Fotolia

Cultural changes in cyber security are shifting the way companies delegate accountabilities

James Goepel is the General Counsel (GC) and Chief Technology Officer for ClearArmor Corporation, and a member of the company’s Board of Directors. As GC, he advises the company on a wide range of legal issues, and lead negotiations with ClearArmor’s customers and strategic partners. As the CTO, he is heavily involved in the design of the company’s main product, leads the international development team’s efforts to bring products to market, identify and recruit partners, and create the licensing and financial terms under which the company conducts business.

Goepel is also the company’s representative to the NIST National CyberSecurity Center of Excellence, and a participant in the Center for Internet Security’s efforts to update their top 20 security controls. He regularly speaks at domestic and international conferences on a variety of topics, including cybersecurity, intellectual property law and commercial and government contracts. In addition to his legal background, Goepel gained practical security and technology experience working in a variety of roles for large corporations, start-ups and Congress before attending law school.


 

Christopher P. Skroupa: Where does the cyber governance landscape need to shift to, and how can that point be reached?

James Goepel: In my experience, most organizations relegate cyber governance to the I.T. staff because their leadership sees cyber security as a technology issue. These leaders fail to appreciate that a cyber security incident can have a profound impact on the organization’s bottom line. From substantial fines and penalties imposed by regulations like Europe’s GDPR, which amount to 4 percent of an organization’s global revenue, to the cost of remediation, data breach notifications, lost business, loss of brand reputation and lost intellectual property, a single cyber security incident can quickly force an organization out of business.  

We need a cultural shift to a point where organizations finally treat cyber security risks as a business issue and govern cyber security with the same level of leadership engagement as financial risks. The leaders’ participation is critical, because only the leadership has the knowledge and visibility to define the organization’s budgets, priorities and, ultimately, its risk tolerance. This leadership-driven, business-focused approach to cyber governance is essential to creating robust, sustainable cyber security.

I have met some CEOs and Directors who are resistant to making these cultural changes, because they find the thought of tackling cyber governance to be overwhelming. As we speak more, it is clear they know their organization needs a structured cyber security plan, but they don’t know where to start. Thankfully, the United States National Institutes of Standards and Technology (NIST) created a standard framework that provides a structured approach to creating a cyber security plan. With true NIST Cyber Security Framework (NIST CSF) alignment, these leaders can effectively govern cyber security, and their I.T. departments have a better understanding of the organization’s business priorities, including its risk tolerance.

Skroupa: To what effect can the disconnect between Leadership and I.T. impact cyber governance and security?

Goepel: The organization’s business priorities shift all the time, and these shifting priorities need to be reflected in the organization’s approach to cyber governance. If there is a disconnect between leadership and the I.T. department, the best the I.T. department can do is to guess at how it should address problems. Let’s take an example right out of the headlines: A technology organization that is crippled by ransomware which simultaneously takes down all of its servers.

When the I.T. department repairs the servers, should the corporate communications systems be the priority, or should it be something else, like revenue-generating servers? If the revenue-generating servers are the priority, should those serving key customers be restored first? Most I.T. departments are busy keeping the business running, and they simply don’t have the business-level visibility needed to make these decisions. Instead, they are likely to restore the servers based on whichever department leader is yelling the loudest at that time. A leadership-driven approach to cyber governance allows the organization to create a well-defined incident response plan that is regularly updated to balance the organization’s competing priorities.

Skroupa: How can leadership-driven cyber governance reduce risk?

Goepel: As I mentioned before, to achieve robust, sustainable cyber security, organizations need to fundamentally change their culture so leadership sets and governs cyber security policies and procedures. When these cultural changes are pervasive and consistently enforced, the organization’s cyber risk can be greatly reduced.

For example, some I.T. departments have started conducting mock phishing exercises as a way of testing employee awareness. This is a great idea, but without leadership-driven cyber governance, it only addresses half of the issue. When cyber security is treated as a technology issue, the most these I.T. departments can do is to encourage employees who fall for the phishing attack to take additional training.

With leadership-driven cyber governance, the leadership has better visibility into which employees are consistently creating risks to the organization and can take appropriate steps to mitigate those risks going forward. When employees know that the organization’s leadership is actively governing cyber security and that it is a cultural priority, the employees are more likely to consistently make it a priority rather than reverting to past behaviors. Given that 60 percent of recent data breaches were the result of human error, these kinds of cultural changes can significantly reduce the organization’s risk.

Skroupa: Ultimately, the conversation around cyber security is complex. Who must absolutely be a part of that conversation, and why?

Cyber security is an organization-wide issue, and representatives from across the organization – including human resources, legal, accounting and the audit committee – should all be part of the cyber security conversation along with senior leadership and I.T.

Human resources is an important participant because the cultural change impacts hiring decisions, the onboarding process, employee training and even enforcement and disciplinary processes because these impact human capital management.  

I see the General Counsel as having a critical role in reducing the organization’s cyber security risk. The laws and regulations around cyber security are constantly changing, with best practices often becoming regulations. Two recent examples include GDPR in Europe and New York state’s Division of Financial Services Rule 500, which require organizations to demonstrate compliance with cyber governance requirements by establishing robust, structured and documented cyber security programs.

The legal department can determine which regulations apply and help craft the processes necessary to ensure leadership is meeting their fiduciary and regulatory obligations, including continuous oversight of cyber security. Legal also needs to understand the organization’s risk tolerance so that appropriate cyber security provisions are included in contracts with vendors and customers.

The accounting department’s participation is essential because every cyber security initiative has a corresponding cost, and the department will have insight into the budgetary changes that will be necessary to fit those costs in the overall budget. The audit committee’s representation is crucial because they are responsible for ensuring that the organization is properly executing its cyber governance plan. In short, in this new approach to cyber security, every employee has a role to play and every department should be involved in cyber governance conversations.

Skroupa: Do you have any final thoughts of cyber security and governance?

Goepel: One of the chief concerns I hear from many CEOs and other senior leaders is that they realize they will be held accountable when a data breach occurs, and at a minimum, they want to be able to stand in front of the TV cameras and demonstrate that their organization was doing the right thing.

They want to be able to show that the organization was taken down by an advanced, persistent adversary rather than a less sophisticated attacker who took advantage of an unpatched system or other oversight. These leaders know that something needs to be done, but they aren’t sure where to start.  

Some know that their organizations have begun adoption of standards like the NIST CSF or ISO 27001, but they still aren’t confident that they are getting the information they need to demonstrate that their organizations are doing the right thing. ClearArmor created CyberSecurity Resource Planning, or CSRP, to help address these concerns. We help the organization effectively implement cyber governance by walking them through the NIST CSF, including defining the organization’s risk tolerance, business priorities and critical roles and responsibilities.  

This information is then used to create a structured cyber security plan, and leadership can use CSRP’s powerful tool suite to measure, monitor and govern adherence to the cyber security plan. This allows the leaders to be confident that their organization is truly aligned with leading standards like the NIST CSF, rather than just partial alignment with only the technical aspects of those standards. CSRP allows the leaders to demonstrate to investors, regulators, politicians and the public that they are taking cyber security seriously by implementing a robust, structured, standards-based cyber security program.


James Goepel will be moderating a panel entitled Demystifying Cyber Security: The Need to Leverage Industry Recognized Standards on March 13 in NY, New York at the Cyber Risk Governance program.

Originally published on Forbes.com. More articles by Christopher Skroupa on his Forbes column.

Follow us on twitter @SkytopStrat, and on Facebook @SkytopStrategies. Find us on YouTube, too, for exclusive interviews, panel discussions and debates that are prime examples of the market moving dialogue held at our various conferences and summits around the world.