don’t grow on trees and, certainly, directors with cybersecurity experience don’t grow on trees”.

Companies are being advised to seek directors with cyber expertise, or to hire experts to advise them, given ongoing global regulatory change and the resulting requirement for focus on, and understanding of, cyber security at board level.

Given that cyber security is a relatively young discipline, and that its risks change quickly, senior executives with the necessary expertise can be difficult to find.

Regulatory Developments 
Under the latest proposal from the US Securities and Exchange Commission (SEC), cybersecurity rules would require public companies to disclose board members' security knowledge and their approach to cyber oversight. The SEC's aim is greater transparency and board expertise, to protect investors from the impact of cyberattacks.

Whilst there may appear to be something of a disconnect locally, this is certainly not the case; the warning from ASIC Commissioner Danielle Press is just one example:

"Cyber measures taken should be proportionate to the nature, scale, and complexity of your organisation – and the criticality and sensitivity of the key assets held. This includes the reassessment of cybersecurity risks on an ongoing basis. ASIC also expects this to include oversight of cybersecurity risk throughout your organisation’s digital supply chain."

CPS 230, APRA's prudential standard on operational risk management, is another example of ongoing action by Australian regulators to expand the scope of cybersecurity and operational resilience obligations; in this case, it specifically addresses the management of third-party service provider risk.

APRA is focusing on regulated entities that place increasing reliance on third parties to undertake critical operations on their behalf. CPS 230 requires, amongst other obligations, ongoing monitoring, testing and assurance of the risk management controls implemented by the third-party service providers that regulated entities utilise.

Finally, and most recently, Cyber Security Minister Clare O’Neil has been outspoken about her intention to put more onus on the technology sector for cyber breaches, calling for tighter regulation of, and restrictions on, the sector. This is just one example of the level of scrutiny and the challenges the technology sector is facing in 2023.

Legal proposals and regulatory penalties are increasing the focus on privacy and cybersecurity measures, and Boards are being called upon to enhance their cyber and data protection competence.  

Engaging an independent expert
Given the breadth of expertise required, and the current global cyber security talent shortage, evident in no area more so than at the Executive level, organisations may instead be well placed to engage consultants to assist in asking the right questions, gaining the right understanding, and obtaining independent advice with respect to their responsibility for cyber, data and technology risks.

Utilising a service such as an appropriately qualified CISO-as-a-Service - beyond the subject matter specialism - is no different to engaging other similar consultants, e.g., Company Secretaries, Accountants, and so on, in that organisations gain access to, and can leverage:

Independence
Consultants are not influenced by internal politics, personal consequences of action, profit motivators, or other less tangible business intricacies. Further, a Board or C-Suite that wants or needs to make an "unpopular" decision can utilise a consulting firm to help. This provides ammunition to recommend an unpopular or risky decision to the board (expansion into a new business line or geography, or shutting down an expansion idea). One of the many ways that CISOs bring value is by prioritising which actions to take; moreover, they can put these remediation activities in the context of the financial and operational impact to the business, from an independent perspective.

Pool of knowledge
A security leader (or any leader, for that matter) at an organisation sees the same problems day in and day out, and those problems are specific to that business. In contrast, a role such as CISO-as-a-Service gives the hiring organisation visibility into many different types of problems being approached and solved in multiple ways. This difference in perspective positively affects our ability to provide meaningful, tangible advice on cybersecurity baselines, metrics, prioritisation approaches, etc. Organisations are then far less likely to suffer from "blind spots" that result in business disruption. Instead, the approach results in a mindset shift in the way cybersecurity programs are managed, from a traditional risk management model to cyber resilience.

Access to various levels and parts of the business
Similarly, consultants engage with, observe, and tag along with people throughout the organisation's structure, potentially across customers, sales, security, procurement and the executive. Other people within the organisation, sometimes even including the C-Suite and Executive team, rarely do this (especially within larger organisations). There can be significant insights to be had from doing so.

Focus on the problem
The biggest value can come simply from having a dedicated team of specialists who are unbiased and can focus deeply on the issue at hand. At a company, in any role, everyone has their "day job". Given the ever-increasing requirement to be available 24/7, and a common desire to advance and succeed, even at our best we can focus only a portion of our attention on a particular issue. Coupled with the mercurial nature of cyber, data and technology risk at this point in time, almost nowhere is this more true.

Conclusion
Alignment of an effective cyber security strategy with top business stakeholders (the Executive and Board) maximises resources and sets expectations for how an effective security posture can enable business growth, by building trust and defending against cyber events.

While technical talk resonates with security professionals, it is the language of profit and loss that resonates with boards. Organisations should seek advice and guidance from consultants who either interact with the board directly, or equip management with the information, language and mitigation advice to do so in terms that are quantifiable and tailored to that audience: how much risk a security program will mitigate, in dollars and cents. As an organisation comes to an understanding of how much risk it is willing to accept, risk quantification enables a clear understanding of ROI in financial terms.

One of the many ways that our CISO-as-a-Service brings value is by prioritising which actions to take. Moreover, we put these remediation activities in the context of the financial and operational impact to the business.    


Author: Mark L