BUSINESS surveillance
Senior leadership must be involved in cyber-risk governance to ensure that the companywide governance plan aligns with overall corporate objectives.
Addressing cyber-risk starts at the top
Regardless of the organisation's structure, those at the top have a duty to understand and monitor the critical cyberthreats that could impact the organisation. They need to oversee the strategies, policies and procedures required to adequately mitigate those risks, and to ensure that a response plan exists to contain the impact of a compromise. They also need to ensure that the organisation has the systems in place to detect, investigate and eradicate an intrusion, and to comply with its contractual, legal and regulatory requirements.

Once senior leadership is on board, a cyber-risk governance plan requires continuous assessment of the organisation's business operations. These cyber-risk assessments help identify cybersecurity business risks, and the organisation's security gaps and vulnerabilities, before they become a crisis.
A robust information security program should be anchored on a recognised security standard or framework, such as those published by ISO and NIST. It also needs to be aligned with the security and privacy regulatory requirements the organisation is subject to and that are recognised by its external stakeholders, such as PCI DSS, HIPAA, NERC, CJIS, NIS2, GDPR, PIPEDA or CCPA. Pursuing information security certification against such standards is essential to protecting data and to giving customers and investors assurance about the maturity of the organisation's readiness to defend itself against evolving cyberthreats.
The endorsement of policies and procedures by management, and setting a 'tone from the top', is essential to foster the adoption of the new tools and behaviours critical to protecting the organisation's key assets. Taking the time to define cybersecurity policies and objectives, and to educate staff on them, helps ensure that the entire organisation understands the purpose of the security controls and that they are used correctly and consistently. Such policies are not static documents but require regular updates to
64 WWW.INTELLIGENTCISO.COM