Good Cybersecurity Starts with Governance

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

It might seem counter-intuitive to think that cybersecurity starts with what is essentially paperwork and ceremony, without actually doing anything concrete to protect systems. But governance is critical to an organization’s cybersecurity.

Cybersecurity Governance

Governance is the combination of corporate tone and leadership with the policies and procedures that grant authorities and assign responsibilities.

There are a number of reasons why governance is critical:

  1. Cybersecurity Plan 

    Good cyber policies and procedures essentially outline your company’s plan for cybersecurity.  And like anything in business, a good plan is critical to good execution.  A scattershot approach to cybersecurity inevitably leads to errors in implementations, gaps in your defenses, and inefficient investment choices.

  2. Establishes Corporate Tone

    A governance structure demonstrates to the workforce that cybersecurity is important to leadership.  And when issues are important to leadership, staff are more likely to take those same issues seriously.  Likewise, an issue that appears unimportant to leadership is almost certain to be ignored by staff.

  3. Grants Authority 

    Governance also provides authority to the IT and business managers to ensure that best practices are followed.  In organizations without documented authority limits, IT staff can be pressured by powerful employees to make allowances that may jeopardize organizational cybersecurity.  A governance structure empowers the IT staff to say, “Sorry, I’m not allowed to do that” or “Sure, I can do that, but I need authorization from the CEO first.”

  4. Assigns Responsibility 

    By assigning responsibility, individuals are accountable when an activity is not performed.  Without assigning responsibility, critical activities are bound to fall through the cracks.  Suppose your business uses web-based scheduling and payment software, and the software vendor issues an update that corrects a critical security flaw.  Without policies that assign responsibility for updating the software to specific staff, the flaw is more likely to remain unpatched, and an attacker could exploit it to gain access to your website.  This access could result in far-reaching consequences, like installing malware on your customers’ computers, stealing their information, or turning the server into a botnet node sending millions of spam emails to your vendors and customers.

Governance is the combination of the corporate tone and leadership with the policies and procedures that assign responsibilities and demand compliance.  It’s your cybersecurity plan.  Just as you create a plan before you do many things in business, it’s important to document your organization’s approach to cybersecurity.

The content in this article covers just one aspect that small to mid-size businesses need to address for Cybersecurity. Download the entire whitepaper below to access additional Cybersecurity suggestions.

Small to Mid-Size Business Cybersecurity

About the Author

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

