Governing cybersecurity means revamping your organization and processes

August 02, 2024

Digital systems have evolved from a segmented, back-office function in the IT closet into the central nervous system essential for your business’s operations. For example, how long would your operations last without email? And digital transformation is only accelerating in today’s environment.

You don’t need to go further than the daily headlines to realize that, despite this focus by organizations, cybersecurity risks remain on the rise. Consider these statistics:

  • Statista reports the average downtime for businesses affected by ransomware is over 20 days
  • Twenty-eight percent of middle market organizations experienced a data breach in the previous year, according to the 2024 RSM US Middle Market Business Index Cybersecurity Special Report, tying a record high in RSM’s research
  • Events are influencing financials, with the SEC filing a Wells Notice in 2023 along with new governance and disclosure requirements in the SEC cybersecurity disclosure rule

Transforming cyber governance with enterprise as a system (EAS)

Our experience working with thousands of organizations across industries has shown that they often lack context when it comes to understanding the impact of cybersecurity risks. Indeed, this is one of an organization’s main challenges. Without the right context, investing to reduce your cybersecurity risks is like throwing darts at a board that you can’t see.

Today’s business enterprises comprise a complex set of interacting and interdependent internal and external digital and physical elements, including the people who operate them. These elements make up the systems that define your business. Traditional enterprise risk models look at only one domino without understanding the enterprise impact of what happens when one falls. EAS, however, allows your organization to build an in-depth understanding of the complex interconnections between systems and how each influences enterprise risk.

A shared understanding of EAS among the board and management is crucial to contextualizing cybersecurity risk and mitigating cyberthreats as digital systems rapidly change and AI transforms the risk landscape. A lack of EAS competency can lead to weak governance and an uneasy feeling of cyber whack-a-mole in the boardroom. Conversely, a shared EAS understanding can create resilient organizations poised to rapidly respond to cyberthreats. This is important for all enterprises regardless of size, but particularly for public companies with SEC reporting responsibilities that must assess and make determinations about the materiality of incidents in a timely manner.

EAS requires boards to think differently about three key elements:

  • Organization: Organize the board and management team for optimal governance and management
  • Education: Educate the board, management and employees to develop a shared understanding of EAS and its related cybersecurity risk
  • Culture: Change the enterprise’s culture to imprint upon all stakeholders a shared responsibility for cybersecurity

This is the first of four articles that explore each of these elements and how they work in concert to align directors on their governance and managers on their management of digital risks to their business. In this article, we focus on organizational recommendations to govern and manage cybersecurity.

EAS organization: Reorganize your enterprise risk and digital systems management and governance structure

Governing is the sole fiduciary responsibility of the board, one which cannot be delegated to the management team. Board responsibilities include oversight, guidance and approval of major strategic initiatives. As the cybersecurity threat landscape grows, boards are considering how to fulfill their fiduciary responsibility related to the highly complex nature of cybersecurity, one which is hard to understand and put into a business risk context. Management teams are challenged to effectively communicate technical issues and often report using high-level metrics which lack contextual meaning.

Boards and management teams need to meet in the middle to communicate a shared understanding of the systems they oversee and manage. This begins with assessing and revamping how boards and management teams are organized to deal with cybersecurity. A properly aligned and effective organization is essential for creating a resilient and flexible enterprise prepared to deal with cybersecurity.

Key actions for boards

Bringing it together

Investing the time and resources to assess your cybersecurity governance and management organization will result in a more resilient enterprise, optimized cyber spending, and more effective corporate policies and procedures to tackle cyber and AI risk. Organization sets the stage for embarking on an education program for the board, management and employees with the goal of developing a culture of shared responsibility for cybersecurity.

RSM contributors

  • Rod Hackman
    Executive Advisor, Board Excellence
  • Robert Snodgrass
    Principal
