By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
It might seem counter-intuitive to think that cybersecurity starts with what is essentially paperwork and ceremony, without actually doing anything concrete to protect systems. But governance is critical to an organization’s cybersecurity.
Cybersecurity Governance
Governance is the combination of the corporate tone and leadership and the policies and procedures that grant authorities and assign responsibilities.
There are a number of reasons why governance is critical:

- Cybersecurity Plan: Good cyber policies and procedures essentially outline your company’s plan for cybersecurity. And like anything in business, a good plan is critical to good execution. A scattershot approach to cybersecurity inevitably leads to errors in implementation, gaps in your defenses, and inefficient investment choices.

- Establishes Corporate Tone: A governance structure demonstrates to the workforce that cybersecurity is important to leadership. When issues are important to leadership, staff are more likely to take those same issues seriously. Likewise, an issue that appears unimportant to leadership is almost certain to be ignored by staff.

- Grants Authority: Governance also provides authority to the IT and business managers to ensure that best practices are followed. In organizations without documented authority limits, IT staff can be pressured by powerful employees to make allowances that may jeopardize organizational cybersecurity. A governance structure empowers the IT staff to say, “Sorry, I’m not allowed to do that” or “Sure, I can do that, but I need authorization from the CEO first.”

- Assigns Responsibility: By assigning responsibility, individuals are accountable when an activity is not performed. Without assigned responsibility, critical activities are bound to fall through the cracks. Suppose your business uses web-based scheduling and payment software, and the software vendor issues an update that corrects a critical security flaw. Without policies that assign responsibility for updating the software to specific staff, the flaw is more likely to remain unpatched, and an attacker could exploit it to gain access to your website. This access could have far-reaching consequences, such as installing malware on your customers’ computers, stealing their information, or turning the server into a botnet node that sends millions of spam emails to your vendors and customers.
Governance is the combination of the corporate tone and leadership with the policies and procedures that assign responsibilities and demand compliance. It’s your cybersecurity plan. Just as you create a plan before you do many things in business, it’s important to document your organization’s approach to cybersecurity.
The content in this article covers just one aspect of cybersecurity that small to mid-size businesses need to address. Download the entire whitepaper below for additional cybersecurity suggestions.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.